Can WebLogic be Configured to Use X-Forwarded-Proto Header Running in AWS (Doc ID 2976928.1)

Last updated on SEPTEMBER 28, 2023

Applies to:

Goal

Can WebLogic be configured to use X-Forwarded-Proto header?

Additional Details:

1) PeopleSoft applications/WebLogic is running in AWS.
AWS Application Load Balancer (ALB) inserts X-Forwarded-Proto header which contains the protocol used by client to connect.
Can WebLogic be configured to use X-Forwarded-Proto to make the determination whether client connected through https or not?
WL-Proxy-SSL header was previously used with other Load Balancers, but that is not an option for AWS Application Load Balancer (ALB).

2) Here is more information about X-Forwarded-Proto header - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html#x-forwarded-proto

3) Virtual Addressing can be used; however, vulnerabilities related to enabling HTTP response header field named Strict-Transport-Security (aka: HSTS) should be mitigated too.
HSTS can be enabled in WebLogic, but the HSTS header is not being honored/sent by AWS Application Load Balancer (ALB).
In the F5 Load Balancer, the WL-Proxy-SSL header could be sent to WebLogic to indicate that SSL is being offloaded at the Load Balancer.
That header is not available in AWS Application Load Balancer, but the X-Forwarded-Proto is similar and available in AWS.

4) Oracle Cloud Infrastructure (OCI)'s LBaas is not being used.

WebLogic Server uses WL-Proxy-SSL:true to construct a response header properly but not X-Forwarded-Proto.
So can't AWS Load Balancer read this and Accept ?

Has there been further review if AWS Load Balancer will configure custom HTTP headers ?

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.