Fix clienturirewritefilter host (#277)

namedgraph · claude · web-flow · commit d716cb31f081 · 2026-03-30T00:10:09.000+02:00
* Fix ClientUriRewriteFilter stripping subdomain from rewritten URI

When the request URI was a subdomain (e.g. admin.atomgraph.com) and
PROXY_HOST was set to the base domain (e.g. atomgraph.com), the filter
replaced the entire host with proxyHost, losing the subdomain. The HTTP
client then reused an existing SSL connection (SNI=atomgraph.com) for
the subdomain request, causing nginx to return 421 Misdirected Request
and breaking WebID agent loading in production.

Fix preserves the subdomain prefix when building the rewritten URI.
Adds unit tests covering exact host, subdomain, port, and query string cases.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* Restrict subdomain preservation to same-domain proxy configs

The previous fix unconditionally prepended the subdomain prefix to
proxyHost, which broke dev setups using an internal proxy hostname
(e.g. PROXY_HOST=nginx): admin.localhost was rewritten to admin.nginx
instead of nginx, which doesn't resolve in Docker.

Only preserve the subdomain when proxyHost equals host (the production
case where both are the same domain). In that case the HTTP client would
otherwise reuse an existing connection with SNI=host for the subdomain
request, causing nginx to return 421 Misdirected Request.

Update test to reflect the correct behaviour for the internal-proxy case.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java b/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java
@@ -70,8 +70,18 @@ public void filter(ClientRequestContext cr) throws IOException
         String newScheme = cr.getUri().getScheme();
         if (getProxyScheme() != null) newScheme = getProxyScheme();
 
+        // Preserve subdomain prefix only when proxyHost is the same domain as host, to prevent
+        // the HTTP client reusing a connection with a different TLS SNI (which causes 421).
+        // When proxyHost is a distinct internal hostname (e.g. "nginx"), no collision is possible.
+        String newHost = getProxyHost();
+        if (cr.getUri().getHost().endsWith("." + getHost()) && getProxyHost().equals(getHost()))
+        {
+            String subdomainPrefix = cr.getUri().getHost().substring(0, cr.getUri().getHost().length() - getHost().length()); // e.g. "admin."
+            newHost = subdomainPrefix + getProxyHost();
+        }
+
         // cannot use the URI class because query string with special chars such as '+' gets decoded
-        URI newUri = UriBuilder.fromUri(cr.getUri()).scheme(newScheme).host(getProxyHost()).port(getProxyPort()).build();
+        URI newUri = UriBuilder.fromUri(cr.getUri()).scheme(newScheme).host(newHost).port(getProxyPort()).build();
 
         if (log.isDebugEnabled()) log.debug("Rewriting client request URI from '{}' to '{}'", cr.getUri(), newUri);
         cr.setUri(newUri);
diff --git a/src/test/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilterTest.java b/src/test/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilterTest.java
@@ -0,0 +1,162 @@
+/**
+ *  Copyright 2021 Martynas Jusevičius <martynas@atomgraph.com>
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+package com.atomgraph.linkeddatahub.client.filter;
+
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.ClientRequestContext;
+import jakarta.ws.rs.core.Configuration;
+import jakarta.ws.rs.core.Cookie;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedHashMap;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.net.URI;
+import java.util.Collection;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ * Unit tests for {@link ClientUriRewriteFilter}.
+ *
+ * @author {@literal Martynas Jusevičius <martynas@atomgraph.com>}
+ */
+public class ClientUriRewriteFilterTest
+{
+
+    private static class StubRequestContext implements ClientRequestContext
+    {
+        private URI uri;
+        private final MultivaluedMap<String, Object> headers = new MultivaluedHashMap<>();
+
+        StubRequestContext(URI uri) { this.uri = uri; }
+
+        @Override public URI getUri() { return uri; }
+        @Override public void setUri(URI uri) { this.uri = uri; }
+        @Override public MultivaluedMap<String, Object> getHeaders() { return headers; }
+
+        @Override public Object getProperty(String name) { throw new UnsupportedOperationException(); }
+        @Override public Collection<String> getPropertyNames() { throw new UnsupportedOperationException(); }
+        @Override public void setProperty(String name, Object object) { throw new UnsupportedOperationException(); }
+        @Override public void removeProperty(String name) { throw new UnsupportedOperationException(); }
+        @Override public String getMethod() { throw new UnsupportedOperationException(); }
+        @Override public void setMethod(String method) { throw new UnsupportedOperationException(); }
+        @Override public MultivaluedMap<String, String> getStringHeaders() { throw new UnsupportedOperationException(); }
+        @Override public String getHeaderString(String name) { throw new UnsupportedOperationException(); }
+        @Override public Date getDate() { throw new UnsupportedOperationException(); }
+        @Override public Locale getLanguage() { throw new UnsupportedOperationException(); }
+        @Override public MediaType getMediaType() { throw new UnsupportedOperationException(); }
+        @Override public List<MediaType> getAcceptableMediaTypes() { throw new UnsupportedOperationException(); }
+        @Override public List<Locale> getAcceptableLanguages() { throw new UnsupportedOperationException(); }
+        @Override public Map<String, Cookie> getCookies() { throw new UnsupportedOperationException(); }
+        @Override public boolean hasEntity() { throw new UnsupportedOperationException(); }
+        @Override public Object getEntity() { throw new UnsupportedOperationException(); }
+        @Override public Class<?> getEntityClass() { throw new UnsupportedOperationException(); }
+        @Override public Type getEntityType() { throw new UnsupportedOperationException(); }
+        @Override public void setEntity(Object entity) { throw new UnsupportedOperationException(); }
+        @Override public void setEntity(Object entity, Annotation[] annotations, MediaType mediaType) { throw new UnsupportedOperationException(); }
+        @Override public Annotation[] getEntityAnnotations() { throw new UnsupportedOperationException(); }
+        @Override public OutputStream getEntityStream() { throw new UnsupportedOperationException(); }
+        @Override public void setEntityStream(OutputStream outputStream) { throw new UnsupportedOperationException(); }
+        @Override public Client getClient() { throw new UnsupportedOperationException(); }
+        @Override public Configuration getConfiguration() { throw new UnsupportedOperationException(); }
+        @Override public void abortWith(Response response) { throw new UnsupportedOperationException(); }
+    }
+
+    /** Non-matching host: filter must leave the URI untouched. */
+    @Test
+    public void testNoRewriteForNonMatchingHost() throws IOException
+    {
+        ClientUriRewriteFilter filter = new ClientUriRewriteFilter("example.com", "http", "nginx", 9443);
+        StubRequestContext ctx = new StubRequestContext(URI.create("https://other.org/path"));
+        filter.filter(ctx);
+        assertEquals(URI.create("https://other.org/path"), ctx.getUri());
+        assertTrue(ctx.getHeaders().isEmpty());
+    }
+
+    /** Exact host match: URI host is rewritten to proxyHost, scheme to proxyScheme. */
+    @Test
+    public void testRewriteExactHost() throws IOException
+    {
+        ClientUriRewriteFilter filter = new ClientUriRewriteFilter("example.com", "http", "nginx", 9443);
+        StubRequestContext ctx = new StubRequestContext(URI.create("https://example.com/path?q=1"));
+        filter.filter(ctx);
+        assertEquals(URI.create("http://nginx:9443/path?q=1"), ctx.getUri());
+        assertEquals("example.com", ctx.getHeaders().getFirst("Host"));
+    }
+
+    /** Exact host match with explicit port: Host header must include the original port. */
+    @Test
+    public void testRewriteExactHostWithPort() throws IOException
+    {
+        ClientUriRewriteFilter filter = new ClientUriRewriteFilter("example.com", "http", "nginx", 9443);
+        StubRequestContext ctx = new StubRequestContext(URI.create("https://example.com:4443/path"));
+        filter.filter(ctx);
+        assertEquals(URI.create("http://nginx:9443/path"), ctx.getUri());
+        assertEquals("example.com:4443", ctx.getHeaders().getFirst("Host"));
+    }
+
+    /**
+     * Subdomain match with same-domain proxy host (production setup):
+     * subdomain prefix must be preserved in the rewritten URI so the HTTP client
+     * does not reuse a connection established with a different TLS SNI, which
+     * would cause nginx to return 421 Misdirected Request.
+     */
+    @Test
+    public void testRewriteSubdomainPreservesSubdomainWithSameDomainProxy() throws IOException
+    {
+        ClientUriRewriteFilter filter = new ClientUriRewriteFilter("example.com", "https", "example.com", 5443);
+        StubRequestContext ctx = new StubRequestContext(URI.create("https://admin.example.com/acl/agents/123/"));
+        filter.filter(ctx);
+        assertEquals(URI.create("https://admin.example.com:5443/acl/agents/123/"), ctx.getUri());
+        assertEquals("admin.example.com", ctx.getHeaders().getFirst("Host"));
+    }
+
+    /**
+     * Subdomain match with internal proxy host (Docker Compose setup):
+     * subdomain prefix must NOT be prepended to the proxy hostname — the internal
+     * hostname (e.g. "nginx") has no subdomain equivalent. nginx routes via Host header.
+     */
+    @Test
+    public void testRewriteSubdomainWithInternalProxyUsesProxyHostOnly() throws IOException
+    {
+        ClientUriRewriteFilter filter = new ClientUriRewriteFilter("example.com", "http", "nginx", 9443);
+        StubRequestContext ctx = new StubRequestContext(URI.create("https://admin.example.com/path"));
+        filter.filter(ctx);
+        assertEquals(URI.create("http://nginx:9443/path"), ctx.getUri());
+        assertEquals("admin.example.com", ctx.getHeaders().getFirst("Host"));
+    }
+
+    /** Query string with special characters must survive URI rewrite without decoding. */
+    @Test
+    public void testQueryStringNotDecoded() throws IOException
+    {
+        ClientUriRewriteFilter filter = new ClientUriRewriteFilter("example.com", "http", "nginx", 9443);
+        StubRequestContext ctx = new StubRequestContext(URI.create("https://example.com/sparql?query=ASK+%7B%7D"));
+        filter.filter(ctx);
+        assertEquals("query=ASK+%7B%7D", ctx.getUri().getRawQuery());
+        assertEquals("example.com", ctx.getHeaders().getFirst("Host"));
+    }
+
+}
