tomcat-users mailing list archives

From Frederik Nosi <frederik.n...@postecom.it>
Subject Re: [OT] Forward TLS connection information from AWS ELB -> httpd -> Tomcat
Date Wed, 01 Oct 2014 15:15:51 GMT
Hi Christopher,
On 10/01/2014 04:26 PM, Christopher Schultz wrote:
> All,
>
> I'm interested in using AWS ELB for SSL termination but allowing the
> client's TLS connection information to be forwarded all the way
> through the chain to Tomcat.
>
> The setup looks like this:
>
>        ELB
>         /\
>        /  \
>       /    \
>      w0    w1
>     /  \   / \
>    t0  t1 t0  t1
>
> (t0 and t1 are repeated because otherwise the diagram would be even
> more difficult to read).
>
> w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The
> client's connection is TLS terminated at ELB and whether the
> connections between ELB/wx/tx are encrypted should be immaterial. I'm
> using mod_jk from httpd -> Tomcat.
>
> ELB provides the following HTTP headers to wx:
> X-Forwarded-For     (client's IP)
> X-Forwarded-Port    443
> X-Forwarded-Proto   https
>
> Unfortunately, it looks like I can't get things like the cipher
> default, etc. but I'm okay with that for the time being.
>
> I'm wondering two things:
>
> 1. How can I get Apache httpd to trust that the connection is encrypted?
>     I want to be able to use "RequireSSL" for certain resources and have
>     httpd trust that the connection coming from the ELB is in fact
>     secure.

Maybe I'm missing something, but can't you check that the X-Forwarded-Proto
header contains https? Seems a bit risky; maybe additionally add
another check that the incoming request comes from the ELB's IP(s)?

> 2. How can I use that connection information to tell mod_jk that things
>     are to be trusted as well?

Just pass a custom header. BTW, are you encrypting the w <---> t
connections as well? BTW, I recall a setup I made some time ago, where the
SSL termination was on the Apache web servers, e.g.:

LB (tcp) <---- https ---> apache httpd (SSL Termination doing client 
certificate verification) / mod_jk <--- AJP ---> Tomcat

I was able to send the client's certificate information as headers to
Tomcat. But I'm not sure this is your situation.

> For #2, I might just be able to use SetEnv to set
> REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say "yes, this is
> encrypted". Should I set up a separate VirtualHost on a different
> (non-80) port that is configured only for ELB connections and then
> force SSL to "on" regardless of the actual incoming connections?
Maybe this can help:

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC]
RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0]

This way you send the contents of the X-Forwarded-For header to Tomcat
as REMOTE_ADDR.

>
> That would allow me to use port 80 for "regular" web traffic and not
> have to worry about proper checking to make sure that the connection
> was in fact coming from the ELB and not directly into the web server.
>
> Thanks,
> - -chris

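The trust decision discussed in this thread (honour X-Forwarded-For / X-Forwarded-Proto only when the request really came from the ELB, otherwise treat the connection as a plain direct one), as an added example that is not part of either message and not Apache httpd or mod_jk code. It goes one step beyond the single-ELB case by walking a multi-hop X-Forwarded-For chain from the right, skipping hops that are themselves trusted proxies. The proxy address ranges and the sample addresses are constructed placeholders.

```python
import ipaddress

# Constructed for this example: address ranges the ELB tier is assumed to
# connect from. Placeholders only; a real deployment uses its own VPC subnets.
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]


def is_trusted_proxy(ip_text):
    """True when ip_text lies inside one of the trusted load-balancer ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def client_from_xff(peer_ip, xff_value):
    """Pick the original client address out of an X-Forwarded-For value.

    The rightmost entry was appended by the proxy we actually talked to; entries
    further left were supplied by whatever sat upstream of it and may be forged.
    Walk from the right, skip hops that are themselves trusted proxies, and stop
    at the first hop that is not. Fall back to the TCP peer if nothing is usable.
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip            # malformed chain: do not guess, keep the peer
        if is_trusted_proxy(str(addr)):
            continue                  # an internal hop, keep walking left
        return str(addr)
    return peer_ip


def resolve_connection(peer_ip, headers):
    """Return what the back end should be told about the original connection.

    X-Forwarded-* headers are only honoured when the TCP peer is a trusted proxy.
    A client that reaches the web server directly therefore cannot upgrade itself
    to "https" or change its apparent source address by sending those headers.
    """
    result = {"remote_addr": peer_ip, "is_secure": False, "server_port": None}
    if not is_trusted_proxy(peer_ip):
        return result
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if "x-forwarded-for" in hdrs:
        result["remote_addr"] = client_from_xff(peer_ip, hdrs["x-forwarded-for"])
    result["is_secure"] = hdrs.get("x-forwarded-proto", "").strip().lower() == "https"
    port = hdrs.get("x-forwarded-port", "").strip()
    if port.isdigit() and 0 < int(port) < 65536:
        result["server_port"] = int(port)       # the port the client hit on the ELB
    return result


if __name__ == "__main__":
    # Constructed sample: a request relayed by the ELB, and the same headers
    # sent by a client that bypassed the ELB and connected to httpd directly.
    elb_headers = {"X-Forwarded-For": "203.0.113.9",
                   "X-Forwarded-Proto": "https",
                   "X-Forwarded-Port": "443"}
    print(resolve_connection("10.0.1.5", elb_headers))       # trusted peer: headers honoured
    print(resolve_connection("198.51.100.7", elb_headers))   # direct peer: headers ignored
```

The values in the returned dict are exactly what a front end would expose to the back end as environment variables (the reply's RewriteRule does this for REMOTE_ADDR via JK_REMOTE_ADDR); the point of the peer-address gate is that a connection arriving on port 80 from outside the ELB ranges gets no forwarded attributes at all, which is the check Chris wanted to avoid having to write by hand.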

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

