ConnectController creates relative redirect which breaks when running behind reverse proxy

[pcornelissen]

Summary

I have the effect that my spring-social-based-service, which is behind a zuul proxy, generates a redirect view to /connect/facebook after the authentication succeeded and spring creates a redirect which uses the service IP+Port and not the zuul IP+Port (or it's hostname) :-/

(while stepping through the code I realized that Tomcat 8 is generating the URL because spring-social generates a relative URL and the container fetches the hostname not via the proxy header fields)

Actual Behavior

ConnectionController#connectionStatusRedirect creates a relative redirect to /connect/facebook after a successful connect, which is "enhanced" by the underlying tomcat to an absolute URL with the local IP and port

Expected Behavior

The URL should take into account that the service is behind a reverse proxy (zuul) and the reverse proxy header fields are set.

Configuration

Version

   <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>Dalston.SR1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.social</groupId>
            <artifactId>spring-social-facebook</artifactId>
            <version>3.0.0.M1</version>
        </dependency>
    </dependencies>

[lixiaocong]

I have the same problem

[demaniak]

This might be relevant: https://stackoverflow.com/questions/25455969/spring-boot-with-embedded-tomcat-behind-apache-proxy

[alek-sys]

This actually not a spring-social issue but specific of how Spring does redirection behind the proxy. If you are using Tomcat as a server, refer to Spring Boot documentation.

The key is to add server.use-forward-headers=true to the application.properties, this should activate RemoteIpValve and it will override schema, protocol and port from X-Forwarded-* headers. Just make sure your proxy sends these headers.

Also important to remember that RemoteIpValve filters requests by proxy's IP address, so make sure your proxy's IP matches server.tomcat.internal-proxies default value or override it.