tomcat-users mailing list archives

From Jeffrey Janner <Jeffrey.Jan...@PolyDyne.com>
Subject Settings when SSL terminates on the front-end
Date Wed, 17 Jun 2015 18:08:51 GMT
I've been deploying with Tomcat doing it all when it came to connectors and SSL, with the app
forcing everything to SSL in the <security-constraint> section.  Now I'm setting up
a haproxy front-end that will both terminate the SSL and take care of the redirect from HTTP
to HTTPS for me, with Tomcat only running a standard HTTP port on 8080.
So my question is: is it still important for the app to know that it is operating "secure", and
if so, what settings are a must?
Here is the old setup:

SERVER.XML:
<Service name="Catalina">
  <Connector address="${IP_ADDRESS}" port="80" maxHttpHeaderSize="8192"
             maxThreads="50" enableLookups="false" redirectPort="443" acceptCount="100"
             connectionTimeout="20000" disableUploadTimeout="true" compression="on"
             compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext" />
  <Connector address="${IP_ADDRESS}" port="443" maxHttpHeaderSize="8192"
             maxThreads="150" enableLookups="false" acceptCount="100"
             connectionTimeout="20000" disableUploadTimeout="true" compression="on"
             compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
             scheme="https" secure="true" SSLEnabled="true"
             SSLHonorCipherOrder="true"
             SSLCipherSuite="list-of-ciphers"
             SSLCertificateFile="path-to-server.crt"
             SSLCertificateKeyFile="path-to-server.key"
             SSLCertificateChainFile="path-to-server_chain.crt"
             SSLPassword="password" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="false" deployXML="false">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log." suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
  </Engine>
</Service>

CONTEXT.XML: No tomcat-level parameters specified

WEB.XML: (only the important bits, assume servlets and filters won't change)
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Here is the new setup:
SERVER.XML:
<Service name="Catalina">
  <Connector port="${tomcatPort}" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="serverX">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="false" deployXML="false">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log." suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
  </Engine>
</Service>

CONTEXT.XML: no changes
WEB.XML: drop the <security-constraint> section?

Am I missing something from a security standpoint here?
And yes, I'm aware I need to adjust some parameters in the <Connector> that are left
out in the second example. I'm just interested in things like secure-cookie, etc.


Jeffrey Janner
Sr. Network Administrator
jeffrey.janner@polydyne.com
PolyDyne Software Inc.
Main:   512.343.9100
Direct:  512.583.8930


Speed, Intelligence & Savings in Sourcing
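As an added example, not part of the message above: one way for the app behind haproxy to keep seeing requests as "secure" is to have Tomcat's RemoteIpValve map the proxy's forwarded headers onto the request, and to keep the CONFIDENTIAL constraint. It assumes haproxy (placeholder address 10.0.0.5, a constructed value) sets X-Forwarded-For and X-Forwarded-Proto on every request it forwards; those header names and the ports are assumptions, not taken from the original post.

```xml
<!-- server.xml (added example, not the original poster's config).
     Assumes haproxy at 10.0.0.5 (placeholder) sets X-Forwarded-For and
     X-Forwarded-Proto on every request it forwards to Tomcat. -->
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="443" />  <!-- 443 is where haproxy listens for TLS -->
  <Engine name="Catalina" defaultHost="localhost">
    <!-- Trust the forwarded headers only when the peer is the proxy itself
         (internalProxies is a regex over the peer address). With the valve in
         place, request.isSecure(), getScheme() and getRemoteAddr() reflect the
         original client connection instead of the haproxy-to-Tomcat hop. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.5"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="false" deployXML="false">
      <!-- Log the forwarded scheme as well, so a request that reached Tomcat
           without the https marker is visible in the access log. -->
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log." suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b %{X-Forwarded-Proto}i" />
    </Host>
  </Engine>
</Service>

<!-- web.xml (Servlet 3.0+). Keep the CONFIDENTIAL constraint: a proxied HTTPS
     request satisfies it via the valve, while a plain-HTTP request that reaches
     Tomcat directly (or is forwarded with X-Forwarded-Proto: http) is redirected
     to redirectPort rather than served. cookie-config forces JSESSIONID to be
     Secure and HttpOnly regardless of what the valve derived for a request. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

The valve only honours the headers from addresses matching internalProxies or trustedProxies, so a client cannot mark its own request as https by sending X-Forwarded-Proto directly to port 8080; firewalling 8080 so only haproxy can reach it is the complementary control.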

