Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

[Brett Palmer <br...@gmail.com>]

We use Apache web servers to communicate with our OFBiz servers using a
combination of mod_jk and mod_proxy.  For our mod_proxy configuration, we
forward secure requests (https) from Apache to a non-secure port (8080) on
Tomcat/OFBiz.

Our application is an AJAX/Dojo application that posts normal HTTP requests
to the web server, but when we do this we frequently get the following
messages:

2010-03-01 13:32:18,890 (http-0.0.0.0-8080-6) [
RequestHandler.java:186:ERROR] Got a insecure (non-https) form POST to a
secure (http) request [jsonservice], returning error
2010-03-01 13:32:18,906 (http-0.0.0.0-8080-6) [
RequestHandler.java:204:WARN ] HTTPS is disabled for this site, so we can't
tell if this was encrypted or not which means if a form was POSTed and it
was not over HTTPS we don't know, but it would be vulnerable to an XSRF and
other attacks: Not accepting insecure form data posted to a secure request

I understand the reason for the error message and the potential security
problems if our Tomcat/OFBiz application server was the front-facing server,
but in our environment the Tomcat/OFBiz servers are only accessible via
Apache.  The request from the user is secure.

I don't believe the error causes any problems for us (transaction roll
backs, etc), but we would like to eliminate all false error messages in our
logs so we can focus on more critical ones.

What is the recommendation from the community for avoiding these types of
messages when using Apache to Tomcat configuration?  Are others working
around these issues when they use Apache mod_proxy?




Brett

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

[Brett Palmer <br...@gmail.com>]

Thanks that was a helpful link.

We are still trying to determine what performs better, mod_jk or mod_proxy.
 We thought we found some bottlenecks under heavy loads with mod_Jk but we
never confirmed that.  I'll update the group on our findings as we discover
them.



Brett

On Thu, Mar 4, 2010 at 1:35 PM, Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:

> Also you might be interested by mod_proxy_ajp, a simple setting here
>
> http://cwiki.apache.org/confluence/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
>
> Jacques
>
> From: "Adrian Crum" <ad...@hlmksw.com>
>
>  Scott Gray wrote:
>>
>>> I don't have a recommendation as such, it was just a thought to get you
>>> to the quickest possible solution.
>>>
>>> The options as I see it are:
>>> 1. Switch back to using https
>>> 2. Submit patches so that these warnings/error aren't logged for every
>>> request, perhaps just at startup or perhaps have another configuration to
>>> disable the warnings
>>>
>>> It wasn't clear to me how you are ensuring the same level of security
>>> that OFBiz provides OOTB but I would recommend that maintaining it should be
>>> your highest priority.
>>>
>>
>> I agree with this. Don't assume the network behind the firewall is safe.
>> Enable security wherever and whenever possible.
>>
>>
>
>

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

[Jacques Le Roux <ja...@les7arts.com>]

Also you might be interested by mod_proxy_ajp, a simple setting here
http://cwiki.apache.org/confluence/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD

Jacques

From: "Adrian Crum" <ad...@hlmksw.com>
> Scott Gray wrote:
>> I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.
>>
>> The options as I see it are:
>> 1. Switch back to using https
>> 2. Submit patches so that these warnings/error aren't logged for every request, perhaps just at startup or perhaps have another 
>> configuration to disable the warnings
>>
>> It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB but I would recommend that 
>> maintaining it should be your highest priority.
>
> I agree with this. Don't assume the network behind the firewall is safe. Enable security wherever and whenever possible.
> 

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

[Adrian Crum <ad...@hlmksw.com>]

Scott Gray wrote:
> I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.
> 
> The options as I see it are:
> 1. Switch back to using https
> 2. Submit patches so that these warnings/error aren't logged for every request, perhaps just at startup or perhaps have another configuration to disable the warnings
> 
> It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB but I would recommend that maintaining it should be your highest priority.

I agree with this. Don't assume the network behind the firewall is safe. 
Enable security wherever and whenever possible.

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

[Scott Gray <sc...@hotwaxmedia.com>]

I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.

The options as I see it are:
1. Switch back to using https
2. Submit patches so that these warnings/error aren't logged for every request, perhaps just at startup or perhaps have another configuration to disable the warnings

It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB but I would recommend that maintaining it should be your highest priority.

Regards
Scott

On 4/03/2010, at 11:21 AM, Brett Palmer wrote:

> Scott,
> 
> We don't really have a good reason for turning it off.  Here were some of
> the reasons:
> 
> - The initial thought was secure connections between web and application
> servers was not necessary as these are behind the firewall.
> - We also thought we might be improving performance by not encrypting
> requests between servers, but we never verified these benefits.
> - We also use mod_jk and it communicates insecurely using is own AJP
> protocol.
> 
> Is your recommendation to turn on security and have mod_proxy communicate
> directly to port 8443?
> 
> 
> Brett
> 
> 
> 
> On Thu, Mar 4, 2010 at 11:00 AM, Scott Gray <sc...@hotwaxmedia.com>wrote:
> 
>> On 4/03/2010, at 10:50 AM, Brett Palmer wrote:
>> 
>>> We use Apache web servers to communicate with our OFBiz servers using a
>>> combination of mod_jk and mod_proxy.  For our mod_proxy configuration, we
>>> forward secure requests (https) from Apache to a non-secure port (8080)
>> on
>>> Tomcat/OFBiz.
>>> 
>> 
>> 
>> Hi Brett
>> 
>> Why do you transfer from https to http?  If you stopped doing that wouldn't
>> all your problems go away?
>> 
>> Regards
>> Scott

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

[Brett Palmer <br...@gmail.com>]

Scott,

We don't really have a good reason for turning it off.  Here were some of
the reasons:

- The initial thought was secure connections between web and application
servers was not necessary as these are behind the firewall.
- We also thought we might be improving performance by not encrypting
requests between servers, but we never verified these benefits.
- We also use mod_jk and it communicates insecurely using is own AJP
protocol.

Is your recommendation to turn on security and have mod_proxy communicate
directly to port 8443?


Brett



On Thu, Mar 4, 2010 at 11:00 AM, Scott Gray <sc...@hotwaxmedia.com>wrote:

> On 4/03/2010, at 10:50 AM, Brett Palmer wrote:
>
> > We use Apache web servers to communicate with our OFBiz servers using a
> > combination of mod_jk and mod_proxy.  For our mod_proxy configuration, we
> > forward secure requests (https) from Apache to a non-secure port (8080)
> on
> > Tomcat/OFBiz.
> >
>
>
> Hi Brett
>
> Why do you transfer from https to http?  If you stopped doing that wouldn't
> all your problems go away?
>
> Regards
> Scott

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

[Scott Gray <sc...@hotwaxmedia.com>]

On 4/03/2010, at 10:50 AM, Brett Palmer wrote:

> We use Apache web servers to communicate with our OFBiz servers using a
> combination of mod_jk and mod_proxy.  For our mod_proxy configuration, we
> forward secure requests (https) from Apache to a non-secure port (8080) on
> Tomcat/OFBiz.
> 


Hi Brett

Why do you transfer from https to http?  If you stopped doing that wouldn't all your problems go away?

Regards
Scott