Badly configured HttpConfiguration.securePort can lead to wrong port produced by ForwardedHeader

[stuban]

Jetty version
9.4.32

Java version
AdoptOpenJDK build 1.8.0_262-b10

OS type/version
Linux CentOS 7.8 Kernel 3.10.0-1062.el7.x86_64

Description
For us the changes related to #5224 or #5247 have some surprising regression with 9.4.32
Our reverse-proxy (haproxy) always sends a RFC7239 style forwarded header towards jetty.
This always worked fine with 9.4.31 but with 9.4.32 it suddenly adds the (wrong) port to the requestURL
A simple example just printing out request.getRequestURL()
Request forwarded from upstream haproxy:

GET /sdpVab/test-forwarded.jsp HTTP/1.1
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-language: en,en-US;q=0.95,de;q=0.89,fr-FR;q=0.84,nl;q=0.79,de-DE;q=0.74,en-GB;q=0.68,de-US;q=0.63,en-EN;q=0.58,fr;q=0.53,nl-NL;q=0.47,de-formal;q=0.42,en-CA;q=0.37,en-AU;q=0.32,es-ES;q=0.26,es;q=0.21,en-DE;q=0.16,eng-US;q=0.11,eng;q=0.05
accept-encoding: gzip, deflate, br
dnt: 1
upgrade-insecure-requests: 1
cache-control: max-age=0
te: trailers
host: web-144-237.ect-telecoms.de
cookie: JSESSIONID=oj47pppk3nxc1k1cyy156nqlx0;
forwarded: for=192.168.253.64;host=web-144-237.ect-telecoms.de;proto=https;proto-version=h2

Answer from 9.4.31:

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=nxeetp3wb734e9udszzebmvs0; Path=/sdpVab; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Transfer-Encoding: chunked


<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Forward test</title>
</head>
<body>
<p>https://web-144-237.ect-telecoms.de/sdpVab/test-forwarded.jsp</p>
</body>
</html>

Answer from 9.4.32:

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=oj47pppk3nxc1k1cyy156nqlx0; Path=/sdpVab; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Transfer-Encoding: chunked


<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Forward test</title>
</head>
<body>
<p>https://web-144-237.ect-telecoms.de:8443/sdpVab/test-forwarded.jsp</p>
</body>
</html>

Looks like the port 8443 is added in error here.

[joakime]

Opened PR #5419

The port in the implied case, like yours, is being pulled from the HttpConfiguration you have.
The HttpConfiguration.securePort on your system is set to 8443.
If you change HttpConfiguration.securePort on your Jetty server side it to 443 it should operate properly.

The HttpConfiguration.securePort is the logical secure port for your server, it's not the one that the https/ssl/tls connector is listening on.
In your scenario, where you have a Proxy, with Forwarding headers, your server side HttpConfiguratoin.securePort should be the port of the proxy public facing side https port.

To say this differently, take this setup.

• Browser : makes request for resource https://demo.machine.com/test/foo.jsp
• Proxy : serving demo.machine.com and listening on port 443 with SSL/TLS
• Server : handling requests on internal.machine.com on port 8443

The Server in this scenario, should have a HttpConfiguration.securePort set to 443 (the default for SSL/TLS) for the connector on port 8443.

If this was a bit more complex it might make more sense this way ...

• Browser : makes request for resource https://demo.machine.com:7443/test/foo.jsp
• Proxy : serving demo.machine.com and listening on port 7443 with SSL/TLS
• Server : handling requests on internal.machine.com on port 9443

In this scenario, the browser is talking to demo.machine.com:7443 so all redirects and URLs it sees coming back from the server should be consistent to that expectation.

The forwarding headers from the Proxy to the Server would look like this ...

GET /test/foo.jsp HTTP/1.1
host: demo.machine.com:7443
forwarded: for=192.168.253.64;host=demo.machine.com:7443;proto=https

So that means the server's HttpConfiguration.securePort should be 7443 even though it's bound/listening on 9443

[gregw]

Fixed by #5419