tomcat-users mailing list archives

From Stefan Mayr <ste...@mayr-stefan.de>
Subject Re: [OT] Forward TLS connection information from AWS ELB -> httpd -> Tomcat
Date Wed, 01 Oct 2014 18:18:01 GMT
On 01.10.2014 19:18, Christopher Schultz wrote:
...
>>> What I'm mainly looking for is a way to say "the incoming
>>> connection (from ELB) is HTTP and I want to pretend that the
>>> connection is HTTPS".
>>
>> Then the easier solution seems using ELB for SSL termination and
>> using the X-Forwarded-Proto header, passing from apache to tomcat
>
> Yes. Just looking for a way to say "oh, the connection is also encrypted".

If I remember correctly, this needs only one line in Apache httpd to 
forward it to Tomcat:

SetEnvIf X-Forwarded-Proto https HTTPS=on

mod_jk should use this information and mark it as a secure connection 
for you. Then you can require a secure connection in your webapp web.xml 
or check it in httpd with the same environment variable:

Order Deny,Allow
Deny from all
Allow from env=HTTPS

If the httpd is only a helper process to pass this information to Tomcat 
you can also use the Proxy-Valves: 
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support

Something like this should serve your purpose:
<Valve
  className="org.apache.catalina.valves.RemoteIpValve"
  protocolHeader="x-forwarded-proto"
  portHeader="x-forwarded-port"
/>

Together with transport-guarantee CONFIDENTIAL in your web.xml this 
would eliminate the need to configure anything on Apache httpd at all.

- Stefan
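
Added example (not part of the original message, and not Tomcat's own sample configuration): the valve-only setup described above with the web.xml constraint written out. The valve acts on the forwarded headers only when the connecting address is one it is configured to trust, so internalProxies is set explicitly; the 10.0.1.0/24 subnet for the ELB nodes is an assumed, constructed value.

```xml
<!-- server.xml, inside <Engine> or <Host>.
     internalProxies is a regex over the address of the directly connecting
     peer. The value below is constructed: it assumes the ELB nodes sit in
     10.0.1.0/24. Requests from any other peer keep scheme=http and
     secure=false regardless of the headers they carry. -->
<Valve
  className="org.apache.catalina.valves.RemoteIpValve"
  internalProxies="10\.0\.1\.\d{1,3}"
  remoteIpHeader="x-forwarded-for"
  protocolHeader="x-forwarded-proto"
  protocolHeaderHttpsValue="https"
  portHeader="x-forwarded-port"
/>

<!-- WEB-INF/web.xml of the webapp.
     Requires request.isSecure() == true for every URL. A request relayed by
     the ELB with "X-Forwarded-Proto: https" passes; one that arrived at the
     ELB as plain HTTP does not and is sent to the Connector's redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Since X-Forwarded-Proto is an ordinary request header, this is only as trustworthy as the network path: the Tomcat port should accept connections from the load balancer alone (security group or firewall rule), so that no client can supply the header directly.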
