On 01.10.2014 19:18, Christopher Schultz wrote:
...
What I'm mainly looking for is a way to say "the incoming
connection (from ELB) is HTTP and I want to pretend that the
connection is HTTPS".

Then the easier solution seems using ELB for SSL termination and
using the X-Forwarded-Proto header, passing from apache to tomcat

Yes. Just looking for a way to say "oh, the connection is also encrypted".

If I remember correctly, this needs only one line in Apache httpd to forward it to Tomcat:

SetEnvIf X-Forwarded-Proto https HTTPS=on

mod_jk should use this information and mark it as a secure connection for you. Then you can require a secure connection in your webapp web.xml or check it in httpd with the same environment variable:

Order Deny,Allow
Deny from all
Allow from env=HTTPS

If the httpd is only a helper process to pass this information to Tomcat you can also use the Proxy-Valves: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support

Something like this should serve your purpose:
<Valve
 className="org.apache.catalina.valves.RemoteIpValve"
 protocolHeader="x-forwarded-proto"
 portHeader="x-forwarded-port"
/>

Together with transport-guarantee CONFIDENTIAL in your web.xml this would eliminate the need to configure anything on Apache httpd at all.

- Stefan
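
The setup described in this message, written out as an added example (not part of the original email and not Tomcat's shipped configuration): the valve and connector in server.xml plus the CONFIDENTIAL constraint in web.xml. The connector port, the internalProxies pattern and the resource name are assumed placeholder values.

```xml
<!-- conf/server.xml (fragment) -->

<!-- Plain-HTTP connector that the load balancer talks to.
     Port 8080 is an assumption. redirectPort is where Tomcat sends a
     client whose request fails the CONFIDENTIAL constraint, so it should
     be the public HTTPS port of the load balancer. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />

<!-- Inside <Engine>, <Host> or <Context>.
     internalProxies is a regular expression for the addresses allowed to
     assert the forwarded headers. The pattern below is a constructed
     placeholder for the load balancer's subnet. -->
<Valve
 className="org.apache.catalina.valves.RemoteIpValve"
 internalProxies="10\.0\.\d{1,3}\.\d{1,3}"
 remoteIpHeader="x-forwarded-for"
 protocolHeader="x-forwarded-proto"
 protocolHeaderHttpsValue="https"
 portHeader="x-forwarded-port"
/>

<!-- WEB-INF/web.xml (fragment) -->

<!-- Require a secure transport for every URL of the webapp. With the valve
     above, a request forwarded with X-Forwarded-Proto: https satisfies this
     constraint even though the hop to Tomcat is plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

In Tomcat 7 the valve acts on the forwarded headers only when the connecting peer's address matches internalProxies, so the pattern should cover the load balancer's addresses and nothing that clients can connect from directly.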
