Running behind a reverse proxy

SOAP requests aimed towards services running on Quarkus can be routed through proxies that generate additional headers (e.g. X-Forwarded-Host) to keep information from the client-facing side of the proxy servers that is altered or lost when they are involved. In those scenarios, Quarkus can be configured to automatically update information like protocol, host, port and URI reflecting the values in these headers.

Refer to Quarkus HTTP reference for more details.

Quarkus CXF support for various X-Forwarded headers works in line with Quarkus configuration.

Activating this feature leaves the server exposed to several security issues (i.e. information spoofing). Consider activating it only when running behind a reverse proxy.

These are the relevant Quarkus properties and their effect on Quarkus CXF:

  • quarkus.http.proxy.proxy-address-forwarding - the main switch to enable the rewriting of the request destination parts.

    • If enabled, the rewriting of the request fields will be effective throughout the whole CXF server stack.

    • If enabled, the values passed via X-Forwarded-Proto and X-Forwarded-Port headers will be used to set the protocol part and the port part of the URL returned by jakarta.servlet.http.HttpServletRequest.getRequestURL() respectively.

    • If enabled, the value passed via X-Forwarded-For will be returned by jakarta.servlet.ServletRequest.getRemoteAddr().

  • quarkus.http.proxy.enable-forwarded-host - enable the rewriting of the host part of URL returned by jakarta.servlet.http.HttpServletRequest.getRequestURL(). The actual host name is taken from the header configured via quarkus.http.proxy.forwarded-host-header (default is X-Forwarded-Host).

  • quarkus.http.proxy.enable-forwarded-prefix - enable the rewriting of the path part of the URL returned by jakarta.servlet.http.HttpServletRequest.getRequestURL() and of the URI returned by jakarta.servlet.http.HttpServletRequest.getRequestURI(). The actual path prefix is taken from the header configured via quarkus.http.proxy.forwarded-prefix-header (default is X-Forwarded-Prefix).

Here is the most common snippet to copy to your application.properties:

quarkus.http.proxy.proxy-address-forwarding = true
quarkus.http.proxy.enable-forwarded-host = true
quarkus.http.proxy.enable-forwarded-prefix = true

One of the observable effects of these settings is the change of the location value in WSDL served on http://localhost:8080/services/my-service?wsdl. For example, if the request contains the following headers

X-Forwarded-Proto: https
X-Forwarded-Host: api.example.com
X-Forwarded-Port: 443
X-Forwarded-Prefix: /my-prefix

then the WSDL served on http://localhost:8080/services/my-service?wsdl would contain the following location:

...
<soap:address location="https://api.example.com:443/my-prefix/services/my-service"/>
...