Spring/spring-boot
Spring/spring-boot
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-boot.git synced 2024-07-05 00:56:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

Tighten up documentation on SSL and HTTPS

Browse Source 
Fixes gh-640
This commit is contained in:
Phillip Webb 2014-04-23 23:24:59 +01:00
parent 59496abf85
commit 6268322c76
1 changed files with 28 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
spring-boot-docs/src/main/asciidoc/howto.adoc
View File

@ -448,6 +448,8 @@ that sets up the connector to be secure:
}
----
[[howto-enable-multiple-connectors-in-tomcat]]
=== Enable Multiple Connectors Tomcat
Add a `org.apache.catalina.connector.Connector` to the
@ -488,6 +490,26 @@ HTTPS connector:
----
[[howto-use-tomcat-behind-a-proxy-server]]
=== Use Tomcat behind a front-end proxy server
Spring Boot will automatically configure Tomcat's `RemoteIpValve` if it detects some
environment settings. This allows you to transparently use the standard `x-forwarded-for`
and `x-forwarded-proto` headers that most front-end proxy servers add.
You can switch on the valve by adding some entries to application.properties, e.g.
[indent=0]
----
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
----
Alternatively, you can add the `RemoteIpValve` yourself by adding a
`TomcatEmbeddedServletContainerFactory` bean.
[[howto-use-jetty-instead-of-tomcat]]
=== Use Jetty instead of Tomcat
The Spring Boot starters (`spring-boot-starter-web` in particular) use Tomcat as an
@ -1163,16 +1185,16 @@ is a useful template to follow.
[[howto-enable-https]]
=== Enable HTTPS
=== Enable HTTPS when running behind a proxy server
Ensuring that all your main endpoints are only available over HTTPS is an important
chore for any application. If you are using Tomcat as a servlet container, then
Spring Boot will add Tomcat's own `RemoteIpValve` automatically if it detects some
environment settings, and you should be able to rely on the `HttpServletRequest` to
report whether it is secure or not (even downstream of the real SSL termination). The
standard behavior is determined by the presence or absence of certain request headers
(`x-forwarded-for` and `x-forwarded-proto`), whose names are conventional, so it should
work with most front end proxies. You can switch on the valve by adding some entries to
`application.properties`, e.g.
report whether it is secure or not (even downstream of a proxy server that handles the
real SSL termination). The standard behavior is determined by the presence or absence of
certain request headers (`x-forwarded-for` and `x-forwarded-proto`), whose names are
conventional, so it should work with most front end proxies. You can switch on the valve
by adding some entries to `application.properties`, e.g.
[source,properties,indent=0]
----