tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 7.0.56 - How to configure Tomcat/JRE 7u72 for client HTTPS Mutual Authentication connections
Date Fri, 09 Jan 2015 14:37:20 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

André,

On 1/8/15 5:07 PM, André Warnier wrote:
> dmccrthy wrote:
>> Chris, André,
>> 
>> Many thanks. I hadn't considered either the MITM or Apache HTTPD
>> angles. The proxy idea occurred to me (sorry, I had a typo in my
>> original mail and that may not have been clear) but I agree it's
>> messy.
>> 
>> Many thanks again, I just couldn't find anything that said yes it
>> can be done, or no it can't. A 3rd party feature request is a
>> last resort so I had to find out if there was some
>> under-the-bonnet way. I really appreciate your insights into
>> this.
>> 
> 
> No problem.
> 
> For the sake of completeness, the only thing which made me
> cautious about using an already-made proxy server such as Apache
> httpd is the question of the DNS lookups (or rather the "resolver"
> in the machine itself), if you play with the fake entry in the
> hosts file. Consider the following scenario:
> 
> - The webapp in question wants to connect to "server.company.com:8000".
> - To divert this to your own local proxy, you define "server.company.com"
>   in the local hosts file as 127.0.0.1 (the localhost), and you set up a
>   local httpd to listen on 127.0.0.1:8000, to do the proxying.
> - Thus when the webapp builds its TCP connection to
>   "server.company.com:8000", presumably by looking up "server.company.com"
>   first, it gets back (from the local OS's resolver) the IP address
>   127.0.0.1, and builds a TCP connection to 127.0.0.1. Then over that
>   connection, it sends an HTTP 1.1 request including a
>   "Host: server.company.com" header. So far so good.
> - Your httpd proxy catches this connection and the request.
> - Now the proxy itself has to build a connection to the "real"
>   server.company.com. So it does a lookup (using the local OS's TCP
>   stack) for the IP address of "server.company.com", to build its own
>   connection to it. And.. it gets back 127.0.0.1 as an IP address
>   (because of course that lookup also looks in the local hosts file
>   first).
> 
> That would be kind of a self-inflicted DoS attack, and it would be
> interesting to see how quickly the proxy would blow up.

An easy solution would be to put the proxy on a different machine. I
hadn't thought of hosts+localhost = boom. Good catch.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUr+egAAoJEBzwKT+lPKRYawQQAKb14/7+pwOePtzOxSqVOAUN
J33Vejmc0D1g1fWsondGenw+T5h7lEBfCNyWh6mL02JL2N5bPptHL3wScsdtiA+4
u+hrbhSrv/iO1LHGXNZxjVot0GeCCPLnKN8DLMqAquJqADOU+bcCjnqGrO3eTK/M
Aw0rs83I7T+KIfEsIDYTagChdzNNqKbsqh28HJNQ4dNaSswnq15ecCgakUAVKbCI
4mGXXT/pC3v/lOKsI8m/vvo15cUv0Si/ptF1jr/4smQ+nbnNkg/ICmE/sdkPtVZj
kU/T2V3jKXesv72U4g1m2nBHtLpYxUaHmupkaaY9ix3kgSfFq0vtHLw09qsKBlxG
8N/aW1QH/5korYRtze6vjNFZz+mKyiqrpbytvwbBH3rQbJz4ci71cqOm9cDByvEz
pszb5wIzFwgB3IhJ2u7ZROH+30UYp4nfghEBWDPJ9Uxq5fmUwfmLR8PHX4AaQ9wO
KA2XTcUVkE1WTNFQ4QbWYGXnr6Moaeuhxq3MhMkJ7awch57DPS0su4ViFtxNq7+Q
LBG+S4sG5pWQRfBEg331XK7nnslHkUmn7YS7FojaCZMaY/b/ABwBGjlHCDTmfqAp
6WO/jjb2CHsBgOHDVrYeJkrtl2FflSo15IDMsNX8YX0MYQJQz9FB0sGAzXd6rZM/
z1dFLaN59dNMYYnill1G
=rbNy
-----END PGP SIGNATURE-----
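The resolver loop André describes, and the two ways out of it (Chris's "put the proxy on a different machine", or pointing the proxy at the upstream by IP literal so no lookup happens), as an added example that is not part of the thread and not code from either poster. It simulates a host configured with `hosts: files dns` (hosts file consulted before DNS, first matching line wins) so it runs offline; the hosts-file contents, the proxy settings and the "real" upstream address 203.0.113.10 (a TEST-NET-3 documentation address) are constructed for illustration.

```python
"""Simulate the hosts-file diversion from the thread and check whether the
local proxy would connect back to its own listener.

Added example, not from the original thread. Host names, hosts-file text and
the upstream address 203.0.113.10 are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed hosts file on the webapp machine: the override that sends
# server.company.com to the local proxy. The resolver takes the first match.
HOSTS_WITH_OVERRIDE = """
127.0.0.1   localhost
::1         localhost ip6-localhost
# divert the webapp's outbound connection to the local proxy on :8000
127.0.0.1   server.company.com
"""

# Constructed hosts file on a second machine that carries no override.
HOSTS_PLAIN = """
127.0.0.1   localhost
"""

# Constructed answer an external DNS resolver would give for the name.
DNS_ANSWERS = {"server.company.com": "203.0.113.10"}


def parse_hosts(text):
    """Return an ordered list of (ip, [names]) from hosts-file text,
    skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, [n.lower() for n in names]))
    return entries


def resolve(name, hosts_text, dns=DNS_ANSWERS):
    """Resolve as 'hosts: files dns' does: an IP literal needs no lookup,
    the hosts file is consulted first, DNS only if no line matches."""
    try:
        return str(ipaddress.ip_address(name))  # e.g. ProxyPass to an IP
    except ValueError:
        pass
    name = name.lower()
    for ip, names in parse_hosts(hosts_text):
        if name in names:
            return ip
    return dns[name]


@dataclass
class Proxy:
    listen_ip: str
    listen_port: int
    upstream_host: str  # what the proxy forwards to: a name or an IP literal
    upstream_port: int
    hosts_text: str     # hosts file of the machine the proxy runs on


def webapp_target(hosts_text=HOSTS_WITH_OVERRIDE):
    """Where the webapp's TCP connection actually goes after the override."""
    return resolve("server.company.com", hosts_text)


def proxy_loops_to_itself(proxy):
    """True if the proxy's own upstream connection lands on its listener:
    the self-inflicted DoS from the thread."""
    target = ipaddress.ip_address(resolve(proxy.upstream_host, proxy.hosts_text))
    hits_local = target.is_loopback or str(target) == proxy.listen_ip
    return hits_local and proxy.upstream_port == proxy.listen_port


# Broken setup: proxy on the webapp machine, upstream given by name.
SAME_MACHINE_BY_NAME = Proxy("127.0.0.1", 8000, "server.company.com", 8000,
                             HOSTS_WITH_OVERRIDE)
# Fix 1 (Chris): proxy on a machine whose hosts file has no override.
OTHER_MACHINE = Proxy("192.0.2.20", 8000, "server.company.com", 8000,
                      HOSTS_PLAIN)
# Fix 2: same machine, but upstream given as an IP literal, so no lookup.
SAME_MACHINE_BY_IP = Proxy("127.0.0.1", 8000, "203.0.113.10", 8000,
                           HOSTS_WITH_OVERRIDE)


if __name__ == "__main__":
    print("webapp connects to", webapp_target())
    for label, p in [("same machine, by name", SAME_MACHINE_BY_NAME),
                     ("other machine", OTHER_MACHINE),
                     ("same machine, by IP", SAME_MACHINE_BY_IP)]:
        print(f"{label}: loops={proxy_loops_to_itself(p)}")
```

On a real box the same two views can be compared directly: `getent hosts server.company.com` goes through the OS resolver and honours /etc/hosts, while `dig +short server.company.com` queries DNS and ignores /etc/hosts, so a mismatch shows the override is in force. With Apache httpd the second fix is `ProxyPass / http://203.0.113.10:8000/` together with `ProxyPreserveHost On`, so the original `Host: server.company.com` header is still passed upstream (the address is the constructed one from the example).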

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

