Java – does the playframework return absolute URLs in HTTP instead of HTTPS?
I'm using nginx to serve, over HTTPS only, a project implemented in the Play! framework.
Everything works, SSL is recognized, and I can use my application anywhere, but when Play! returns an absolute URL, it is HTTP, not HTTPS.
This is a problem, and I don't know what causes it. I tried starting Play with -Dhttps.port=XXXX instead of -Dhttp.port=XXXX, but the output still shows "HTTP" instead of "HTTPS".
I suspect that nginx is incorrectly configured (did I forget a parameter?). This is my sites-enabled site configuration file:
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme "https"; # I also tried $scheme without any luck
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;

server {
    listen 80;
    server_name my.website.com;
    return 301 https://my.website.com;
}

upstream my-backend {
    server 127.0.0.1:9100;
}

server {
    listen 443;
    ssl on;
    root /var/www/website/errors/;

    # http://www.selfsignedcertificate.com/ is useful for development testing
    ssl_certificate /etc/nginx/ssl/my.website.com.crt;
    ssl_certificate_key /etc/nginx/ssl/my.website.com.key;

    # From https://bettercrypto.org/static/applied-crypto-hardening.pdf
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
    ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
    add_header Strict-Transport-Security max-age=15768000; # six months
    # use this only if all subdomains support HTTPS!
    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"

    keepalive_timeout 70;
    server_name my.website.com;

    location / {
        #proxy_pass http://my-backend;
        proxy_pass http://127.0.0.1:9100;
    }

    location ~ /\.git {
        deny all;
    }

    error_page 502 @maintenance;
    location @maintenance {
        rewrite ^(.*)$ /error502.html break;
    }
}
What did I miss?
Update: This is the code that generates the absolute URL:
controllers.routes.Pages.loginToken(getToken()).absoluteURL(play.mvc.Http.Context.current().request());
Solution
absoluteURL has several overloads. You are using this one:
public String absoluteURL(Http.Request request) { return absoluteURL(request.secure(),request.host()); }
The problem is that because you run Play behind the nginx reverse proxy, Play actually receives all requests over HTTP, not HTTPS. This means request.secure() is false, and absoluteURL will return a URL containing http://.
Instead, manually set secure to true in one of the overloads:
controllers.routes.Pages.loginToken(getToken()).absoluteURL(play.mvc.Http.Context.current().request(),true);
In addition, what I usually do is make secure a configuration variable, so that non-HTTPS URLs can be generated during local development.
In application.conf:
application.secure = false # for local dev
In production, I added the command-line option -Dapplication.secure=true when I started the application, to override the value in application.conf.
Generating the URL will then look like this:
controllers.routes.Pages.loginToken(getToken()).absoluteURL(
    play.mvc.Http.Context.current().request(),
    play.Play.application().configuration().getBoolean("application.secure", true) // default to true
);
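The following is an added example, not part of the original answer and not Play's own code. It models the scheme decision discussed above without any Play dependency: an explicit application.secure setting wins, otherwise the X-Scheme header from the question's nginx config is honoured only when the request comes from the proxy itself. The class and method names, the loopback trust list and the sample path are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added example: stand-alone model of the scheme decision, no Play dependency.
// SchemeResolver, isSecure and absoluteUrl are hypothetical names.
public class SchemeResolver {
    // Peers allowed to assert the original scheme (assumption: nginx on loopback,
    // matching proxy_pass http://127.0.0.1:9100 in the question).
    private static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "::1");

    // configSecure models application.secure; null means "not set".
    // headers is a simplified map; real header names are case-insensitive.
    static boolean isSecure(Boolean configSecure, String remoteAddr,
                            boolean socketSecure, Map<String, String> headers) {
        if (configSecure != null) {
            return configSecure;              // explicit operator setting wins
        }
        if (TRUSTED_PROXIES.contains(remoteAddr)) {
            // X-Scheme is the header the question's nginx config sets.
            String scheme = headers.get("X-Scheme");
            if (scheme != null) {
                return "https".equalsIgnoreCase(scheme.trim());
            }
        }
        return socketSecure;                  // what request.secure() would report
    }

    static String absoluteUrl(boolean secure, String host, String path) {
        return (secure ? "https" : "http") + "://" + host + path;
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured traffic.
        Map<String, String> viaNginx = Map.of("X-Scheme", "https");
        String host = "my.website.com";
        String path = "/login/TOKEN_PLACEHOLDER";   // constructed path

        // Behind nginx, no config setting: the trusted proxy's header is honoured.
        System.out.println(absoluteUrl(isSecure(null, "127.0.0.1", false, viaNginx), host, path));
        // Same header from a peer outside the trust list is ignored.
        System.out.println(absoluteUrl(isSecure(null, "203.0.113.7", false, viaNginx), host, path));
        // application.secure=true forces https regardless of headers.
        System.out.println(absoluteUrl(isSecure(true, "203.0.113.7", false, Map.of()), host, path));
        // application.secure=false (local dev) keeps http.
        System.out.println(absoluteUrl(isSecure(false, "127.0.0.1", false, viaNginx), host, path));
    }
}
```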