JETTY Generates 302 Redirects Using Wrong Protocol when SSL is Terminated Upstream (Doc ID 3013718.1)

Last updated on JANUARY 06, 2025

Applies to:

Symptoms

When standalone ORDS is fronted by a load balancer that terminates SSL/TLS, the embedded Jetty generates 302 Location redirects using the wrong protocol
scheme - HTTP. The issue occurs when Jetty itself handles the redirect as opposed to ORDS war. The load balancer sets all expected X-Forwarded-*
headers.

The 2 common paths where this behavior can be seen are / and /ords:

$ curl -v https://<domain>/
...
> GET / HTTP/1.1
> Host: foo.<domain>

> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 24 Jun 2020 14:52:39 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: http://<domain>/ords/

$ curl -v https://<domain>/ords
...
> GET /ords HTTP/1.1
> Host: <domain> 
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 24 Jun 2020 14:54:12 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: http:/<domain>/ords/

ORDS war generates the correct 302 Location redirects since it is
configured with security.httpsHeaderCheck parameter and respects the
X-Forwarded-Proto header:

$ curl -v https://<domain>/ords/
...
> GET /ords/ HTTP/1.1
> Host: <domain> 
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 24 Jun 2020 14:55:12 GMT
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Content-Type-Options: nosniff
< X-Xss-Protection: 1; mode=block
< Cache-Control: no-store
< Pragma: no-cache
< Expires: Sun, 27 Jul 1997 13:00:00 GMT
< Set-Cookie: ...
secure; HttpOnly
< Set-Cookie:....; secure; HttpOnly
< Location: https://<domain>/ords/f?p=4550:1:709238504087009:::::

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.