Zuul behind an AWS ELB over HTTPS/SSL

5
votes

I have an AWS Elastic Load Balancer with the certificates for my domain and which terminates the SSL traffic. The ELB has a listener on the https port and forwards it as http to Zuul.

When I use Spring Boot HATEOAS, Zuul will replace the links with the correct address but with http instead of https:

"_links": {
  "self": {
    "href": "http://my.domain.com:80/rest/foo/bar"
  }
}

but what I want is:

"_links": {
  "self": {
    "href": "https://my.domain.com/rest/foo/bar"
  }
}

The request that generates this response is made over https

Because Zuul is behind the ELB I'm guessing it cannot know that it should receive traffic through https.

Is there a way to tell Zuul to replace links with https even though it receives un-encrypted traffic through http?

I guess an alternative is to deploy Zuul with https with a self-signed certificate but I'd rather ovoid this complication if I can.

1
springamazon-web-servicesspring-cloudspring-hateoasnetflix-zuul
see github.com/spring-cloud/spring-cloud-netflix/issues/1286 - phoenix7360

1 Answers

1
votes

Following recommendation from the Zuul team, this issue can be fixed by adding a pre Zuul filter, to be applied after PreDecorationFilter (order 5):

new ZuulFilter() {
        @Override
        public String filterType() {
            return "pre";
        }

        @Override
        public int filterOrder() {
            return 6; //PreDecorationFilter=5 + 1
        }

        @Override
        public boolean shouldFilter() {
            return true;
        }

        @Override
        public Object run() {
            RequestContext ctx = RequestContext.getCurrentContext();
            log.info(String.format("Before filter ['%s': '%s', '%s': '%s']",
                    ZuulHeaders.X_FORWARDED_PROTO.toLowerCase(),
                    ctx.getZuulRequestHeaders().get(ZuulHeaders.X_FORWARDED_PROTO.toLowerCase()),
                    "X-Forwarded-Port",
                    ctx.getZuulRequestHeaders().get("x-forwarded-port")));


            final String originalXForwardedProto = ctx.getRequest().getHeader(ZuulHeaders.X_FORWARDED_PROTO.toLowerCase());
            final String originalXForwardedPort = ctx.getRequest().getHeader("x-forwarded-port");

            if (!StringUtils.isEmpty(originalXForwardedProto)) {
                ctx.addZuulRequestHeader(ZuulHeaders.X_FORWARDED_PROTO.toLowerCase(), originalXForwardedProto);
            }

            if (!StringUtils.isEmpty(originalXForwardedPort)) {
                ctx.addZuulRequestHeader("x-forwarded-port", originalXForwardedPort);
            }

            log.info(String.format("After filter ['%s': '%s', '%s': '%s']",
                    ZuulHeaders.X_FORWARDED_PROTO.toLowerCase(),
                    ctx.getZuulRequestHeaders().get(ZuulHeaders.X_FORWARDED_PROTO.toLowerCase()),
                    "X-Forwarded-Port",
                    ctx.getZuulRequestHeaders().get("x-forwarded-port")));

            return null;
        }
    };
}