Hello,
I use ORDS 22.4 to access APEX applications.
ORDS runs in Tomcat and is access throught ProxyPass in Apache configuration like this:
<Location "/apex">
ProxyPreserveHost On
RequestHeader unset Origin
ProxyPass "http://127.0.0.1:8080/ords/apex"
ProxyPassReverse "/ords/apex"
</Location>
My ORDS run behind a Proxy which manage the SSL Certificate so my ORDS listen en HTTP port.
Using ORDS 19.X, we set the parameter security.forceHTTPS to force HTTPS in ORDS Response like 302-Location:
Now, in ORDS 22.4, I don't see a reference on security.forceHTTPS parameter in documentation.
Maybe I missed something.
On Doc 2139195.1, it is explained that
"To fix the problem the load balancer must be configured to communicate to the HTTP server that the request was received over https.
There is no one method to do this and there are many variations on the basic approach,
but the general idea is to add a header to the forwarded request that indicates what protocol request was received by the load balancer."
If it's not possible to add a Header you should use the following parameter in ORDS
<entry key="security.forceHTTPS">true</entry>
I tries this parameter but it doesn't work in ORDS 22.4
All 302 redirection are made with HTTP and not HTTPS
Maybe I should use the parameter "security.httpsHeaderCheck"
I tried by adding it in the global/setting.xml, restart ORDS (Tomcat) and check with the command:
ords config list --include-defaults
The parameter appears in the list.
security.httpsHeaderCheck X-Forwarded-Proto: https Global
After that I added the following line in the Apache Configuration:
RequestHeader set X-Forwarded-Proto https
<Location "/apex">
ProxyPreserveHost On
RequestHeader unset Origin
RequestHeader set X-Forwarded-Proto https
ProxyPass "http://127.0.0.1:8080/ords/apex"
ProxyPassReverse "/ords/apex"
</Location>
But it doesn't work.
I cannot find How to force HTTPS in ORDS Response ?
Thanks in advance