tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Forward TLS connection information from AWS ELB -> httpd -> Tomcat
Date Wed, 01 Oct 2014 18:40:02 GMT

Stefan,

On 10/1/14 2:18 PM, Stefan Mayr wrote:
> On 01.10.2014 19:18, Christopher Schultz wrote:
> ...
>>>> What I'm mainly looking for is a way to say "the incoming 
>>>> connection (from ELB) is HTTP and I want to pretend that the 
>>>> connection is HTTPS".
>>> 
>>> Then the easier solution seems to be using ELB for SSL termination
>>> and using the X-Forwarded-Proto header, passing it from Apache to
>>> Tomcat.
>> 
>> Yes. Just looking for a way to say "oh, the connection is also 
>> encrypted".
> 
> If I remember correctly, this needs only one line in Apache httpd
> to forward it to Tomcat:
> 
> SetEnvIf X-Forwarded-Proto https HTTPS=on

This is where I have gotten so far, actually.

I've been trying to get mod_remoteip to handle the client's IP address
for me -- especially for logging -- but I'm having some difficulty and
have asked a question over on the httpd users' list about that.

> mod_jk should use this information and mark it as a secure
> connection for you. Then you can require a secure connection in
> your webapp web.xml or check it in httpd with the same environment
> variable:
> 
> Order Deny,Allow
> Deny from all
> Allow from env=HTTPS

I didn't know that you could do "Allow from env=HTTPS". I'll
definitely do that. I was also doing "Allow from 10.0.0.0/8" so that
only my ELB could access the VirtualHost I'm configuring.

> If the httpd is only a helper process to pass this information to
> Tomcat you can also use the proxy valves:
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support
> 
> Something like this should serve your purpose:
> 
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
>        protocolHeader="x-forwarded-proto"
>        portHeader="x-forwarded-port" />

I'd prefer to handle this at the httpd level if for no other reason
than logging.

> Together with transport-guarantee CONFIDENTIAL in your web.xml
> this would eliminate the need to configure anything on Apache httpd
> at all.

Thanks,
- -chris
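The header-trust decision the thread relies on, as an added example that is not part of this thread nor Tomcat's or httpd's own code: a simplified Python model of what mod_remoteip and RemoteIpValve do before they believe X-Forwarded-For and X-Forwarded-Proto. It assumes, as Chris does, that the ELB reaches httpd from 10.0.0.0/8; the sample addresses and requests are constructed.

```python
# Added example (not from this thread, nor Tomcat's or httpd's own code):
# a simplified model of the trust logic mod_remoteip and RemoteIpValve apply
# before they believe X-Forwarded-For / X-Forwarded-Proto.
import ipaddress

# Assumption from the thread: the ELB reaches httpd from 10.0.0.0/8, so that
# range is the only place forwarded headers may legitimately come from.
INTERNAL_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_internal(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def resolve_request(remote_addr, headers, internal_proxies=INTERNAL_PROXIES):
    """Return (client_ip, secure, proxies_seen) for one request.

    Forwarded headers are honoured only when the TCP peer is an internal
    proxy.  A peer outside that range is the client itself: whatever it
    put in X-Forwarded-* is ignored, so it cannot claim to be HTTPS and
    satisfy a CONFIDENTIAL transport-guarantee or "Allow from env=HTTPS".
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not _is_internal(remote_addr, internal_proxies):
        return remote_addr, False, []
    # Walk X-Forwarded-For right to left: every internal hop is a proxy,
    # the first non-internal address is the real client (RemoteIpValve order).
    chain = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    proxies, client = [remote_addr], remote_addr
    while chain:
        hop = chain.pop()
        if _is_internal(hop, internal_proxies):
            proxies.append(hop)
        else:
            client = hop
            break
    # Equivalent of "SetEnvIf X-Forwarded-Proto https HTTPS=on".
    secure = h.get("x-forwarded-proto", "").lower() == "https"
    return client, secure, proxies


if __name__ == "__main__":
    # Constructed sample requests: one via the ELB, one direct with forged headers.
    via_elb = resolve_request("10.0.1.5", {"X-Forwarded-For": "203.0.113.7",
                                           "X-Forwarded-Proto": "https"})
    direct = resolve_request("203.0.113.7", {"X-Forwarded-For": "192.0.2.1",
                                             "X-Forwarded-Proto": "https"})
    print("via ELB:", via_elb)  # ('203.0.113.7', True, ['10.0.1.5'])
    print("direct:", direct)    # ('203.0.113.7', False, [])
```

The same rule is what makes Chris's "Allow from 10.0.0.0/8" on the VirtualHost matter: without it, the SetEnvIf line would mark any request carrying the header as HTTPS.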
