On 24.02.2016 23:30, André Warnier (tomcat) wrote:
On 24.02.2016 22:39, Christopher Schultz wrote:
Mark,
On 2/24/16 8:44 AM, mark.lo...@cyrenllc.com wrote:
Hi, I have written a PKI proxy servlet to support a tool that needs
access to my customer’s secured web site, but the application does
not support client certificate security. The Servlet works great
when called from a browser, where the proxy uses a B2B certificate
for access and forwards the response to the browser as expected.
That seemed like a good prototype, however, when I went to test
against the tool I found that it was not making a GET request, but
rather a CONNECT request. I extended my code to accept the CONNECT,
however the request never seems to get past the front door Tomcat.
None of my code is ever called, so I have to assume that I have a
setting wrong in Tomcat.
Everything I can find online discusses how you shouldn’t have a
Tunneling proxy in your infrastructure, but this is all in a secured
environment, not on the internet, so this is not an issue and has
been approved. Is there something I’m missing?
Technically, CONNECT is not a tunnelling protocol, since it uses a
plaintext HTTP request to negotiate with the server and then just sends
a binary blob through as the payload (e.g. a TLS connection can be sent
from a proxy to an origin server so that it includes all of the
certificate information, etc.). The CONNECT protocol basically only adds
the overhead of another (non-TLS) HTTP header to the conversation.
Anyway, it looks like this is what you are looking for:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
Right?
-chris
Chris,
just a naive question (after reading the bz thread that you mention above, but not really up-to-date with the details of the CONNECT protocol):
Could not the setup of an Apache httpd server as front-end proxy to Tomcat be a solution for the OP?
Presumably, this front-end would interpret the CONNECT request and make a connection to Tomcat, and then pass the rest of the request (which presumably is the GET) to Tomcat.
No?
Added reference:
http://httpd.apache.org/docs/current/mod/mod_proxy_connect.html
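
The exchange described in the thread above (a plaintext CONNECT request, then opaque bytes relayed as-is), sketched as an added example that is not code from any of the posters or from Tomcat or httpd. The host name, the allowlists and the function names `parse_connect` and `handle` are assumptions made for illustration.

```python
# Added example: constructed values, not code from the thread.
ALLOWED_HOSTS = {"secure.example.com"}  # assumption: placeholder upstream host
ALLOWED_PORTS = {443}                   # assumption: only TLS tunnels allowed


def parse_connect(head: bytes) -> tuple[str, int]:
    """Parse the plaintext request line that precedes the tunnel."""
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        raise ValueError("not an HTTP/1.x CONNECT request")
    # CONNECT uses authority-form: host:port, no scheme and no path.
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit() or "/" in host:
        raise ValueError("target must be host:port")
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    return host.lower(), int(port)


def handle(data: bytes) -> tuple[bytes, bytes]:
    """Return (proxy response, bytes to relay untouched to the upstream)."""
    head, _, rest = data.partition(b"\r\n\r\n")
    try:
        host, port = parse_connect(head)
    except ValueError:  # also covers UnicodeDecodeError
        return b"HTTP/1.1 400 Bad Request\r\n\r\n", b""
    if host not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n", b""
    # From here on the proxy only copies bytes; it never parses them.
    return b"HTTP/1.1 200 Connection Established\r\n\r\n", rest


if __name__ == "__main__":
    # Constructed sample: CONNECT head followed by the start of a TLS record.
    sample = (b"CONNECT secure.example.com:443 HTTP/1.1\r\n"
              b"Host: secure.example.com:443\r\n\r\n\x16\x03\x01")
    print(handle(sample))
    print(handle(b"CONNECT secure.example.com:25 HTTP/1.1\r\n\r\n"))
```

Restricting the CONNECT target to known hosts and ports is what keeps such a proxy from relaying to arbitrary services; in httpd's mod_proxy_connect the port side of this is the `AllowCONNECT` directive.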