Hello, I have some questions about HTTP request smuggling in the context of Tomcat with Apache httpd as its reverse proxy.
First of all, a few words about my current setup. At the moment I have a few applications that are deployed this way: I use Tomcat 10.1 as my backend server. It only activates its AJP connector (no HTTP(S)). In front, there is an Apache httpd 2.4 with mod_jk as a reverse proxy for my Tomcat. Apache httpd does SSL termination and HSTS redirecting and rejects some trash traffic before it can reach Tomcat. mod_jk is used with the more or less default configuration, which includes reuse of backend AJP connections.

Question 1: Assuming I use the up-to-date package versions in Debian 11, is this setup prone to HTTP request smuggling? If that might be the case, what steps should be taken against it? Do users have to enable "JkOptions +DisableReuse" to prevent HTTP request smuggling? Or is the AJP protocol somewhat "immune" to the confusion about the request headers Content-Length, Transfer-Encoding, etc.? I haven't found much about the topic "mod_jk + request smuggling".

Question 2: In a new application I will have to use websockets. It seems websockets do not work over AJP / mod_jk. So I will have to enable Tomcat's HTTP connector and use mod_proxy_wstunnel in the Apache httpd reverse proxy. Therefore, the setup probably won't use AJP / mod_jk at all, but mod_proxy_http, connecting to Tomcat's HTTP connector. What steps does one have to take against HTTP request smuggling in this case? Do we have to use "disablereuse=on keepalive=off" on the Apache httpd side? What are your experiences / best practices?

Question 3: Do the Apache httpd and Apache Tomcat projects coordinate their header processing algorithms, header normalization efforts, etc. to combat HTTP request smuggling? So is the combination of "Apache httpd + (mod_jk | mod_proxy_*) + Apache Tomcat" considered "HTTP request smuggling"-safe in general?

Thanks a lot for any advice!
Reg
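As an added illustration (not part of the original message, and not an answer to it), this is how the two settings named in Questions 1 and 2 are written in an Apache httpd 2.4 configuration, with the mod_jk path and the mod_proxy_http / mod_proxy_wstunnel path side by side. Host names, ports, context paths, certificate paths and the worker name are assumptions.

```apache
# Added example, not from the original post. Assumed: Tomcat on 127.0.0.1,
# AJP connector on 8009, HTTP connector on 8080, contexts /legacy (mod_jk)
# and /app (mod_proxy), worker "tomcat_ajp" defined in workers.properties.

# --- Setup from Question 1: mod_jk in front of Tomcat's AJP connector ---
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
# The option the post asks about: stop reusing backend AJP connections,
# so each client request gets a fresh connection to Tomcat.
JkOptions +DisableReuse

# --- Setup from Question 2: mod_proxy_http(+wstunnel) to the HTTP connector ---
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule rewrite_module        modules/mod_rewrite.so

<VirtualHost *:443>
    ServerName          app.example.test        # placeholder
    SSLEngine           on                      # httpd does TLS termination
    SSLCertificateFile      /etc/ssl/placeholder/cert.pem   # placeholder
    SSLCertificateKeyFile   /etc/ssl/placeholder/key.pem    # placeholder

    JkMount /legacy/* tomcat_ajp

    ProxyRequests     Off     # reverse proxy only, never a forward proxy
    ProxyPreserveHost On

    # WebSocket handshakes (Upgrade: websocket) are handed to mod_proxy_wstunnel
    # via the ws:// scheme; all other requests fall through to ProxyPass below.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade}    =websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade    [NC]
    RewriteRule ^/app/(.*)$ ws://127.0.0.1:8080/app/$1 [P,L]

    # The two parameters named in the post. Caveat: in mod_proxy, disablereuse=on
    # is what prevents backend connection reuse; keepalive= toggles the TCP
    # SO_KEEPALIVE socket option on the backend connection, not HTTP keep-alive.
    ProxyPass        /app/ http://127.0.0.1:8080/app/ disablereuse=on keepalive=off
    ProxyPassReverse /app/ http://127.0.0.1:8080/app/
</VirtualHost>
```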