On 18/06/2010 00:36, Matthew Peterson wrote:
> Out of interest, what are some of the security risks around non-trusted
> proxies injecting the x-forwarded-* headers?
Mainly an issue if you use the RemoteAddressValve or a similar mechanism
to secure your webapp based on client IP address. If an un
-Original Message-
From: Cyrille Le Clerc [mailto:clecl...@xebia.fr]
Sent: Friday, 18 June 2010 8:30 AM
To: Tomcat Users List; Matthew Peterson
Subject: Re: HTTP connector to be aware of proxied SSL requests
Hello Matt,
I think the RemoteIpValve does what you need: it looks at http
headers filled
, what are some of the security risks around non-trusted proxies
injecting the x-forwarded-* headers?
Thanks for your help,
Matt.
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, 17 June 2010 10:28 PM
To: Tomcat Users List
Subject: Re: HTTP connector to b
Hello Matt,
I think the RemoteIpValve does what you need: it looks at http
headers filled in the request by preceding network components (layer 7
load balancer, ssl accelerator, etc) such as 'x-forwarded-for' to get
the real ip address and 'x-forwarded-proto' to get the http/https
protocol. A con
On 17/06/2010 01:41, Matt Peterson wrote:
> I can't find any documentation on the order of events for the Connector, so
> I'm not sure what other decisions get made based on the request attributes,
> but assume there are others.
This is *open* source...
> Is there another solution to handling pr
Hi All,
We have a hardware load balancer terminating SSL requests before making a
plain-text connection with Tomcat. So that all contexts are aware that the
request is actually a secure request, we have implemented the RemoteIpValve
with a LB injected header. This works well for our apps. Howev