Mark,

On 2/24/16 8:44 AM, mark.lo...@cyrenllc.com wrote:
> Hi, I have written a PKI proxy servlet to support a tool that needs
> access to my customer’s secured web site, but the application does
> not support client certificate security. The Servlet works great
> when called from a browser, where the proxy uses a B2B certificate
> for access and forwards the response to the browser as expected.
> That seemed like a good prototype, however, when I went to test
> against the tool I found that it was not making a GET request, but
> rather a CONNECT request. I extended my code to accept the CONNECT,
> however the request never seems to get past the front door Tomcat.
> None of my code is ever called, so I have to assume that I have a
> setting wrong in Tomcat.
>
> Everything I can find online discusses how you shouldn’t have a
> Tunneling proxy in your infrastructure, but this is all in a secured
> environment, not on the internet, so this is not an issue and has
> been approved. Is there something I’m missing?

Technically, CONNECT is not a tunnelling protocol, since it uses a plaintext HTTP request to negotiate with the server and then just sends a binary blob through as the payload (e.g. a TLS connection can be sent from a proxy to an origin server so that it includes all of the certificate information, etc.). The CONNECT protocol basically only adds the overhead of another (non-TLS) HTTP header to the conversation.

Anyway, it looks like this is what you are looking for:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

Right?

-chris
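
The plaintext negotiation described in the reply above, as an added example that is not part of the original thread and is not Tomcat code: it splits a client's first bytes into the CONNECT header and the opaque payload, and only accepts targets on an allowlist. The names `handle_connect` and `ALLOWED_TARGETS`, the host name and the sample bytes are assumptions constructed for illustration.

```python
# Added example: the plaintext part of an HTTP CONNECT exchange.
# Hypothetical allowlist; a proxy that accepts any target is an open relay.
ALLOWED_TARGETS = {("secure.example.internal", 443)}

BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\n\r\n"

# Constructed sample: a CONNECT header followed by the first tunnelled bytes.
SAMPLE = (
    b"CONNECT secure.example.internal:443 HTTP/1.1\r\n"
    b"Host: secure.example.internal:443\r\n"
    b"\r\n"
    b"\x16\x03\x01\x00\x05hello"  # stand-in for the start of a TLS record
)


def handle_connect(raw, allowed=ALLOWED_TARGETS):
    """Return (response, target_or_None, payload) for a client's first bytes.

    Only the header is interpreted. Everything after the blank line is the
    binary blob that a proxy relays to the target without inspecting it.
    """
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:  # header not complete yet
        return BAD_REQUEST, None, b""
    request_line = head.split(b"\r\n", 1)[0]
    try:
        method, authority, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return BAD_REQUEST, None, b""
    if method != "CONNECT":
        return b"HTTP/1.1 405 Method Not Allowed\r\nAllow: CONNECT\r\n\r\n", None, b""
    if not version.startswith("HTTP/1."):
        return BAD_REQUEST, None, b""
    # CONNECT uses the authority form "host:port", not a path or full URL.
    host, colon, port = authority.rpartition(":")
    if not (host and colon and port.isdigit()):
        return BAD_REQUEST, None, b""
    target = (host.lower(), int(port))
    if target not in allowed:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n", None, b""
    return b"HTTP/1.1 200 Connection Established\r\n\r\n", target, payload


if __name__ == "__main__":
    response, target, payload = handle_connect(SAMPLE)
    print(response, target, payload)
```
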