Although I access DXP using https, CDN urls use http
How To articles are not official guidelines or officially supported
documentation. They are community-contributed content and may not always
reflect the latest updates to Liferay DXP. We welcome your feedback to
improve How to articles!
While we make every effort to ensure this Knowledge Base is accurate,it
may not always reflect the most recent updates or official guidelines.We
appreciate your understanding and encourage you to reach out with any
feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack"
publication program, made available for informational purposes. Articles
in this program were published without a requirement for independent
editing or verification and are provided"as is" without
guarantee.
Before using any information from this article, independently verify its
suitability for your situation and project.
Issue
- If there is a load balancer in front of the DXP nodes responsible of the SSL offloading and the use of a CDN has been configured, when DXP is accessed using the https protocol, the content is downloaded from the CDN using http and not https.
- The use of a CDN has been configured using the following properties (its values are fictional):
#
# Set the hostname that will be used to serve static content via a CDN for
# requests made over the HTTP protocol. This property can be disabled
# dynamically at runtime by setting the URL parameter "cdn_enabled" to "0".
# The value must always include the full protocol.
#
cdn.host.http=http://localhostCDN
#
# Set the hostname that will be used to serve static content via a CDN for
# requests made over the HTTPS protocol. This property can be disabled
# dynamically at runtime by setting the URL parameter "cdn_enabled" to "0".
# The value must always include the full protocol.
#
cdn.host.https=https://localhostCDN
Resolution
- This happens when the balancer receives traffic in https but send the requests to the DXP node using http (as this balancer does the SSL offloading).
- In order to avoid this problem we find these alternatives:
- Setting up a tomcat connector using the attributes
secure="true" and scheme="https" and direct the balancer requests to it. This way the application server will know that the request received by that connector should be answered in a secure context. As a drawback, this connector will not be accesible using a browser through http, it will only work properly when accessed from behind the balancer.
- Setting certain headers in the balancer that inform the application server that the request is secure. We talk about the
X-Forwarded-Proto= https header. As drawbacks, this is not guaranteed that this will work with the 100% of portal features. The reason for this is that not in every context has the portal access to the original request from the balancer so it is possible that, as an example, in some email notifications URLs with the wrong protocol appear.
- If the balancer is doing the SSL offloading and it is responsible of changing from https to http, let it be also the responsible of reverting from http to https. As a drawback, this usually implies doing complex rewrites in the balancer both of the request headers and request's contents.
Did this article resolve your issue ?
