"This is *open* source..."
Thx Capt. Obvious - very helpful ;-)

....

OK, so I now understand why it was chosen to perform the redirection in the 
Connector rather than in a Valve; to remove unnecessary processing keeping the 
redirect response as efficient as possible. I might lodge an enhancement for 
the connector to have the redirect configurable so that it can be disabled via 
an element attribute. The redirecting can then be done as a valve instead.

We are using an F5 LB which does not support AJP. So that option will not work 
for us. The other option of using multiple HTTP Connectors is doable, but adds 
a lot of config management overhead (and points of possible failure/error) 
which is not very popular with those responsible for that management. But that 
is an internal issue which I need to deal with if this prob is deemed to be 
worth the worry.

Out of interest, what are some of the security risks around non-trusted proxies 
injecting the x-forwarded-* headers?

Thanks for your help,
Matt.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Thursday, 17 June 2010 10:28 PM
To: Tomcat Users List
Subject: Re: HTTP connector to be aware of proxied SSL requests

On 17/06/2010 01:41, Matt Peterson wrote:
> I can't find any documentation on the order of events for the Connector, so
> I'm not sure what other decisions get made based on the request attributes,
> but assume there are others.

This is *open* source...


> Is there another solution to handling proxied SSL requests so that Catalina
> as well as our apps are aware that the requests are secure??? One
> possibility is to have two Connectors (1 using the secure, scheme and
> serverPort attributes for secure and 1 for non-secure) and have the LB
> connect to the appropriate Connector depending on the request. But this
> effectively doubles the amount of config needed to be managed (2nd set of
> config for LB + 2nd connector), which is considerable when dealing with 6 TC
> clusters each with their own set of LB config.

The other option would be to proxy using AJP rather than HTTP (if the
load-balancer supports it) since AJP passes SSL info as part of the
protocol.

If you want to use mixed HTTP/HTTPS in the LB and just HTTP on Tomcat
than multiple connectors is usually what I'd recommend.

> Should I lodge an enhancement request for the Connector to become aware of
> proxied SSL requests (perhaps via an injected x-forwarded-proto header, ala
> WebLogic)?

You can, not sure how much traction it would get. Both the logic and
configuration is non-trivial to ensure only trusted proxies set the
header. We try to keep the connector code fairly slick. This feels like
more than we would want to add (bearing in mind this is just instinct -
I haven't looked at any code at ths point).

You might have better luck with an option to defer the redirection with
the / to later in the processing chain. That would be simpler to
implement but would add some extra processing that currently is bypassed
by doing the rediection as early as possible.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to