Can WebLogic be Configured to Use X-Forwarded-Proto Header Running in AWS
(Doc ID 2976928.1)
Last updated on SEPTEMBER 28, 2023
Applies to: Oracle WebLogic Server - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
Can WebLogic be configured to use X-Forwarded-Proto header?
1) PeopleSoft applications/WebLogic are running in AWS.
The AWS Application Load Balancer (ALB) inserts the X-Forwarded-Proto header, which contains the protocol the client used to connect.
Can WebLogic be configured to use X-Forwarded-Proto to determine whether the client connected through HTTPS?
The WL-Proxy-SSL header was previously used with other load balancers, but that is not an option for the AWS Application Load Balancer (ALB).
2) More information about the X-Forwarded-Proto header: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html#x-forwarded-proto
3) Virtual Addressing can be used; however, vulnerabilities related to enabling the HTTP response header field named Strict-Transport-Security (HSTS) should be mitigated too.
HSTS can be enabled in WebLogic, but the HSTS header is not being honored/sent by AWS Application Load Balancer (ALB).
In the F5 Load Balancer, the WL-Proxy-SSL header could be sent to WebLogic to indicate that SSL is being offloaded at the Load Balancer.
That header is not available in AWS Application Load Balancer, but the X-Forwarded-Proto is similar and available in AWS.
4) Oracle Cloud Infrastructure (OCI)'s LBaas is not being used.
WebLogic Server uses WL-Proxy-SSL: true to construct a response header properly, but not X-Forwarded-Proto.
So can't AWS Load Balancer read this and accept?
Has there been further review of whether AWS Load Balancer will configure custom HTTP headers?
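The gap described above can be illustrated at the application level. The servlet filter below is an added example, not Oracle's documented solution or code from this document: it presents a request as HTTPS when X-Forwarded-Proto says so, but only if the direct peer is a known load balancer address. The class name, the `trustedProxies` init-param, the sample addresses and port 443 are all assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class ForwardedProtoFilter implements Filter {
    // Constructed placeholder addresses for the load balancer nodes (assumption).
    private Set<String> trustedProxies = new HashSet<>(Arrays.asList("10.0.1.10", "10.0.2.10"));

    @Override public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("trustedProxies"); // hypothetical init-param name
        if (p != null) trustedProxies = new HashSet<>(Arrays.asList(p.trim().split("\\s*,\\s*")));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String proto = http.getHeader("X-Forwarded-Proto");
        // Any client can send this header, so honor it only when the direct peer is the load balancer.
        boolean viaProxy = trustedProxies.contains(http.getRemoteAddr());
        if (viaProxy && "https".equalsIgnoreCase(proto)) {
            chain.doFilter(new HttpsView(http), res);
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override public void destroy() { }

    /** Presents the request as HTTPS to the application: scheme, secure flag, port, URL. */
    private static final class HttpsView extends HttpServletRequestWrapper {
        HttpsView(HttpServletRequest r) { super(r); }
        @Override public String getScheme() { return "https"; }
        @Override public boolean isSecure() { return true; }
        @Override public int getServerPort() { return 443; } // assumption: listener on 443
        @Override public StringBuffer getRequestURL() {
            return new StringBuffer("https://").append(getServerName()).append(getRequestURI());
        }
    }
}
```

The wrapper changes only what application code reads from the request object; it is not a WebLogic setting, and the container's own redirect handling is outside what it shows.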