From: "Naga Ramesh"
To: "'Tomcat Users List'"
Subject: RE: getting some cookie & security related issues.
Date: Thu, 30 Nov 2017 13:55:37 +0530
In-Reply-To: <3de038e8-8903-8980-b6af-0ebd9a3b7c9c@olafkock.de>
Message-ID: <00a401d369b4$ce43dca0$6acb95e0$@manthan.com>

Thanks Olaf..

> There's one piece of information that looks suspicious to me: HTTPS from AWS to Tomcat, port 8080. While it's possible that you're doing this, 8080 is typically used to handle http requests, while 8443 would be a default choice in the 8000+ range of ports for handling https. Please confirm or deny that you have reconfigured a secure connector to listen to port 8080, otherwise it's not clear that you're indeed configuring the communication from AWS to Tomcat as an encrypted one.

User HTTPS request ---> AWS ELB 443, and here we have applied the SSL; 443 is redirected to port 8080 of Tomcat (non-SSL).

> To preempt the next mail and give more information upfront: If you indeed have tomcat listen on 8080 for http, it won't have a clue that this connection is secure, because it doesn't know anything about the original connection. You can fake the knowledge about the connection to be secure with the connector attribute secure="true", but you'll have to make sure that nobody can reach your tomcat through any other way than through your load balancer when you do. Another option is to use AJP for the communication between AWS and Tomcat (I don't know if this is supported on the AWS-ELB side). While this protocol is unencrypted, it does forward the http/https information from the original connection.

I have tried this way (secure="true") also; the application works fine, but we are unable to log in to the application and get the "oops, session expired" error message, so I have reverted this parameter.

Regards,
Naga Ramesh R
1974

-----Original Message-----
From: Olaf Kock [mailto:tomcat@olafkock.de]
Sent: Thursday, November 30, 2017 1:33 PM
To: users@tomcat.apache.org
Subject: Re: getting some cookie & security related issues.

On 30.11.2017 08:52, Naga Ramesh wrote:
> User --------> AWS --------> Tomcat
>     (HTTPS)          (HTTPS)
>
> User-HTTPS request----> AWS-ELB(https-443) re-direct to tomcat connector port-8080
>
> What is the (expected) path when the user makes an HTTPS request? Is it:
>
> User --------> AWS --------> Tomcat
>     (HTTPS)          (HTTPS)

There's one piece of information that looks suspicious to me: HTTPS from AWS to Tomcat, port 8080. While it's possible that you're doing this, 8080 is typically used to handle http requests, while 8443 would be a default choice in the 8000+ range of ports for handling https. Please confirm or deny that you have reconfigured a secure connector to listen to port 8080, otherwise it's not clear that you're indeed configuring the communication from AWS to Tomcat as an encrypted one.

To preempt the next mail and give more information upfront: If you indeed have tomcat listen on 8080 for http, it won't have a clue that this connection is secure, because it doesn't know anything about the original connection. You can fake the knowledge about the connection to be secure with the connector attribute secure="true", but you'll have to make sure that nobody can reach your tomcat through any other way than through your load balancer when you do. Another option is to use AJP for the communication between AWS and Tomcat (I don't know if this is supported on the AWS-ELB side). While this protocol is unencrypted, it does forward the http/https information from the original connection User->AWS.

Please clarify your situation.

Thanks,
Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
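As an added illustration (not from the thread, and not Naga's or Olaf's actual configuration), here is how the two setups discussed above look in Tomcat's server.xml, plus a third option the thread does not raise: letting Tomcat trust the X-Forwarded-Proto header the ELB adds, but only when the request arrives from the load balancer's own address range. The connector port 8080 comes from the thread; the 10.0.x.x proxy range and the timeout value are assumptions.

```xml
<!-- server.xml fragments (added example, not from the mailing-list thread). -->

<!-- 1. The setup Naga describes: the ELB terminates TLS on 443 and forwards
        plain HTTP to 8080. Tomcat sees an http request, so request.isSecure()
        is false, generated redirects use http, and the JSESSIONID cookie is
        not marked Secure. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- 2. Olaf's suggestion: declare every request on 8080 secure. scheme and
        proxyPort make getScheme()/getServerPort() and redirect URLs match
        what the browser sees (https, 443). This is only safe when nothing
        but the load balancer can reach 8080 (security group / firewall),
        because a direct plain-HTTP client would also be treated as secure. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           secure="true"
           scheme="https"
           proxyPort="443" />

<!-- 3. Alternative not raised in the thread: keep the plain connector from
        (1) and let RemoteIpValve derive the scheme from X-Forwarded-Proto,
        which the ELB sets. The header is honoured only if the peer address
        matches internalProxies (assumed ELB range 10.0.0.0/16; adjust for
        your VPC), so a request that bypasses the ELB keeps its real scheme
        instead of being spoofed into "secure". Place inside <Engine> or <Host>. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       internalProxies="10\.0\.\d{1,3}\.\d{1,3}" />
```

With either (2) or (3) in place, Tomcat's own logging of request.isSecure() and the Secure flag on the session cookie are the quickest way to confirm the forwarded connection is being treated as HTTPS before re-testing the login flow.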