 

Spring Boot HTTPS redirect loop after Swisscom Application Cloud update

We are using the Swisscom Application Cloud to run our Spring Boot application. After their "Migration to multi-cloud environment" on 2018-02-22 (Swisscom Status Page), our application completely failed to serve any request.

The problem was found to be the automated redirection of HTTP to HTTPS. We were doing this in the SecurityConfiguration of our application like this:

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // [...]

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // [...]
        if (env.acceptsProfiles(SPRING_PROFILE_PRODUCTION)) {
            http.requiresChannel().anyRequest().requiresSecure();
        }
    }
}

How can Spring Boot be configured to only allow HTTPS connections while at the same time not fall into a redirect loop using the Swisscom Application Cloud?

ssc-hrep3 asked Jan 27 '26 10:01


1 Answer

As part of the migration to multi-cloud there was a major change in the used IP ranges.

Due to this, the Tomcat buildpack has issues with redirection, as these IPs are not trusted. We fixed this in the latest version of the system buildpack.

Please restage your application to apply those changes. Further information can be found in our docs: https://docs.developer.swisscom.com/devguide-sc/buildpacks/java/caveats.html

Update:

Unfortunately, if you're using Spring Boot with an embedded Tomcat, our buildpack cannot do this configuration for you. You have to configure the internal proxies whitelist in your app config. Please see the instructions in the docs above.

Update 28th Nov: We've updated the config in our buildpacks for the new ranges that CF now uses with Envoy. If you use your own buildpack, please update the ranges.

As described in: https://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-servlet-containers.html#howto-customize-tomcat-behind-a-proxy-server

We'll update the documentation right away.

Matthias Winzeler answered Jan 31 '26 00:01
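
The loop described in the answer, modelled as an added example (not code from the original post, from Tomcat, or from the Swisscom buildpack): the app honours X-Forwarded-Proto only when the connecting peer matches the internal proxies whitelist, so a router address outside the whitelist makes every HTTPS request look like plain HTTP. The addresses and both patterns are constructed placeholders; the real ranges are the ones given in the Swisscom documentation linked above.

```java
import java.util.regex.Pattern;

// Simplified model of the trust decision, not Tomcat or buildpack source.
// In Spring Boot the pattern is set with server.tomcat.internal-proxies
// (server.tomcat.remoteip.internal-proxies from 2.3 on).
public class ForwardedProtoTrustDemo {

    // Constructed "before" whitelist: only 10.0.0.0/8 and 192.168.0.0/16.
    static final Pattern BEFORE = Pattern.compile(
            "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}");

    // Constructed "after" whitelist: adds the placeholder router range
    // 198.51.100.0/24 (documentation range, NOT the real platform range).
    static final Pattern AFTER = Pattern.compile(
            BEFORE.pattern() + "|198\\.51\\.100\\.\\d{1,3}");

    /** Scheme the app believes the client used for this request. */
    static String effectiveScheme(String peerAddr, String forwardedProto, Pattern trusted) {
        // TLS ends at the router, so the socket to the app is plain HTTP.
        // The header overrides that only when the TCP peer is whitelisted.
        if (forwardedProto != null && trusted.matcher(peerAddr).matches()) {
            return forwardedProto.toLowerCase();
        }
        return "http";
    }

    /** Redirects a client already on HTTPS receives; -1 means a loop. */
    static int redirectsUntilServed(String routerAddr, Pattern trusted, int maxHops) {
        for (int hop = 0; hop < maxHops; hop++) {
            // The router always reports the real client scheme: https.
            if (effectiveScheme(routerAddr, "https", trusted).equals("https")) {
                return hop; // requiresSecure() is satisfied, request is served
            }
            // Otherwise the app answers 302 to https:// and the client retries.
        }
        return -1;
    }

    public static void main(String[] args) {
        String router = "198.51.100.7"; // constructed router address
        System.out.println("before: " + redirectsUntilServed(router, BEFORE, 20));
        System.out.println("after:  " + redirectsUntilServed(router, AFTER, 20));
        // An untrusted peer cannot claim HTTPS by sending the header itself.
        System.out.println("spoof:  "
                + effectiveScheme("203.0.113.9", "https", AFTER));
    }
}
```

Keeping the whitelist limited to the platform's router ranges, rather than trusting every source, is what stops an arbitrary client from asserting HTTPS through a forged header.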


