Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: pass (athena.apache.org: domain of Frederik.Nosi@postecom.it
 designates 62.241.5.180 as permitted sender)
Message-ID: <542C313A.7030503@postecom.it>
Date: Wed, 1 Oct 2014 18:52:10 +0200
From: Frederik Nosi <frederik.nosi@postecom.it>
Organization: Postecom s.r.l.
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [OT] Forward TLS connection information from AWS ELB -> httpd
 -> Tomcat
References: <542C0F2A.6000402@christopherschultz.net>
 <542C1AA7.3050206@postecom.it> <542C265E.6050704@christopherschultz.net>
In-Reply-To: <542C265E.6050704@christopherschultz.net>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit

Hi Christopher,

On 10/01/2014 06:05 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Frederik,
>
> On 10/1/14 11:15 AM, Frederik Nosi wrote:
>> Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote:
>> All,
>>
>> I'm interested in using AWS ELB for SSL termination but allowing
>> the client's TLS connection information to be forwarded all the
>> way through the chain to Tomcat.
>>
>> The setup looks like this:
>>
>> ELB /\ /  \ /    \ w0    w1 /  \   / \ t0  t1 t0  t1
>>
>> (t0 and t1 are repeated because otherwise the diagram would be
>> even more difficult to read).
>>
>> w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat.
>> The client's connection is TLS terminated at ELB and whether the
>> connections between ELB/wx/tx are encrypted should be immaterial.
>> I'm using mod_jk from httpd -> Tomcat.
>>
>> ELB provides the following HTTP headers to wx: X-Forwarded-For
>> (client's IP) X-Forwarded-Port     443 X-Forwarded-Proto     https
>>
>> Unfortunately, it looks like I can't get things like the cipher
>> default, etc. but I'm okay with that for the time being.
>>
>> I'm wondering two things:
>>
>> 1. How can I get Apache httpd to trust that the connection is
>> encrypted? I want to be able to use "RequireSSL" for certain
>> resources and have httpd trust that the connection coming from the
>> ELB is in fact secure.
>>
>>> Maybe i'm missing something, but you can check that
>>> X-Forwarded-Proto header contains https? Seems a bit risky, maybe
>>> additionally adding another check that the incomming request
>>> comes from ELB's IP(s)?
> Yes, I can check this. I can also ensure that the port is only
> accessible from the ELB. I'm less worried about this and more worried
> about getting everything else working first. Protecting the connection
> itself will not be a problem.
>

Maybe i didn't got your question right, what you're interested first, is 
letting know to tomcat that the client is using a secure connection? If 
so you can just pass a custom header from apache to tomcat, but this 
seems too easy :-)

>> 2. How can I use that connection information to tell mod_jk that
>> things are to be trusted as well?
>>
>>> Just pass a custom header. BTW Are you encrypting the w <---> t
>>> connections as well? BTW I recall a setup i've made times ago,
>>> where the SSL termination was on the apache webservers, ex:
>>> LB (tcp) <---- https ---> apache httpd (SSL Termination doing
>>> client certificate verification) / mod_jk <--- AJP ---> Tomcat
>>> I was able to send client's certificate information as headers
>>> to tomcat. But not sure this is your situation.
> I don't need to use client certificates, but being able to support
> them would be nice.
>
> AWS ELB seems to support TCP pass-through but you can't do it for port
> 443. If you want to use port 443, you can either choose "HTTPS/SSL" or
> "TCP/SSL". If you choose "HTTPS/SSL" then you have to use either HTTP
> or HTTPS as the back-end protocol. For some reason, choosing HTTPS
> causes endless stalling when trying to make a connection.

I would get a tcpdump from the apache frontend, maybe you can get more 
info this way.

>
> Using TCP/SSL -> TCP/SSL (what I would call TCP pass-through) ought to
> allow me to do SSL termination at the web server level, accept client
> certificates, and have mod_ssk work without any modification at all. I
> think in order to do this, I have to configure Apache httpd to accept
> connections using the "proxy protocol", and I'm not sure how to do that.

Hmm, didn't knowed about this protocol before. From some quick googling 
and reading, seems interesting, as at your endpoint the connection comes 
from ELBs'IP not from the client's IP, this protocol adds the missing 
info, real client ip.

http://blog.haproxy.com/haproxy/proxy-protocol/

So using this seems you need to add another piece to you'r infrastructure.

>
>> For #2, I might just be able to use SetEnv to set
>> REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say "yes, this
>> is encrypted". Should I set up a separate VirtualHost on a
>> different (non-80) port that is configured only for ELB connections
>> and then force SSL to "on" regardless of the actual incoming
>> connections?
>>> Maybe this can help:
>>> RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC]
>>> RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0]
>>> This way you send to tomcat as REMOTE_ADDR  the contents of the
>>> X-Forwarded-For header
> Why use mod_rewrite (slow) when you can use mod_setenvif (fast)?
>
> SetEnvIf X-Forwarded-For "(.*)" JK_REMOTE_ADDR=$1

Indeed is better your way

>
> What I'm mainly looking for is a way to say "the incoming connection
> (from ELB) is HTTP and I want to pretend that the connection is HTTPS".

Then the easier solution seems using ELB for SSL termination and using 
the X-Forwarded-Proto header, passing from apache to tomcat

[...]


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org