I am creating an HTTPS connection to my WAR app on Tomcat (localhost:8080/myApp).
Inside we have an Angular and Java app. I created an nginx config and, after reviewing some similar questions here and here, have this:
server {
    if ($https = "") {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name my.app.com www.my.app.com;
    return 404;
}

server {
    server_name my.app.com www.my.app.com;
    access_log /var/log/nginx/expertry-access.log;
    error_log /var/log/nginx/expertry-error.log;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_pass http://localhost:8080/myApp/;
    }
    location /myApp/min {
        alias /var/www/httpdocs/my.app.com/myApp/src/main/resources/static/min/;
    }
    location /assets/ {
        alias /var/www/httpdocs/my.app.com/myApp/src/main/resources/static/assets/;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/app.expertry.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.app.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
The trouble is that the my.app.com/login page works fine, but after sending the login form with some credentials I get a 302 redirect to the same page without any response, and nothing happens in the BE or Angular part.
What is wrong? Maybe some header reconfiguration is needed, or something else?
Logs: 302 from the network tab

Request URL: https://my.app.com/login
Request Method: POST
Status Code: 302 Found
Remote Address: 5.189.249.46:64062
Referrer Policy: strict-origin-when-cross-origin

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Length: 0
Date: Mon, 25 Mar 2024 13:39:59 GMT
Expires: 0
Location: https://my.app.com/login
Pragma: no-cache
Server: nginx/1.18.0 (Ubuntu)
Set-Cookie: JSESSIONID=99630EAB249FF4578E12809749C2C72F; Path=/myApp; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7,uk;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 68
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.2.1925035569.1710852928; _gid=GA1.2.2111176261.1711364383; _gat=1; _ga_K42MQL5WDW=GS1.2.1711373521.7.1.1711373994.0.0.0
Host: my.app.com
Origin: https://my.app.com
Referer: https://my.app.com/login
Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Payload: payload
And after that, 200 OK:

Request URL: https://my.app.com/login
Request Method: GET
Status Code: 200 OK
Remote Address: 5.189.249.46:64062
Referrer Policy: strict-origin-when-cross-origin

HTTP/1.1 200
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 25 Mar 2024 13:39:59 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Application-Context: application:prod,git:443
Set-Cookie: JSESSIONID=3055B06B41BDEF5F8BEC05C36279A927; Path=/myApp; HttpOnly
Content-Language: ru-RU
Content-Encoding: gzip
GET /login HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7,uk;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Cookie: _ga=GA1.2.1925035569.1710852928; _gid=GA1.2.2111176261.1711364383; _gat=1; _ga_K42MQL5WDW=GS1.2.1711373521.7.1.1711373994.0.0.0
Host: my.app.com
Referer: https://my.app.com/login
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
UPD: Locally I tested the app with curl and got a normal response without any 302 loop, just an incorrect login and password.
UPD2: During my experiments I dropped all changes from server.xml, and now the redirection loop problem is gone, but one still remains.
UPD3: To check from the browser I use this code snippet, and the login page works properly, as expected:
// Build the same multipart form body the login page submits, then POST it to /login
let formData = new FormData();
formData.append('_csrf:', 'c7db50b5-a653-4f67-8b73-7d79adc52da73');
formData.append('userName', 'sdasd');
formData.append('password', 'sdasd');
formData.append('remember', 'on');
fetch("/login", {
    body: formData,
    method: "post"
});
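As an added check (not part of the original question, nor nginx or Tomcat code), the script below applies the RFC 6265 section 5.1.4 cookie path-match rule to the Set-Cookie and the follow-up request captured above: a cookie scoped to Path=/myApp is not sent on a request to /login, so the session the POST established is not presented on the GET the 302 points at. The last function simulates a prefix rewrite of the Path attribute of the kind nginx's proxy_cookie_path directive performs; the prefixes /myApp and / used there are assumptions, not values from the question.

```python
"""RFC 6265 (section 5.1.4) cookie path-match check for the headers captured in
the question: is the JSESSIONID cookie set by the 302 response sent back on the
follow-up GET to the Location it redirected to?"""
from urllib.parse import urlsplit

# Copied from the captured 302 response in the question
SET_COOKIE = "JSESSIONID=99630EAB249FF4578E12809749C2C72F; Path=/myApp; HttpOnly"
# The Location of that 302, i.e. the URL of the follow-up GET
NEXT_URL = "https://my.app.com/login"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "value": value, "attrs": attrs}


def path_matches(request_path: str, cookie_path: str) -> bool:
    """True when the paths are equal, or cookie_path is a prefix that ends in '/',
    or the first request_path character after the prefix is '/' (so a cookie
    scoped to /myApp covers /myApp/login but not /myAppX or /login)."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_on(header: str, url: str) -> bool:
    """Would a browser include the cookie from this Set-Cookie on a request to url?"""
    cookie_path = parse_set_cookie(header)["attrs"].get("path", "/")
    return path_matches(urlsplit(url).path or "/", cookie_path)


def rewrite_cookie_path(header: str, old_prefix: str, new_prefix: str) -> str:
    """Simulate a prefix rewrite of the Path attribute, as an nginx proxy_cookie_path
    directive does on proxied responses (the prefixes used are assumptions)."""
    out = []
    for part in (p.strip() for p in header.split(";")):
        key, _, val = part.partition("=")
        if key.lower() == "path" and val.startswith(old_prefix):
            part = "Path=" + new_prefix + val[len(old_prefix):]
        out.append(part)
    return "; ".join(out)
```

Run `cookie_sent_on(SET_COOKIE, NEXT_URL)` to see the captured cookie is not returned on /login, and `cookie_sent_on(rewrite_cookie_path(SET_COOKIE, "/myApp", "/"), NEXT_URL)` to see that a Path of / would be.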