OpenAPI URL ignores X-Forwarded headers
I am using 1.3.2.Final and trying to run the registry behind an Nginx proxy. Setting the X-Forwarded header variables per #513 does not work, for two reasons. The first is that the application sends a 302 redirect for "/ui" to "/ui/". That redirect ignores the X-Forwarded variables and sets the scheme back to http:
Location: http://xxxxxxxx/ui/
Adding a redirect (rewrite ^/ui$ /ui/ redirect;) to the Nginx config gets past that. I don’t see any issues with doing so.
The second reason is that browsing to https://xxxxxxxx/api fails because the response includes the HTTP scheme in one of its URLs (http://xxxxxxxx/openapi?format=JSON). The error is similar to the Mixed-Content error described in #513.
Mixed Content: The page at ‘https://xxxxxxxx/api’ was loaded over HTTPS, but requested an insecure resource ‘http://xxxxxxxx/openapi?format=JSON’. This request has been blocked; the content must be served over HTTPS.
It seems like generateSpecUrl in app/src/main/java/io/apicurio/registry/ui/servlets/SpecUrlFilter.java is forcing the http prefix.
```java
/**
 * Generates a URL that the caller can use to access the API.
 * @param request
 */
private String generateSpecUrl(HttpServletRequest request) {
    try {
        // getRequestURL() reflects the scheme the container itself saw,
        // which is plain http when TLS is terminated at the proxy.
        String url = request.getRequestURL().toString();
        url = new URI(url).resolve("/openapi?format=JSON").toString();
        return url;
    } catch (URISyntaxException e) {
        throw new RuntimeException(e);
    }
}
```
The url creation doesn't test for the scheme like generateApiUrl in app/src/main/java/io/apicurio/registry/ui/servlets/ConfigJsServlet.java does. Adding that test and update logic to generateSpecUrl doesn't work because request.isSecure() is returning false in this method. I whacked it just to confirm that updating the scheme in this method does resolve the Mixed Content error:
```java
/**
 * Generates a URL that the caller can use to access the API.
 * @param request
 */
private String generateSpecUrl(HttpServletRequest request) {
    try {
        String url = request.getRequestURL().toString();
        url = new URI(url).resolve("/openapi?format=JSON").toString();
        // isSecure() check disabled on purpose to confirm the diagnosis:
        // forcing https here makes the Mixed Content error go away.
        if (url.startsWith("http:") /*&& request.isSecure()*/) {
            url = url.replaceFirst("http", "https");
        }
        return url;
    } catch (URISyntaxException e) {
        throw new RuntimeException(e);
    }
}
```
This works in my environment, but obviously would break environments using HTTP only. Someone should find out why request.isSecure() is returning false.
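The issue above boils down to the container seeing plain http from the proxy, so anything built from getRequestURL() or isSecure() publishes the wrong scheme. The following is an added example, not code from the Apicurio project or from the reporter: a small helper that rebuilds the external base URL from X-Forwarded-Proto and X-Forwarded-Host, but only when the TCP peer is one of the configured proxy addresses. Without that check any client that can reach the container directly could inject its own scheme and host into every generated link. The class name ForwardedUrlResolver, the trusted proxy address 10.0.0.5 and all header values in main() are assumptions; in generateSpecUrl the inputs would come from request.getRemoteAddr(), request.getScheme(), request.getHeader("Host"), request.getHeader("X-Forwarded-Proto") and request.getHeader("X-Forwarded-Host").

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not Apicurio code: derive the externally visible URL for a
 * request that arrived through a reverse proxy. X-Forwarded-Proto and
 * X-Forwarded-Host are honoured only when the TCP peer is one of the
 * configured proxy addresses; otherwise a direct client could set them to
 * any value and poison every URL the application generates.
 */
public final class ForwardedUrlResolver {

    /** host[:port] only; rejects CR/LF, slashes, userinfo and similar junk. */
    private static final Pattern SAFE_HOST =
            Pattern.compile("^[A-Za-z0-9.-]+(:[0-9]{1,5})?$");

    /** Addresses of the proxies allowed to set X-Forwarded-* (assumed configuration). */
    private final Set<String> trustedProxies;

    public ForwardedUrlResolver(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /**
     * @param remoteAddr     request.getRemoteAddr(), i.e. the TCP peer
     * @param scheme         request.getScheme() as the container saw it ("http" behind nginx)
     * @param hostHeader     Host header as the container saw it
     * @param forwardedProto X-Forwarded-Proto header, or null if absent
     * @param forwardedHost  X-Forwarded-Host header, or null if absent
     * @param path           absolute path to resolve, e.g. "/openapi?format=JSON"
     */
    public String resolve(String remoteAddr, String scheme, String hostHeader,
                          String forwardedProto, String forwardedHost, String path) {
        String effectiveScheme = scheme;
        String effectiveHost = hostHeader;

        if (trustedProxies.contains(remoteAddr)) {
            // With chained proxies the header is a comma-separated list; the
            // first element is what the outermost (client-facing) proxy saw.
            String proto = firstValue(forwardedProto);
            if ("https".equals(proto) || "http".equals(proto)) {
                effectiveScheme = proto;
            }
            String host = firstValue(forwardedHost);
            if (host != null && SAFE_HOST.matcher(host).matches()) {
                effectiveHost = host;
            }
        }

        try {
            // Assemble the base from parts instead of string-replacing "http"
            // with "https", so a host or path containing "http" is never mangled.
            URI base = new URI(effectiveScheme, effectiveHost, "/", null, null);
            return base.resolve(path).toString();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unusable host: " + effectiveHost, e);
        }
    }

    private static String firstValue(String header) {
        if (header == null) {
            return null;
        }
        String first = header.split(",", 2)[0].trim();
        return first.isEmpty() ? null : first.toLowerCase(Locale.ROOT);
    }

    /** Constructed sample requests; nothing here is captured from a real deployment. */
    public static void main(String[] args) {
        ForwardedUrlResolver resolver = new ForwardedUrlResolver(Set.of("10.0.0.5"));

        // Relayed by the trusted nginx instance: TLS was terminated there, so the
        // container sees plain http and isSecure() is false, but the forwarded
        // headers are trusted and an https URL is published.
        System.out.println(resolver.resolve("10.0.0.5", "http", "registry.internal:8080",
                "https", "registry.example.com", "/openapi?format=JSON"));

        // The same headers sent directly by an untrusted client are ignored and
        // the container's own scheme and host are used.
        System.out.println(resolver.resolve("203.0.113.9", "http", "registry.internal:8080",
                "https", "attacker.example", "/openapi?format=JSON"));
    }
}
```

The peer-address check is what makes this safe: an Nginx `proxy_set_header X-Forwarded-Proto $scheme;` line overwrites whatever the client sent, but only on requests that actually pass through Nginx, so the application must not believe those headers from any other source. Whether the container is configured to apply the same logic itself (the subject of #513) or the application does it as above, the resulting URL is correct for both http-only and TLS-terminating deployments, unlike the hard-coded `replaceFirst("http", "https")` workaround.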
Created 3 years ago; 6 comments (5 by maintainers)
Top GitHub Comments
But it might be better to wait for 2.0.0.CR1, which is scheduled for Thursday.

@mdhender The 2.0.0 release candidate is out if you want to give that a try:
https://github.com/Apicurio/apicurio-registry/releases/tag/2.0.0.RC1
Appropriate docker image tags have been created:
https://hub.docker.com/layers/apicurio/apicurio-registry-mem/2.0.0.RC1/images/sha256-e32e1b9d9999d3367cbaf8d81fceba78a7e678328f243993f935df73cf7a5bad?context=explore