Commit 6268322

author
Phillip Webb
committed
Tighten up documentation on SSL and HTTPS
Fixes gh-640
1 parent 59496ab commit 6268322

1 file changed

+28
-6
lines changed

spring-boot-docs/src/main/asciidoc/howto.adoc

Lines changed: 28 additions & 6 deletions
@@ -448,6 +448,8 @@ that sets up the connector to be secure:
448448
}
449449
----
450450

451+
452+
451453
[[howto-enable-multiple-connectors-in-tomcat]]
452454
=== Enable Multiple Connectors Tomcat
453455
Add a `org.apache.catalina.connector.Connector` to the
@@ -488,6 +490,26 @@ HTTPS connector:
488490
----
489491

490492

493+
494+
[[howto-use-tomcat-behind-a-proxy-server]]
495+
=== Use Tomcat behind a front-end proxy server
496+
Spring Boot will automatically configure Tomcat's `RemoteIpValve` if it detects some
497+
environment settings. This allows you to transparently use the standard `x-forwarded-for`
498+
and `x-forwarded-proto` headers that most front-end proxy servers add.
499+
500+
You can switch on the valve by adding some entries to application.properties, e.g.
501+
502+
[indent=0]
503+
----
504+
server.tomcat.remote_ip_header=x-forwarded-for
505+
server.tomcat.protocol_header=x-forwarded-proto
506+
----
507+
508+
Alternatively, you can add the `RemoteIpValve` yourself by adding a
509+
`TomcatEmbeddedServletContainerFactory` bean.
510+
511+
512+
491513
[[howto-use-jetty-instead-of-tomcat]]
492514
=== Use Jetty instead of Tomcat
493515
The Spring Boot starters (`spring-boot-starter-web` in particular) use Tomcat as an
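Review bot: The new "Use Tomcat behind a front-end proxy server" section tells readers to set `server.tomcat.remote_ip_header` and `server.tomcat.protocol_header` but never says that `x-forwarded-for` and `x-forwarded-proto` are ordinary request headers that any client can send. Please add a sentence stating that the valve should only be switched on when the application is reachable solely through a proxy that sets or overwrites these headers, and point to the `RemoteIpValve` `internalProxies` attribute for restricting which upstream addresses are trusted. Two smaller points in the same hunk: the listing is introduced with `[indent=0]` while the existing block in the HTTPS section uses `[source,properties,indent=0]`, and `application.properties` is not in backticks here as it is there. The closing "Alternatively, you can add the `RemoteIpValve` yourself" sentence would also be more useful with a short example of the bean.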
@@ -1163,16 +1185,16 @@ is a useful template to follow.
11631185

11641186

11651187
[[howto-enable-https]]
1166-
=== Enable HTTPS
1188+
=== Enable HTTPS when running behind a proxy server
11671189
Ensuring that all your main endpoints are only available over HTTPS is an important
11681190
chore for any application. If you are using Tomcat as a servlet container, then
11691191
Spring Boot will add Tomcat's own `RemoteIpValve` automatically if it detects some
11701192
environment settings, and you should be able to rely on the `HttpServletRequest` to
1171-
report whether it is secure or not (even downstream of the real SSL termination). The
1172-
standard behavior is determined by the presence or absence of certain request headers
1173-
(`x-forwarded-for` and `x-forwarded-proto`), whose names are conventional, so it should
1174-
work with most front end proxies. You can switch on the valve by adding some entries to
1175-
`application.properties`, e.g.
1193+
report whether it is secure or not (even downstream of a proxy server that handles the
1194+
real SSL termination). The standard behavior is determined by the presence or absence of
1195+
certain request headers (`x-forwarded-for` and `x-forwarded-proto`), whose names are
1196+
conventional, so it should work with most front end proxies. You can switch on the valve
1197+
by adding some entries to `application.properties`, e.g.
11761198

11771199
[source,properties,indent=0]
11781200
----
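Review bot: The retitled "Enable HTTPS when running behind a proxy server" section now repeats what the new `howto-use-tomcat-behind-a-proxy-server` section says (the automatic `RemoteIpValve` configuration and "You can switch on the valve by adding some entries to `application.properties`"), so the two copies can drift apart. Consider keeping the properties listing in one section and cross-referencing it from the other. The anchor is still `[[howto-enable-https]]` although the title is now specific to the proxy case; if that is kept for the sake of existing links, it is worth checking that no other part of the guide uses that anchor to mean direct HTTPS. The sentence "you should be able to rely on the `HttpServletRequest` to report whether it is secure or not" should also state the condition that the forwarded headers are set by the proxy and not passed through from the client.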
