How to disable HTTPS in storefront on 6.3?

diegohs
Active Participant
0 Kudos

Hi all, We'd like to know how to disable HTTP in Commerce 6.3. HTTPS will be finished at Load Balancer level, so there's no need to use HTTPS in App server. We have tried both the x-forwarded-proto header and also removing some lines in the spring-security-config.xml, but obviously we did something wrong, as the site still makes a switch to https.

Could you please provide an example of the modifications and specify the exact files we should modify? Please assume we need to disable this in the B2B Accelerator.

Thank you!

Accepted Solutions (0)

Answers (4)


diegohs
Active Participant
0 Kudos

Hi Jonathan, Well, I'm not sure if the missing piece is there, as I already tested this in a Tomcat 7 (not hybris) and it worked without any problems. I suspect that some hybris-related change is required, not a standard Tomcat one. Or is there any way to debug this on hybris/tomcat, so we can understand what's going on?

Former Member
0 Kudos

It sounds like what you want is for https still to be used between your perimeter and the browser, but not for the links between loadbalancers and apache, nor for apache <-> tomcat.

The interception and redirection of your browser to https + main site name are happening under hybris/spring control. So a tomcat that wasn't performing such redirects wouldn't exercise the feature in question.

Adding the remoteip valve permits the engine to distinguish your reverse proxies (on local addresses) from your users' browsers and behave appropriately.

diegohs
Active Participant
0 Kudos

Hi Andrew, Let me provide more context of what we have:

  1. We have a hardware load balancer in the DMZ; SSL terminates here. It will balance the load to two reverse proxies. Communication between load balancer and reverse proxies is over port 80.

  2. We have two apaches (ver 2.4) acting as reverse proxies (http), also in the DMZ. Communication between apache and hybris App Servers should be over port 9001.

  3. We have two hybris Commerce servers (ver. 6.3) in our internal network.

OBJECTIVE: We want to avoid the hybris commerce servers asking for https. So all communication between reverse proxies and hybris servers is not encrypted.

WHAT WE HAVE TRIED (and it's not working): In the ALF pages, we read some general instructions and tried the following:

  1. In httpd.conf file in Apache, added the following lines at the end of the file

    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass /myapp  http://hybris_app_server:9001/myapp/

  2. In the hybris App servers, /bin/platform/tomcat/conf/server.xml file, added the following tag just after the Engine tag.

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies=".*"
           remoteIpHeader="x-forwarded-for"
           proxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto"
    />

  3. After restarting both Apache and hybris, we tried the following URL in a browser:

    http://reverse_proxy_server/myapp

  4. But instead of doing the reverse proxy work, it just changes the URL to:

    https://hybris_app_server/login.jsp

I mean, it clearly does something as the port is hidden. But it continues putting https and the server is replaced.

Do we need to do anything else?

Thank you!

andyfletcher
Active Contributor
0 Kudos

That does look mainly correct. It's strange that you are still getting redirected to https since the x-forwarded-for header should be telling Tomcat that there's no need to redirect.

One thing that I would point out is that you are editing bin/platform/tomcat/conf/server.xml. This file will be overwritten when you run ant (specifically the deploy target). Is your config definitely still there? You should really be editing the file in config/tomcat/conf/server.xml.

andyfletcher
Active Contributor
0 Kudos

... @#!$#% comment length limit!

Another thing that is wrong is that the header should only be added to requests that are originally https. By sending all requests from the LB to Apache on port 80 there's no way of knowing at this point what the original protocol was. Add the header at the LB.

I've attached a jsp that I use for debugging this sort of thing. Just drop it into your storefront webroot (and rename it to .jsp because the forum won't let me upload a jsp). Ideally you should restrict access to this page on a public site.
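A simplified Python model of the decision this thread keeps returning to, added here as an illustration and not code from any poster or from Tomcat: the RemoteIpValve honours the protocol header only when the connecting peer matches `internalProxies`, so both the pattern and where the header is set decide what the storefront believes. The addresses, the restricted pattern and the function names are constructed for the example; only `.*` and the header name come from the posts.

```python
import re

# Constructed sample addresses and patterns; only ".*" comes from the thread.
PROXY, BROWSER = "10.0.0.5", "203.0.113.7"
PERMISSIVE = r".*"
RESTRICTED = r"10\.0\.0\.5"

def valve_view(remote_addr, headers, internal_proxies,
               protocol_header="x-forwarded-proto", https_value="https"):
    """Simplified model: (scheme, secure) the webapp sees on a plain-HTTP connector."""
    seen = ("http", False)
    # The header is honoured only if the TCP peer matches internalProxies.
    if not re.fullmatch(internal_proxies, remote_addr):
        return seen
    value = {k.lower(): v for k, v in headers.items()}.get(protocol_header)
    if value is None:
        return seen                      # header absent: connector values kept
    return ("https", True) if value.lower() == https_value else ("http", False)

def proxy_headers(original_scheme, unconditional):
    """Header the proxy adds: hard-coded 'https', or the scheme it actually saw."""
    return {"X-Forwarded-Proto": "https" if unconditional else original_scheme}

def scenarios():
    direct = {"X-Forwarded-Proto": "https"}   # header supplied by the client itself
    return {
        "tls request via proxy": valve_view(PROXY, proxy_headers("https", False), RESTRICTED),
        "http request via proxy": valve_view(PROXY, proxy_headers("http", False), RESTRICTED),
        "http request, header hard-coded": valve_view(PROXY, proxy_headers("http", True), RESTRICTED),
        "direct client, permissive": valve_view(BROWSER, direct, PERMISSIVE),
        "direct client, restricted": valve_view(BROWSER, direct, RESTRICTED),
    }

if __name__ == "__main__":
    for name, (scheme, secure) in scenarios().items():
        print(f"{name:34} scheme={scheme:5} secure={secure}")
```

With the hard-coded header a plain-HTTP request is reported as secure, and with `internalProxies=".*"` the same happens for a header sent by any client that can reach the connector directly.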

diegohs
Active Participant
0 Kudos

Yes, I know this. We're editing this file for troubleshooting purposes only. Once it is working, we'll put the config in the other file to make it permanent.

diegohs
Active Participant
0 Kudos

Hi Andrew, I'll test with the page you attached.

However, I'm not sure if I understand your first comment. Please find below a simple diagram to illustrate our communication between ports, and attached the Apache httpd.conf file. Do you see anything wrong here?

ps: Right now, we're testing with a browser only from Reverse Proxy to App Servers. We are not testing with Load Balancer yet. The header is put on the Reverse Proxy.


andyfletcher
Active Contributor
0 Kudos

From the sound of things, by connecting directly to Apache you aren't doing a fair test. You're connecting to port 80 using http and getting redirected to https (443), but Apache isn't listening on 443. Why not set up a (temporary) virtual host listening on 443 with a self-signed cert? Use proxypass to send to 9001 and set the x-forwarded-proto header to https. Your existing virtualhost on 80 would proxypass to 9001 but not set the header.

If this works then you can be confident that putting the LB in, connecting to Apache port 80, will work as long as it is terminating ssl and setting the header.

Former Member
0 Kudos

The missing piece may be a bit of configuration for tomcat's remoteip valve to recognize proxying and the original protocol of the request (whether secure or not). See https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html

andyfletcher
Active Contributor
0 Kudos

You haven't really stated what you've tried with x-forwarded-for. You need to get the loadbalancer to add it to the request headers for requests that were originally https but also get Tomcat to use the value of this header to determine whether the request is secure. There's some discussion of it in this answer https://answers.sap.com/questions/12763785/how-to-run-hmc-cockpits-on-http-instead-of-https-i.html?c...

This is assuming that your question is really, "How do I terminate SSL at the loadbalancer and stop ending up in an infinite redirect loop" rather than just disabling https completely for your site.