When accessing AEM through an SSL terminated Load Balancer (or SSL terminated CDN), then AEM redirects back from https to http.
SSL termination at the load balancer means that the SSL certificates are installed in the load balancer. The end user accesses the site through https://, and the Dispatcher/Web Server and AEM are accessed on the back end with http://.
Different load balancers send different headers to notify the back end systems that SSL is terminated upstream. For example, Amazon ELB uses the header "X-Forwarded-Proto: https".
This hot fix helps to avoid an issue where the url anchor is lost during the redirect updated by the Apache Felix SSL Filter. For example, https://host/cf#/content/geometrixx/en.html would be redirected to https://host/cf without this fix.
II. Update Dispatcher /clientheaders configuration
Refer to the documentation of your load balancer to find out which header it sets to notify downstream systems that it terminated SSL. For simplicity, in these steps we assume that the correct HTTP header is "X-Forwarded-Proto: https"
If you are using dispatcher without a load balancer or if your load balancer or proxy fails to set the X-Forwarded-Proto header, then you can set it at the web server or dispatcher level. If you are using Apache HTTP Server, then update your HTTPS VirtualHost with this directive:
RequestHeader set X-Forwarded-Proto "https"
There is no standard for reverse proxy headers that tell the back end which protocol is used. However, here are some that are known:
- Amazon ELB (Elastic Load Balancer) uses the "X-Forwarded-Proto: https" header.
- Amazon Cloudfront CDN uses "X-Cloudfront-Proto: https" header.
IV. Update the Jetty OSGi Configuration (AEM 6.3 and later versions)
On AEM 6.3 and later versions there is an addition configuration required:
For further details on this issue, refer to the solution article.