the version of the software with which you are encountering an issue
TDS Docker container 5.3
Environment
AWS EC2 behind a load balancer (important)
root@1c607a9eb9d0:/usr/local/tomcat# bin/catalina.sh version
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/local/openjdk-11
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
Using CATALINA_OPTS:
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Server version: Apache Tomcat
Server built: Jan 17 2022 22:07:47 UTC
Server number: 8.5.75.0
OS Name: Linux
OS Version: 4.14.268-205.500.amzn2.x86_64
Architecture: amd64
JVM Version: 11.0.13+8
JVM Vendor: Oracle Corporation
Issue
We run a load balancer in AWS that maps to one or more EC2 instances running the TDS docker image. The load balancer expects https connections from the user, but this is where SSL termination occurs, and load balancer to the TDS containers is all over HTTP. When a user navigates to the opendap pages (and probably others, but this is where we are), the 'data url' is not secure; it's using http and I can't find a way to override this with 'https'.
Because the data form url is not https, no commands to 'get binary' or 'get ascii' actually work. The get ASCII button works (presumably because the forwarding from http to https is allowed via the browser) but the get Binary button doesn't work unless we manually set the protocol to https.
Is there a way to 'force' https in the data form url? I think this would also manifest itself in the ncsubset forms, but I can't confirm that right now (we've turned them off). I'm aware that OPeNDAP had this same issue, and now has a configuration element for it:
Hyrax/OPeNDAP Option to fix this
element (optional)
'ForceDataRequestFormLinkToHttps' - The presence of this element will cause the Data Request Form interfaces to "force" the dataset URL to HTTPS. This is useful for situations where the server is sitting behind a connection management tool (like CloudFront) whose outward-facing connections are HTTPS but Hyrax is not using HTTPS. Thus the internal URLs being received by Hyrax are on HTTP. When these URLs are exposed via the Data Request Forms they can cause some clients issues with session dropping because the protocols are not consistent.
No solution yet.
I would like to figure out why thredds is generating http: protocols rather than http:.
Is there a URL I can use that shows the problem so I can fix it?
OPeNDAP Common Problems
Is the above available to the THREDDS service? If so, in which configurations should it be placed?
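An added illustration, not part of the original report and not TDS project configuration: when TLS terminates at a load balancer, Tomcat's own `RemoteIpValve` can restore the request scheme from the `X-Forwarded-Proto` header that the load balancer sets, and the security-relevant setting is which peers are allowed to assert that header. The subnet regex below is a constructed placeholder for the load balancer's addresses, and whether the TDS OPeNDAP form builds its data URL from the request scheme is an assumption this page does not confirm.

```xml
<!-- conf/server.xml, inside <Host> (or <Engine>). Added example; all values are illustrative. -->

<!-- Too permissive (shown commented out): internalProxies=".*" trusts forwarded
     headers from every peer, so anything that can reach the container's HTTP
     port directly can claim the request arrived over HTTPS and choose the
     client address that ends up in the access log. -->
<!--
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies=".*"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto" />
-->

<!-- Tighter: forwarded headers are honoured only when the TCP peer matches
     internalProxies. The regex is a constructed placeholder for the load
     balancer subnets; replace it with the real ranges.
     When x-forwarded-proto equals protocolHeaderHttpsValue, the valve sets
     request.getScheme() to "https", request.isSecure() to true and
     request.getServerPort() to httpsServerPort, so URLs the webapp derives
     from the request use https on port 443. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.\d{1,3}\.\d{1,3}"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443" />
```

The container's HTTP port should also be reachable only from the load balancer (for example through the EC2 security group), so the header check is not the only control.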