Return-Path: <users-return-260363-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id BBBA6200C01
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 19 Jan 2017 18:22:20 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id BA5B2160B54; Thu, 19 Jan 2017 17:22:20 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id DB1F8160B3A
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 19 Jan 2017 18:22:19 +0100 (CET)
Received: (qmail 1073 invoked by uid 500); 19 Jan 2017 17:22:18 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 1062 invoked by uid 99); 19 Jan 2017 17:22:18 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Jan 2017 17:22:18 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id D7DB0C036F
	for <users@tomcat.apache.org>; Thu, 19 Jan 2017 17:22:17 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 0.48
X-Spam-Level: 
X-Spam-Status: No, score=0.48 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
	RCVD_IN_SORBS_SPAM=0.5] autolearn=disabled
Authentication-Results: spamd4-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key)
	header.d=code-davidpcaldwell-com.20150623.gappssmtp.com
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024)
	with ESMTP id tWzqTva2KYQ9 for <users@tomcat.apache.org>;
	Thu, 19 Jan 2017 17:22:12 +0000 (UTC)
Received: from mail-oi0-f50.google.com (mail-oi0-f50.google.com [209.85.218.50])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 7DC725FB1E
	for <users@tomcat.apache.org>; Thu, 19 Jan 2017 17:22:11 +0000 (UTC)
Received: by mail-oi0-f50.google.com with SMTP id w204so28677547oiw.0
        for <users@tomcat.apache.org>; Thu, 19 Jan 2017 09:22:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=code-davidpcaldwell-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
        bh=M/I4MXkfidAfVGuWJpD5p89VAk9kBPH/ruKZm0ehvqM=;
        b=e/99TvDJJ21dISllrIHVDdXWZM7WGhtKFoX+vv2Xc+GWQPdwbVS4T398OunwsjtbsH
         WGTN9y6acoI3jSsCnC7kolIIYVaMPhoTjt+kM+YGFjF3+yphkD/KZH4YNhLR912qcvz0
         tFdCpXleKYiuUlDKgXYK0wer4JT6U/EFk/+hAAJ65/6FKDs23zLsxXwieuek//Lcwekn
         XLJ5anX49EcuxTLRwq/FhcGkLfTQTzJrX42EjjOgooT2TNNTagXSxNEw4xBaDex7szWE
         JLYjjsBzgXZKB6GQxpfjBk4KLXBIabs0td0qISjFdiik7VdZQnvo3wfynP6jbTMbrTAK
         ytdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to;
        bh=M/I4MXkfidAfVGuWJpD5p89VAk9kBPH/ruKZm0ehvqM=;
        b=fYYNKov7v2GI9Vj5jAUufNCSpQQssP8qaRHg4896rDyb7jK+kx+mIUgdqUG6lhlNso
         LHHS3tgoBT+NbVqxF/I8u9YsqHIGcReBHrXzj9172amddXrZq0Ewc1Rie6GzkHJx/nj/
         GQlRG2Kn6n2qkWVoOM9j+EvevWmEJ3rBzOPLXaymDaQKTHHlqh/JbfrbQfPxNI1TmKqZ
         KMPQf3FKadm9lC59UhEhvNviRhFT2BmEWplHgENG5uwKO5+C+QDIWaiILpH2dojKzFuM
         QkDd7+9urkPzIowhpVVux6NNV+rlnr61SX5OWnueN2AoQ7cmdok75weSHrZn22+VEPqo
         /ojQ==
X-Gm-Message-State: AIkVDXI2N/uNPzmxkoNFD9X1L4P37SRMpyiuEOwyuEmatJNBGOGgIYzYhHdB0pQ4WJ4y0wGIXFHp00qkenTbmA==
X-Received: by 10.202.185.135 with SMTP id j129mr5012622oif.66.1484846529683;
 Thu, 19 Jan 2017 09:22:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.74.90.7 with HTTP; Thu, 19 Jan 2017 09:21:49 -0800 (PST)
X-Originating-IP: [69.32.167.43]
In-Reply-To: <8cb580e8-6389-8845-c151-1d42d991ae88@christopherschultz.net>
References: <CABBxOKn9Heim1nq438GMPNwg-gjE5QSHoRHeMQg37UJo1pggPw@mail.gmail.com>
 <8cb580e8-6389-8845-c151-1d42d991ae88@christopherschultz.net>
From: "David P. Caldwell" <david@code.davidpcaldwell.com>
Date: Thu, 19 Jan 2017 12:21:49 -0500
Message-ID: <CABBxOKkzo3A+WFccCRjQBd7i9zUQ8CERGgjnhS6igTbWaJWXVA@mail.gmail.com>
Subject: Re: Can Tomcat act as an HTTPS proxy?
To: Tomcat Users List <users@tomcat.apache.org>
Content-Type: text/plain; charset=UTF-8
archived-at: Thu, 19 Jan 2017 17:22:20 -0000

Chris,

Good questions, I'll try to clarify.

1. The backend server serves files via HTTPS. (I control this, and may
switch it to HTTP; see below.)

2. The proxy server has an HTTPS connector like this (but under my
initial solution I wasn't thinking I should use it).

var _https = new Packages.org.apache.catalina.connector.Connector();
var hport = (p.https.port) ? p.https.port : getOpenPort();
_https.setPort(hport);
_https.setSecure(true);
_https.setScheme("https");
_https.setAttribute("keyAlias", "tomcat");
_https.setAttribute("keystorePass", "inonit");
_https.setAttribute("keystoreFile", file.toString());
_https.setAttribute("clientAuth", "false");
_https.setAttribute("sslProtocol", "TLS");
_https.setAttribute("SSLEnabled", "true");
tomcat.getService().addConnector(_https);

I can connect to this HTTPS connector with my client (as long as I
disable the various SSL security checks, given that this is a
self-signed certficate).

3. The proxy server also has an HTTP connector, the one that is the
default when using the embedded API. It changes the port number on it
to an open ephemeral port, changes the base directory to a temporary
directory, adds a context and configures servlets and so forth (it's
part of a framework, so it's generalized; in the case I'm working on,
it's adding a single servlet that basically forwards requests to the
backend).

4. The purpose of all this rigamarole is mocking. The production
third-party environment uses HTTPS, and I do not control it. I've
built a fine HTTP mock of the production environment. But as you can
imagine, when developing my production code (clients that use the
production server), a bunch of parameterization creeps in. Basically
"protocol" gets passed all over the place, lots of configuration files
get pre-processed, and so forth, so that the code works in the mocked
HTTP-only environment as well as in real life. I'd like to get rid of
some or all of that parameterization, to simplify my production code,
so I decided to see whether I could build an HTTPS mock of the
environment. The purpose of the middle proxy server is essentially to
remove the need to also parameterize server names and stuff. (The
client code requests real production URLs, but because they are
proxied through the middle tier, the middle tier can forward the
requests to the mock server.)

So I think what I want to do is have that middle tier's HTTP connector
pass HTTPS requests from the client through to the backend HTTPS
server.

For what it's worth, with some additional research, it looks like
what's happening is that the various mechanisms I am attempting to use
to "proxy" (tunnel) these requests are using a CONNECT request to
Tomcat, which is returning a 400. I think. I haven't been able to
catch it in the act.

However, for my situation, explaining it to you suggests a different
solution -- since I have my Tomcat "middle" server with an HTTPS
connector, and that is working, I am also going to experiment with
using HTTPS to communicate with the middle, and then switch the back
end to HTTP. I'm not sure that'll help (because I'm not sure how I can
implement the "direct all HTTPS requests to this host/port" without
the Java client attempting to establish a tunnel) but I'll explore it.

-- David.



On Thu, Jan 19, 2017 at 11:42 AM, Christopher Schultz
<chris@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> David,
>
> On 1/19/17 10:38 AM, David P. Caldwell wrote:
>> I'm trying to forward HTTPS requests through a Tomcat HTTP (or
>> HTTPS) server to a backend HTTPS server.
>>
>> The requests are initiated by a Java HTTP client
>> (java.net.URLConnection-based).
>>
>> So I have:
>>
>> backend HTTPS server (which works) Tomcat server running HTTP and
>> HTTPS connectors Java HTTPUrlConnection, using Tomcat HTTP
>> connector as a proxy
>>
>> The Java client can successfully:
>>
>> * use the backend HTTPS server directly * use the Tomcat HTTP
>> connector * use the Tomcat HTTPS connector
>>
>> For my scenario, I think using the HTTP connector to proxy is
>> correct, though I've also tried using the HTTPS connector.
>>
>> I'm not an expert on SSL or HTTPS. The HTTPS connector doesn't
>> work, but my understanding is that using it doesn't make sense; the
>> trust relationship is end-to-end, so you'd use ordinary HTTP to
>> proxy in between. It ends up with an unexpected EOF from server or
>> something.
>>
>> Assuming the HTTP connector is the right one to use, here's my
>> problem: Tomcat returns a 400 Bad Request when I attempt to request
>> an https: URL via an ordinary HTTP request to the HTTP connector.
>>
>> Conceptually, it seems like this ought to be fine, to me, but as I
>> said, my understanding of the concepts is a bit murky, so I might
>> be wrong.
>>
>> Am I on the right track? If so, is there something configurable
>> that will allow those requests to be forwarded rather than
>> rejected?
>
> So you've got this?
>
> client -- HTTP --> Tomcat proxy -- HTTPS --> backend server
>
> ?
>
> Or this?
>
> client -- HTTPS --> Tomcat proxy -- HTTP --> backend server
>
> ?
>
> Please post as much of your configuration (<Connector>, proxy) as you ca
> n.
>
> Also, what is the purpose of the HTTPS wherever it is being used? It
> is for privacy or for authentication (or both)?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJYgOyLAAoJEBzwKT+lPKRYcJ0P/jxtmltsNpilxkYnbTFopTFl
> 87GqViuIQOXdi/2EzP9jJhdieBv7XwIAI81hJ4qWCdUhANtxNoPeaytZPR2+E6hT
> 4zUC0x4ez4E9S2lUkhk7XcSr/0+hAM0rLd1TChJi0+tweZjWyaeCAbbdLHhjPb+e
> SRAs4Tz2qs0Y7i3qu3nV6VWt5u2eBEspogFHT8FXjXLYx/VPQOR9/60mnEDsaEek
> gC4Xqh5vMABd7Tcyslp0kfKrFEKjAgoej2cQ+p96faITV7X9ji0z35uvSwNErfD0
> iIruVVUfe8MSBRR8jwpLor6ORAL3dZ0FmKegxjAOJ897eIv3hO6rS2JqmT3Ju1Ez
> dczMIIJA7c92xk4UINlMrTRit8MXJoOuJSR778pRS/j8WirNGw1y66U2U8Z3KZeM
> 4tDKpIwwXx2HX0Mrag/m3UB5Y59UNX/5TVJQr+2GhcvIHOXK1cWUmFOdZtbwD5Xc
> a7HpZDuMNSrxZjzrfWg18EMl2IfGLWllW6Qs73e+VO3cC8tlbQzjO0RQowl2e867
> twZO8zXvGVrxtJcezaq1dRzPQDVRIVbedBAxNuN20JkdaWMcxGkBjsIiw99Vp4V7
> XgX+5+6ZeLAFHhVyoAVFumL4Rr585PzloiZLQcOUGosqqreVh4L2Yp5YRfgOojOU
> EPPtfY44QI4Jq3SwTLCr
> =938w
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org