From c289ba0c2c758935e1931fd6aa8c348c60d992b4 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Wed, 4 Nov 2020 10:13:55 +0000
Subject: [PATCH] Recommend disabling context root redirects with proxied Tomcat

Closes gh-22908
---
 .../boot/autoconfigure/web/ServerProperties.java | 3 ++-
 .../spring-boot-docs/src/main/asciidoc/howto.adoc | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
index b379fa7b83b1..d3a2a0dbe48b 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java
@@ -372,7 +372,8 @@ public static class Tomcat {

 /**
 * Whether requests to the context root should be redirected by appending a / to
- * the path.
+ * the path. When using SSL terminated at a proxy, this property should be set to
+ * false.
 */
 private Boolean redirectContextRoot = true;

diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc
index b290ff82d703..18aacaec8d21 100644
--- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc
+++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/howto.adoc
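Review bot: In ServerProperties.java, the sentence added to the Javadoc of `redirectContextRoot` tells the reader to set the property to false behind an SSL-terminating proxy but gives no reason, and this Javadoc is presumably the text users see as the property's description. The howto.adoc change in the same commit does give the reason: with the redirect disabled, `X-Forwarded-Proto` is honored before any redirect is performed, which suggests the default context-root redirect is built from the proxy-to-Tomcat scheme rather than the client's. I would carry that into the Javadoc, for example `When using SSL terminated at a proxy, this property should be set to false so that X-Forwarded-Proto is honored before any redirect is performed.` The default remains `true`, so a proxied deployment only gets the safer behaviour once the operator has read this text. The enclosing `Tomcat` class starts and ends outside the hunk.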
@@ -856,6 +856,9 @@ With this option, the Web servers themselves natively support this feature; you
 If this is not enough, Spring Framework provides a {spring-framework-docs}web.html#filters-forwarded-headers[ForwardedHeaderFilter].
 You can register it as a Servlet Filter in your application by setting `server.forward-headers-strategy` is set to `FRAMEWORK`.

+TIP: If you are using Tomcat and terminating SSL at the proxy, configprop:server.tomcat.redirect-context-root[] should be set to `false`.
+This allows the `X-Forwarded-Proto` header to be honored before any redirects are performed.
+
 NOTE: If your application runs in Cloud Foundry or Heroku, the configprop:server.forward-headers-strategy[] property defaults to `NATIVE`.
 In all other instances, it defaults to `NONE`.