<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal>I’m setting up midPoint on Google Cloud Platform, where it will serve as my IDP for internal users (which right now is me, myself and I) and external users (which right now is my wife and my dog).</p>
<p class=MsoNormal>I’ll have various other admin and devops apps running in this environment. Of course, I don’t want these publicly accessible.</p>
<p class=MsoNormal>One approach is to implement a VPN into the cloud, but Google recommends a different approach: an “identity-aware” load balancer/proxy. None of the internal apps will have public IP addresses, and the proxy will only let authenticated users through. I can then set up auth schemes appropriately, leveraging Google infrastructure at least for the internal users.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>The load balancer only accepts SSL:443 connections on the public-facing IP address <a href="https://internal.mydomain.com">https://internal.mydomain.com</a>. After authenticating, the request is forwarded to the internal midPoint server on <a href="http://midpoint-internalip:8080">http://midpoint-internalip:8080</a>.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>I’ve got this set up and working, but every time I load a page or click a link, it redirects to http, to which the Google load balancer rudely responds with a 404. Note that if I edit the URL after every page load and manually add https, the correct page comes up. It just keeps reverting to http.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>I can’t rule out the possibility that there’s something going on with cached pages or DNS, but I think these are links or redirects coming from midPoint.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>I’ve found a few discussions on the net about configuring Tomcat to work with forwarded requests:</p>
<p class=MsoNormal><a href="https://serverfault.com/questions/181177/rewriting-302-app-server-redirect-urls-with-apache-proxy-in-the-middle">https://serverfault.com/questions/181177/rewriting-302-app-server-redirect-urls-with-apache-proxy-in-the-middle</a></p>
<p class=MsoNormal><a href="https://serverfault.com/questions/388927/apache-reverseproxypass-redrects-to-http-rather-than-https">https://serverfault.com/questions/388927/apache-reverseproxypass-redrects-to-http-rather-than-https</a></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>The recommendation is to use a valve in the Tomcat server.xml that handles the x-forwarded-protocol header:</p>
<pre>&lt;Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="x-forwarded-protocol" /&gt;</pre>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Looking at the midpoint.war file, though, I don’t see a server.xml. I’ve been out of the Java loop for a while, but is the application.yml file taking the place of server.xml? Is there a way to configure this valve in that file?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Thanks for any advice.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Eric</p>
</div></body></html>
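<p class=MsoNormal>An added example, not from Eric’s message or from the midPoint project: if midPoint’s application.yml is an ordinary Spring Boot application.yml and the bundled Tomcat is Spring Boot’s embedded Tomcat (2.2 or later), the same RemoteIpValve that the server.xml snippet above configures is switched on through server properties instead. The header names and the proxy source-address ranges below are assumptions; verify them against the headers and source addresses the Google load balancer actually uses in front of the backend.</p>

```yaml
# Added example (not from the original message or from midPoint).
# Assumes: a standard Spring Boot application.yml, Spring Boot 2.2+ embedded
# Tomcat, and a proxy that sets X-Forwarded-Proto / X-Forwarded-For.
server:
  # NATIVE = let Tomcat's own RemoteIpValve rewrite scheme, host and client
  # address from the forwarded headers, the same effect as the <Valve .../>
  # line in server.xml. Redirects are then built with https://internal.mydomain.com
  # instead of the backend's http://...:8080.
  forward-headers-strategy: native
  tomcat:
    remoteip:
      # Header carrying the original scheme. Google's HTTP(S) load balancer
      # sends X-Forwarded-Proto; use x-forwarded-protocol only if the proxy
      # in front really sets that name.
      protocol-header: x-forwarded-proto
      protocol-header-https-value: https
      # Header carrying the original client address (X-Forwarded-For chain).
      remote-ip-header: x-forwarded-for
      # Security-relevant part: the valve only believes those headers when the
      # immediate peer address matches this regex. Anything else could send its
      # own X-Forwarded-Proto / X-Forwarded-For and spoof its scheme and source
      # IP. The default only matches private ranges, so traffic arriving from
      # Google's front ends would be ignored unless their ranges are listed.
      # 130.211.0.0/22 and 35.191.0.0/16 are the ranges Google documents for
      # its load balancer / health-check traffic; confirm them before relying
      # on this value.
      internal-proxies: '130\.211\.[0-3]\.\d{1,3}|35\.191\.\d{1,3}\.\d{1,3}'
```

<p class=MsoNormal>Spring Boot adds the RemoteIpValve to the embedded Tomcat when these remoteip properties (or forward-headers-strategy: native) are set, so no server.xml is involved. On Spring Boot releases before 2.2 the equivalent keys are server.use-forward-headers: true together with server.tomcat.protocol-header, server.tomcat.remote-ip-header and server.tomcat.internal-proxies. Once applied, a page that previously bounced to http should answer with a Location header that starts with https://internal.mydomain.com; if it still says http://, the header name or the internal-proxies match is the first thing to check.</p>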