tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject [OT] Forward TLS connection information from AWS ELB -> httpd -> Tomcat
Date Wed, 01 Oct 2014 14:26:50 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

I'm interested in using AWS ELB for SSL termination but allowing the
client's TLS connection information to be forwarded all the way
through the chain to Tomcat.

The setup looks like this:

      ELB
       /\
      /  \
     /    \
    w0    w1
   /  \   / \
  t0  t1 t0  t1

(t0 and t1 are repeated because otherwise the diagram would be even
more difficult to read).

w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The
client's connection is TLS terminated at ELB and whether the
connections between ELB/wx/tx are encrypted should be immaterial. I'm
using mod_jk from httpd -> Tomcat.

ELB provides the following HTTP headers to wx:
X-Forwarded-For 	        (client's IP)
X-Forwarded-Port 	443
X-Forwarded-Proto 	https

Unfortunately, it looks like I can't get things like the cipher
default, etc. but I'm okay with that for the time being.

I'm wondering two things:

1. How can I get Apache httpd to trust that the connection is encrypted?
   I want to be able to use "RequireSSL" for certain resources and have
   httpd trust that the connection coming from the ELB is in fact
   secure.

2. How can I use that connection information to tell mod_jk that things
   are to be trusted as well?

For #2, I might just be able to use SetEnv to set
REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say "yes, this is
encrypted". Should I set up a separate VirtualHost on a different
(non-80) port that is configured only for ELB connections and then
force SSL to "on" regardless of the actual incoming connections?

That would allow me to use port 80 for "regular" web traffic and not
have to worry about proper checking to make sure that the connection
was in fact coming from the ELB and not directly into the web server.

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJULA8qAAoJEBzwKT+lPKRYMf4P/2yONDv5rQFgHguhMeWv8BJs
jbv8bLOOK5Vf+r5idJgyEgOFEI4jbEKfGdhIvD5BasT4PZF65sn3AsOXQpav9GA4
kgomQHDipou3u5PFGi2d3xQQsDB9MjOTfAmmvQFNEnPxtisYQA+wNHGGxJDwyHIZ
tJkS4jP8mA3vxLaoCLoSiOi2MEGr2nbj5Xcfd75F2IXfci9QEhGEgsUxyFq+K+Vb
p+GVv4px55+zO9sLaIk6SiaNOGI3p86W+IX5spvoxO2Qxah+DVSoq9HRGryWd/Wn
O3ZwSGqCHYKsPI1xHECaN/58pAR7polyU5nEFmzWbxFhc31Q2hpDkZuyZ3SIY2u1
7lLY+Zx41nizjfjeYeIcMtZ4OBj0uHBSj5qzLehF7zItZoRqEhgv2b4yn8vJjIj0
GF4wpVqAqSWaIJ2F1C9ZjTnL9LhTJHZBurpt1JDSe7ALS/s4EoEQ/rbaz9kEUMNq
BBThIapN+VXCwaqsA7hQliCWRoGuP2kNFStsatgeaNaBZd5Cf8cg8iTSUcoDR4UW
Z4CHSi/4H6uD3wmcI6Jca7dfJEY+eNGM3zLsUF1hQPYP9MG6Fohy6h/UGGhlRehh
sXZ6bL0oVfGVxSM9gMCDQzB4ptb9zuqU5UgWjKEB50lbwXgMLUm7XP3/C/bY7Zgt
cXABRHoZSqoq2tPV1Lov
=g2oZ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message