Issue

When AEM is accessed through an SSL-terminated load balancer (or SSL-terminated CDN), AEM redirects back from https to http.

SSL termination at the load balancer means that the SSL certificates are installed in the load balancer. The end user accesses the site through https://, and the Dispatcher/Web Server and AEM are accessed on the back end with http://.

Cause

Different load balancers send different headers to notify the back end systems that SSL is terminated upstream. For example, Amazon ELB uses the header "X-Forwarded-Proto: https".

Resolution

To fix the issue:

I. Install Hot fix 6922:

If you are on AEM 6.0 or 6.1:

  1. Contact AEM Customer Care and request hot fix 6922. The hot fix is for AEM 6.0, but it works on AEM 6.1 as well.

  2. Go to http://aem-host:port/crx/packmgr/index.jsp, and log in as administrator.

  3. Install the hot fix zip to the AEM package manager.

    Note:

    This hot fix avoids an issue where the URL anchor (fragment) is lost when the Apache Felix SSL Filter rewrites a redirect. For example, without this fix https://host/cf#/content/geometrixx/en.html would be redirected to https://host/cf.

II. Update Dispatcher /clientheaders configuration

Refer to the documentation of your load balancer to find out which header it sets to notify downstream systems that it terminated SSL. For simplicity, these steps assume that the correct HTTP header is "X-Forwarded-Proto: https".

  1. Log in to the dispatcher server.

  2. Open the dispatcher farm .any configuration.

  3. Add the header to the /clientheaders section.

If you are using dispatcher without a load balancer or if your load balancer or proxy fails to set the X-Forwarded-Proto header, then you can set it at the web server or dispatcher level. If you are using Apache HTTP Server, then update your HTTPS VirtualHost with this directive:

RequestHeader set X-Forwarded-Proto "https"
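As an added example (not from the original article), the two configuration pieces of step II shown together: the /clientheaders entry in the dispatcher farm and the directive in the Apache HTTPS VirtualHost. The farm name, hostnames and certificate paths are placeholders.

```apacheconf
# --- dispatcher.any (farm excerpt; farm name, hostname and port are placeholders) ---
/farms {
  /website {
    /clientheaders {
      # Forward the SSL-termination header to AEM so the SslFilter
      # can rewrite redirects to https.
      "X-Forwarded-Proto"
      # keep the other headers your farm already forwards here
    }
    /virtualhosts { "*" }
    /renders { /rend01 { /hostname "aem-host" /port "4502" } }
  }
}

# --- Apache HTTP Server HTTPS VirtualHost (when Apache itself terminates SSL) ---
<VirtualHost *:443>
  ServerName www.example.com
  SSLEngine on
  SSLCertificateFile    /path/to/placeholder.crt
  SSLCertificateKeyFile /path/to/placeholder.key
  # "set" replaces any X-Forwarded-Proto value the client sent, so only the
  # value written here reaches the dispatcher and AEM.
  RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```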

III. Update the Header Configurations:

  1. Go to http://host:port/system/console/configMgr/org.apache.felix.http.sslfilter.SslFilter, and log in as administrator.

  2. Set SSL forward header to X-Forwarded-Proto.

  3. Set SSL forward value to https.

  4. Click Save.

Note:

There is no standard for reverse proxy headers that tell the back end which protocol is used. However, here are some that are known:

  • Amazon ELB (Elastic Load Balancer) uses the "X-Forwarded-Proto: https" header.
  • Amazon Cloudfront CDN uses the "X-Cloudfront-Proto: https" header.

IV. Update the Jetty OSGi Configuration (AEM 6.3 and later versions)

On AEM 6.3 and later versions, an additional configuration is required:

  1. Log in to http://aem-host:port/system/console/configMgr/org.apache.felix.http.

  2. Enable the setting Enable Proxy/Load Balancer Connection, and save it.

  3. Search for Sling Authentication Service and open the configuration.

  4. Deselect Allow Anonymous Access.

  5. Click Save.

For further details on this issue, refer to the solution article.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
