Reverse Proxy

If there is a reverse proxy used in front of the Weave server then additional configuration must be setup for Weave to tell it that there is a reverse proxy. This is so that Weave can process the various headers provided by the proxy to determine the information required about the actual user rather than the proxy server (IP Address, HTTP vs HTTPS, etc).

Jetty 9

The default installation of Weave includes the Jetty 9 Web Application Server and “running” Weave involves running Jetty and Jetty then runs the Weave application, weave.war. So enabling reverse proxy support for a default Weave instance means enabling reverse proxy support for Jetty 9.

To enable reverse proxy support for Jetty 9 you should edit the file …\weave\jetty_base\etc\jetty.xml and add the following lines to the httpConfig item (before the closing </New> tag).

<Call name="addCustomizer"> <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg> </Call>

e.g.

<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration"> <Set name="secureScheme"><Property name="jetty.httpConfig.secureScheme" default="https" /></Set> <Set name="securePort"><Property name="jetty.httpConfig.securePort" deprecated="jetty.secure.port" default="8443" /></Set> <!-- more settings here that have been excluded for brevity --> <Set name="responseCookieCompliance"><Call class="org.eclipse.jetty.http.CookieCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.responseCookieCompliance" default="RFC6265"/></Arg></Call></Set> <Set name="multiPartFormDataCompliance"><Call class="org.eclipse.jetty.server.MultiPartFormDataCompliance" name="valueOf"><Arg><Property name="jetty.httpConfig.multiPartFormDataCompliance" default="RFC7578"/></Arg></Call></Set> <Call name="addCustomizer"> <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg> </Call> </New>

Note: as of Weave 2.6.8 this is done by default on a new installation, if you’ve upgraded from a previous release then you may still have to edit jetty.xml.

Reverse Proxy Requirements

The Jetty forward request customizer relies upon the X-Forwarded-Host and X-Forwarded-Proto headers to be set correctly in the reverse proxy that is setup in front of Jetty/Weave, be that Apache, IIS, NetScaler, nginx, haproxy, traefik, etc. This configuration change just tells Jetty to make use of those headers, it does not ensure that those headers have been set by the reverse proxy, it is your job to ensure that the reverse proxy is setup to do that.

Docker

When Weave is run as a Docker container it does the reverse of the default installation. Rather than running Weave within Jetty it runs Jetty within Weave (by including additional Jetty related plugins in the …\weave\platform\plugins directory) and this configuration (out of the box) does not use the same configuration files used when running Weave embedded in Jetty. So to make it easier to perform the configuration of the embedded Jetty plugins to correctly parse the required reverse proxy headers, Weave provides a custom plugin to perform the required changes. Currently this has to be enabled manually by you but that may change in the future.

To configure Weave to enable the reverse proxy customizer you should set the system property org.eclipse.equinox.http.jetty.customizer.class to the value com.cohga.jetty8.ReverseProxyCustomizer (note jetty8 is correct, the embedded version of Jetty is Jetty 8, not Jetty 9).

Other

If you’re running Weave embedded within a different Web Application Server (i.e. not Jetty 9), you will have to examine the documentation for that Web Application Server to determine if/how it can be configured to correctly parse the proxy headers sent by the reverse proxy.