Posted to users@tapestry.apache.org by Svein-Erik Løken <sv...@jacilla.no> on 2016/07/21 09:07:36 UTC

TLS termination proxy and Tapestry

Using HAProxy or Apache HTTP Server as a TLS termination proxy, I found that when setting X-Forwarded-Proto="https" in the header on the proxy, org.apache.tapestry5.services.Request::isSecure returns true. That's good!
In tapestry.production-mode=true I am getting absolute URLs, e.g. http://example.com/index.mycompo.form.
Setting -Dtapestry.secure-enabled=false seems to solve this. Now I am getting a relative URL (/index.mycompo.form).
I can see that with X-Forwarded-Proto="https" set, org.apache.tapestry5.internal.services.RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE. That's good!

To me it seems that this is the correct solution, but I would find it nice if some Tapestry experts could confirm this!
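
The post above shows that a request header alone decides whether Request::isSecure returns true, so the header should only be believed when the TLS termination proxy sent it. The servlet filter below is an added example, not code from this thread or from Tapestry: it hides X-Forwarded-Proto from any request that did not arrive from a trusted proxy address. Assumptions: the class name TrustedProxyProtoFilter and the trustedProxies init-param are hypothetical, the proxy forwards over plain HTTP (not AJP) from the listed addresses, and the filter is mapped in web.xml ahead of the Tapestry filter.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Added example (hypothetical class): the application only sees
 * X-Forwarded-Proto when the request came from a known TLS termination proxy.
 * Requires Servlet API 3.0+ and must run before the Tapestry filter.
 */
public class TrustedProxyProtoFilter implements Filter {

    private static final String HEADER = "X-Forwarded-Proto";

    // Assumption: the proxy runs on the same host, as in the nginx snippet in
    // this thread that forwards to 127.0.0.1:8080. Override with the
    // (hypothetical) init-param "trustedProxies", a comma-separated list.
    private Set<String> trustedProxies =
            new HashSet<>(Arrays.asList("127.0.0.1", "0:0:0:0:0:0:0:1", "::1"));

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("trustedProxies");
        if (param != null && !param.trim().isEmpty()) {
            trustedProxies = new HashSet<>(Arrays.asList(param.trim().split("\\s*,\\s*")));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // With HTTP proxying getRemoteAddr() is the proxy's address. With AJP
        // it is the original client's address, so this check does not apply there.
        if (req instanceof HttpServletRequest && !trustedProxies.contains(req.getRemoteAddr())) {
            // Direct connection: whatever the client put in the header is untrusted.
            req = new HeaderHidingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Request view in which X-Forwarded-Proto does not exist. */
    private static final class HeaderHidingRequest extends HttpServletRequestWrapper {

        HeaderHidingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getHeader(String name) {
            return HEADER.equalsIgnoreCase(name) ? null : super.getHeader(name);
        }

        @Override
        public Enumeration<String> getHeaders(String name) {
            return HEADER.equalsIgnoreCase(name)
                    ? Collections.<String>emptyEnumeration()
                    : super.getHeaders(name);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            List<String> names = new ArrayList<>();
            for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = e.nextElement();
                if (!HEADER.equalsIgnoreCase(n)) {
                    names.add(n);
                }
            }
            return Collections.enumeration(names);
        }
    }
}
```

The proxy side still has to set the header itself on every request, as the nginx snippet later in this thread does with `proxy_set_header X-Forwarded-Proto $scheme;`, so that a value supplied by the client never passes through unchanged.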


Re: TLS termination proxy and Tapestry

Posted by Chris Poulsen <ma...@nesluop.dk>.
It has been a while since we looked into this, but as far as I can remember
we needed SECURE_ENABLED=false in order to have our apps supporting both
http and https at the same time. None of our app servers are configured to
use ssl; that is always handled before the requests hit tapestry.

-- 
Chris

On Fri, Jul 22, 2016 at 1:23 PM, JumpStart <geoff.callender.jumpstart@gmail.com> wrote:

> When you say you are avoiding absolute URLs, where have you noticed this?
> I can’t recall this being a problem.
>
> Now, I’m no expert on this kind of configuration, and it’s a while since I
> set this all up, so forgive me if I have my wires crossed. Also, our site’s
> load is small so far but growing so all of this will be up for review soon.
>
> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
> setting this in AppModule:
>
>         public void contributeMetaDataLocator(MappedConfiguration<String,
> String> configuration) {
>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>         }
>
> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
> terminating the SSL/TLS.
>
> We use:
>
>         -Dtapestry.secure-enabled=true
>
> We tell mod_proxy this:
>
>         ProxyPreserveHost On
>
> and we use the following to convert the request to AJP, because app
> preserves the HTTPS headers.
>
>         ProxyPass /myapp ajp://app:8009/myapp retry=5
>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>
> This all works great for us. So what’s the URL issue again?
>
> Geoff
>
> > On 22 Jul 2016, at 5:54 PM, Svein-Erik Løken <sv...@jacilla.no> wrote:
> >
> > Thanks for confirmation on this!
> >
> > What about make note on this in the documentation
> https://tapestry.apache.org/security.html?
> >
> > It's not obvious that X-Forwarded-Proto="https" should be set in the TLS
> termination proxy. Other X-Forwarded- is often set default in the proxy,
> like X-Forwarded-For.
> >
> > And the tapestry.secure-enabled = false.
> >
> >
> > Web sites need to be encrypted in the future to work in Chrome, Firefox…
> Google Will Soon Shame All Websites That Are Unencrypted
> http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https.
> >
> >
> >
> > GeoLocation stopped to work in Chrome for desktop and Android, so I had
> to use encryption.
> >
> >
> >
> >
> > From: Chris Poulsen [via Apache Tapestry Mailing List Archives] [mailto:
> ml-node+s1045711n5732784h85@n5.nabble.com]
> > Sent: 22. juli 2016 11:35
> > To: Svein-Erik Løken <svein@jacilla.no>
> > Subject: Re: TLS termination proxy and Tapestry
> >
> > We are always setting tapestry.secure-enabled = false
> >
> > --
> > Chris
> >
> > On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:
> >
> >> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
> >> always set secure enables to false.
> >>
> >> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
> >>
> >>> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> >>> that setting X-Forwarded-Proto="https" in the header on the proxy
> >>> org.apache.tapestry5.services.Request::isSecure returns true . That's
> >> good!
> >>> In tapestry.production-mode=true I am getting absolute URLs. E.g.
> >>> http://example.com/index.mycompo.form.
> >>> By setting -Dtapestry.secure-enabled=false seems to solve this. Now I
> am
> >>> getting a relative URL. (/index.mycompo.form).
> >>> I can see that with X-Forwarded-Proto="https" set,
> >>> org.apache.tapestry5.internal.services.
> >>> RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> >>> That's good!
> >>>
> >>> For me it seems that this is the correct solution, but I find it nice
> if
> >>> some tapestry experts can confirm this!
> >>>
> >>>
> >>
> >
>
>

RE: TLS termination proxy and Tapestry

Posted by Svein-Erik Løken <sv...@jacilla.no>.
My feeling is that for SSL/HTTPS set up in Jetty/Tomcat etc. (no proxy in front needed) you use:

    public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) {
        configuration.add(MetaDataConstants.SECURE_PAGE, "true");
    }

-- or secure pages with annotation:

@Secure

-- or folders with:

public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true");
}


If behind a TLS termination proxy use:
tapestry.security-enabled= false

The latter seems most intuitive also, because pages are unsecured in the tapestry application/servlet. The TLS termination proxy takes care of the security.


From: Dimitris Zenios [via Apache Tapestry Mailing List Archives] [mailto:ml-node+s1045711n5732791h2@n5.nabble.com] 
Sent: 22. juli 2016 14:52
To: Svein-Erik Løken <sv...@jacilla.no>
Subject: Re: TLS termination proxy and Tapestry

Forgot to mention that I also have tapestry.security-enabled= false in my
app settings

On Fri, Jul 22, 2016 at 3:50 PM, Dimitris Zenios wrote:

> This  is a snippet of nginx configuration that proxies the request to 
> jetty on port 8080.Via this configuration i am able to have ssl and non ssl 
> versions of the tapestry application.If i want to enforce only ssl version 
> of tapestry i enforce it via nginx.Hope that was helpful 
> 
>     location / { 
>         proxy_set_header X-Forwarded-Host $host; 
>         proxy_set_header X-Forwarded-Server $host; 
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
>         proxy_set_header X-Forwarded-Proto $scheme; 
>         proxy_pass       http://127.0.0.1:8080;
>     } 
> 
> 
> On Fri, Jul 22, 2016 at 3:31 PM, Svein-Erik Løken wrote:
> 
>> With my configuration with -Dtapestry.secure-enabled=true the private 
>> String org.apache.tapestry5.internal.services. 
>> LinkImpl::buildURI(LinkSecurity security) return the absolute URI. 
>> 
>> Using: 
>> 
>>         public void contributeMetaDataLocator(MappedConfiguration<String, 
>> String> configuration) { 
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true"); 
>>         } 
>> With -Dtapestry.secure-enabled=true also works. 
>> 
>> Still need to set X-Forwarded-Proto="https" to have request.isSecure() 
>> return true. 
>> 
>> Which one is the preferred method? 
>> 
>> S-E 
>> 
>> 
>> 
>> From: JumpStart [via Apache Tapestry Mailing List Archives]
>> Sent: 22. juli 2016 13:24
>> To: Svein-Erik Løken
>> Subject: Re: TLS termination proxy and Tapestry 
>> 
>> When you say you are avoiding absolute URLs, where have you noticed this? 
>> I can’t recall this being a problem. 
>> 
>> Now, I’m no expert on this kind of configuration, and it’s a while since I
>> set this all up, so forgive me if I have my wires crossed. Also, our site’s 
>> load is small so far but growing so all of this will be up for review soon. 
>> 
>> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by 
>> setting this in AppModule: 
>> 
>>         public void contributeMetaDataLocator(MappedConfiguration<String, 
>> String> configuration) { 
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true"); 
>>         } 
>> 
>> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is 
>> terminating the SSL/TLS. 
>> 
>> We use: 
>> 
>>         -Dtapestry.secure-enabled=true 
>> 
>> We tell mod_proxy this: 
>> 
>>         ProxyPreserveHost On 
>> 
>> and we use the following to convert the request to AJP, because app 
>> preserves the HTTPS headers. 
>> 
>>         ProxyPass /myapp ajp://app:8009/myapp retry=5 
>>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>> 
>> This all works great for us. So what’s the URL issue again? 
>> 
>> Geoff 
>> 
>> 
>> 
> 


Re: TLS termination proxy and Tapestry

Posted by Dimitris Zenios <di...@gmail.com>.
Forgot to mention that I also have tapestry.security-enabled= false in my
app settings

On Fri, Jul 22, 2016 at 3:50 PM, Dimitris Zenios <di...@gmail.com>
wrote:

> This  is a snippet of nginx configuration that proxies the request to
> jetty on port 8080.Via this configuration i am able to have ssl and non ssl
> versions of the tapestry application.If i want to enforce only ssl version
> of tapestry i enforce it via nginx.Hope that was helpful
>
>     location / {
>         proxy_set_header X-Forwarded-Host $host;
>         proxy_set_header X-Forwarded-Server $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_pass       http://127.0.0.1:8080;
>     }
>
>
> On Fri, Jul 22, 2016 at 3:31 PM, Svein-Erik Løken <sv...@jacilla.no>
> wrote:
>
>> With my configuration with -Dtapestry.secure-enabled=true the private
>> String org.apache.tapestry5.internal.services.
>> LinkImpl::buildURI(LinkSecurity security) return the absolute URI.
>>
>> Using:
>>
>>         public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>         }
>> With -Dtapestry.secure-enabled=true also works.
>>
>> Still need to set X-Forwarded-Proto="https" to have request.isSecure()
>> return true.
>>
>> Which one is the preferred method?
>>
>> S-E
>>
>>
>>
>> From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:
>> ml-node+s1045711n5732786h47@n5.nabble.com]
>> Sent: 22. juli 2016 13:24
>> To: Svein-Erik Løken <sv...@jacilla.no>
>> Subject: Re: TLS termination proxy and Tapestry
>>
>> When you say you are avoiding absolute URLs, where have you noticed this?
>> I can’t recall this being a problem.
>>
>> Now, I’m no expert on this kind of configuration, and it’s a while since I
>> set this all up, so forgive me if I have my wires crossed. Also, our site’s
>> load is small so far but growing so all of this will be up for review soon.
>>
>> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
>> setting this in AppModule:
>>
>>         public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>         }
>>
>> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
>> terminating the SSL/TLS.
>>
>> We use:
>>
>>         -Dtapestry.secure-enabled=true
>>
>> We tell mod_proxy this:
>>
>>         ProxyPreserveHost On
>>
>> and we use the following to convert the request to AJP, because app
>> preserves the HTTPS headers.
>>
>>         ProxyPass /myapp ajp://app:8009/myapp retry=5
>>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>>
>> This all works great for us. So what’s the URL issue again?
>>
>> Geoff
>>
>>
>>
>

Re: TLS termination proxy and Tapestry

Posted by Dimitris Zenios <di...@gmail.com>.
This is a snippet of nginx configuration that proxies the request to jetty
on port 8080. Via this configuration I am able to have ssl and non ssl
versions of the tapestry application. If I want to enforce only ssl version
of tapestry I enforce it via nginx. Hope that was helpful

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass       http://127.0.0.1:8080;
    }


On Fri, Jul 22, 2016 at 3:31 PM, Svein-Erik Løken <sv...@jacilla.no> wrote:

> With my configuration with -Dtapestry.secure-enabled=true the private
> String org.apache.tapestry5.internal.services.
> LinkImpl::buildURI(LinkSecurity security) return the absolute URI.
>
> Using:
>
>         public void contributeMetaDataLocator(MappedConfiguration<String,
> String> configuration) {
>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>         }
> With -Dtapestry.secure-enabled=true also works.
>
> Still need to set X-Forwarded-Proto="https" to have request.isSecure()
> return true.
>
> Which one is the preferred method?
>
> S-E
>
>
>
> From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:
> ml-node+s1045711n5732786h47@n5.nabble.com]
> Sent: 22. juli 2016 13:24
> To: Svein-Erik Løken <sv...@jacilla.no>
> Subject: Re: TLS termination proxy and Tapestry
>
> When you say you are avoiding absolute URLs, where have you noticed this?
> I can’t recall this being a problem.
>
> Now, I’m no expert on this kind of configuration, and it’s a while since I
> set this all up, so forgive me if I have my wires crossed. Also, our site’s
> load is small so far but growing so all of this will be up for review soon.
>
> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
> setting this in AppModule:
>
>         public void contributeMetaDataLocator(MappedConfiguration<String,
> String> configuration) {
>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>         }
>
> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
> terminating the SSL/TLS.
>
> We use:
>
>         -Dtapestry.secure-enabled=true
>
> We tell mod_proxy this:
>
>         ProxyPreserveHost On
>
> and we use the following to convert the request to AJP, because app
> preserves the HTTPS headers.
>
>         ProxyPass /myapp ajp://app:8009/myapp retry=5
>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>
> This all works great for us. So what’s the URL issue again?
>
> Geoff
>
>
>

RE: TLS termination proxy and Tapestry

Posted by Svein-Erik Løken <sv...@jacilla.no>.
With my configuration with -Dtapestry.secure-enabled=true the private String org.apache.tapestry5.internal.services.LinkImpl::buildURI(LinkSecurity security) returns the absolute URI.

Using: 

        public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) { 
                configuration.add(MetaDataConstants.SECURE_PAGE, "true"); 
        }
With -Dtapestry.secure-enabled=true also works.

Still need to set X-Forwarded-Proto="https" to have request.isSecure() return true.

Which one is the preferred method?

S-E



From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:ml-node+s1045711n5732786h47@n5.nabble.com] 
Sent: 22. juli 2016 13:24
To: Svein-Erik Løken <sv...@jacilla.no>
Subject: Re: TLS termination proxy and Tapestry

When you say you are avoiding absolute URLs, where have you noticed this? I can’t recall this being a problem. 

Now, I’m no expert on this kind of configuration, and it’s a while since I set this all up, so forgive me if I have my wires crossed. Also, our site’s load is small so far but growing so all of this will be up for review soon.

In production we run pure HTTPS. We force all HTTP traffic to HTTPS by setting this in AppModule: 

        public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) { 
                configuration.add(MetaDataConstants.SECURE_PAGE, "true"); 
        } 

We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is terminating the SSL/TLS. 

We use: 

        -Dtapestry.secure-enabled=true 

We tell mod_proxy this: 

        ProxyPreserveHost On 

and we use the following to convert the request to AJP, because app preserves the HTTPS headers. 

        ProxyPass /myapp ajp://app:8009/myapp retry=5 
        ProxyPassReverse /myapp ajp://app:8009/myapp retry=5

This all works great for us. So what’s the URL issue again? 

Geoff 



Re: TLS termination proxy and Tapestry

Posted by JumpStart <ge...@gmail.com>.
When you say you are avoiding absolute URLs, where have you noticed this? I can’t recall this being a problem.

Now, I’m no expert on this kind of configuration, and it’s a while since I set this all up, so forgive me if I have my wires crossed. Also, our site’s load is small so far but growing so all of this will be up for review soon.

In production we run pure HTTPS. We force all HTTP traffic to HTTPS by setting this in AppModule:

	public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) {
		configuration.add(MetaDataConstants.SECURE_PAGE, "true");
	}

We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is terminating the SSL/TLS. 

We use:

	-Dtapestry.secure-enabled=true

We tell mod_proxy this:

	ProxyPreserveHost On

and we use the following to convert the request to AJP, because app preserves the HTTPS headers.

        ProxyPass /myapp ajp://app:8009/myapp retry=5
        ProxyPassReverse /myapp ajp://app:8009/myapp retry=5

This all works great for us. So what’s the URL issue again?

Geoff

> On 22 Jul 2016, at 5:54 PM, Svein-Erik Løken <sv...@jacilla.no> wrote:
> 
> Thanks for confirmation on this!
> 
> What about make note on this in the documentation https://tapestry.apache.org/security.html?
> 
> It's not obvious that X-Forwarded-Proto="https" should be set in the TLS termination proxy. Other X-Forwarded- is often set default in the proxy, like X-Forwarded-For.
> 
> And the tapestry.secure-enabled = false.
> 
> 
> Web sites need to be encrypted in the future to work in Chrome, Firefox… Google Will Soon Shame All Websites That Are Unencrypted http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https.
> 
> 
> 
> GeoLocation stopped to work in Chrome for desktop and Android, so I had to use encryption.
> 
> 
> 
> 
> From: Chris Poulsen [via Apache Tapestry Mailing List Archives] [mailto:ml-node+s1045711n5732784h85@n5.nabble.com]
> Sent: 22. juli 2016 11:35
> To: Svein-Erik Løken <svein@jacilla.no>
> Subject: Re: TLS termination proxy and Tapestry
> 
> We are always setting tapestry.secure-enabled = false
> 
> --
> Chris
> 
> On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:
> 
>> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
>> always set secure enables to false.
>> 
>> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
>> 
>>> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
>>> that setting X-Forwarded-Proto="https" in the header on the proxy
>>> org.apache.tapestry5.services.Request::isSecure returns true . That's
>> good!
>>> In tapestry.production-mode=true I am getting absolute URLs. E.g.
>>> http://example.com/index.mycompo.form.
>>> By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
>>> getting a relative URL. (/index.mycompo.form).
>>> I can see that with X-Forwarded-Proto="https" set,
>>> org.apache.tapestry5.internal.services.
>>> RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
>>> That's good!
>>> 
>>> For me it seems that this is the correct solution, but I find it nice if
>>> some tapestry experts can confirm this!
>>> 
>>> 
>> 
> 


RE: TLS termination proxy and Tapestry

Posted by Svein-Erik Løken <sv...@jacilla.no>.
Thanks for confirmation on this!

What about making a note of this in the documentation https://tapestry.apache.org/security.html?

It's not obvious that X-Forwarded-Proto="https" should be set in the TLS termination proxy. Other X-Forwarded- headers are often set by default in the proxy, like X-Forwarded-For.

And the tapestry.secure-enabled = false.


Web sites need to be encrypted in the future to work in Chrome, Firefox… Google Will Soon Shame All Websites That Are Unencrypted http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https.

GeoLocation stopped working in Chrome for desktop and Android, so I had to use encryption.




From: Chris Poulsen [via Apache Tapestry Mailing List Archives] [mailto:ml-node+s1045711n5732784h85@n5.nabble.com]
Sent: 22. juli 2016 11:35
To: Svein-Erik Løken <sv...@jacilla.no>
Subject: Re: TLS termination proxy and Tapestry

We are always setting tapestry.secure-enabled = false

--
Chris

On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:

> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
> always set secure enables to false.
>
> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
>
> > Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> > that setting X-Forwarded-Proto="https" in the header on the proxy
> > org.apache.tapestry5.services.Request::isSecure returns true . That's
> good!
> > In tapestry.production-mode=true I am getting absolute URLs. E.g.
> > http://example.com/index.mycompo.form.
> > By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
> > getting a relative URL. (/index.mycompo.form).
> > I can see that with X-Forwarded-Proto="https" set,
> > org.apache.tapestry5.internal.services.
> > RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> > That's good!
> >
> > For me it seems that this is the correct solution, but I find it nice if
> > some tapestry experts can confirm this!
> >
> >
>


Re: TLS termination proxy and Tapestry

Posted by Chris Poulsen <ma...@nesluop.dk>.
We are always setting tapestry.secure-enabled = false

-- 
Chris

On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <dimitris.zenios@gmail.com> wrote:

> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
> always set secure enables to false.
>
> On 21 Jul 2016 12:07, "Svein-Erik Løken" <sv...@jacilla.no> wrote:
>
> > Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> > that setting X-Forwarded-Proto="https" in the header on the proxy
> > org.apache.tapestry5.services.Request::isSecure returns true . That's
> good!
> > In tapestry.production-mode=true I am getting absolute URLs. E.g.
> > http://example.com/index.mycompo.form.
> > By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
> > getting a relative URL. (/index.mycompo.form).
> > I can see that with X-Forwarded-Proto="https" set,
> > org.apache.tapestry5.internal.services.
> > RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> > That's good!
> >
> > For me it seems that this is the correct solution, but I find it nice if
> > some tapestry experts can confirm this!
> >
> >
>

Re: TLS termination proxy and Tapestry

Posted by Dimitris Zenios <di...@gmail.com>.
When I am doing ssl out of the servlet container (e.g. jetty, apache etc.) I
always set secure enabled to false.

On 21 Jul 2016 12:07, "Svein-Erik Løken" <sv...@jacilla.no> wrote:

> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> that setting X-Forwarded-Proto="https" in the header on the proxy
> org.apache.tapestry5.services.Request::isSecure returns true . That's good!
> In tapestry.production-mode=true I am getting absolute URLs. E.g.
> http://example.com/index.mycompo.form.
> By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
> getting a relative URL. (/index.mycompo.form).
> I can see that with X-Forwarded-Proto="https" set,
> org.apache.tapestry5.internal.services.
> RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> That's good!
>
> For me it seems that this is the correct solution, but I find it nice if
> some tapestry experts can confirm this!
>
>