Posted to users@tomcat.apache.org by Michele Mase' <mi...@gmail.com> on 2020/06/25 13:42:06 UTC
HTTP Header Security Filter (antiClickJackingEnabled x-frame-options)
doesn't work with mod_proxy as expected
I'm trying to configure the header x-frame-options in tomcat8
web.xml:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Testing it with tomcat works as expected:
curl -I http://ip_of_tomcat:port_of_tomcat/myapp/
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=5B3F02AE2484BB1A66B1875DCC4337BD.myapp1;
Path=/myapp; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 25 Jun 2020 12:36:14 GMT
Server:
Testing it with tomcat behind an apache reverse proxy with mod_proxy_http
does not work as expected
web.xml: the same as above
server.xml
<Connector port="port_of_tomcat" protocol="HTTP/1.1" server=" "
connectionTimeout="20000"
ProxyPort="443"
ProxyName="xframe.example.com"
scheme="https"
secure="true"
redirectPort="port_of_tomcat_plus_one" />
apache.conf
<VirtualHost ip_of_tomcat:80>
ServerName xframe.example.com
ProxyPass / http://ip_of_tomcat:port_of_tomcat/
ProxyPassReverse / http://ip_of_tomcat:port_of_tomcat/
</VirtualHost>
curl -I https://xframe.example.com/myapp/
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:20:48 GMT
Server:
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7F94B0FFC3905A6CA4B4C192E0559AF4.myapp1;
Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
The x-frame-options header is missing. The only workaround I have found is
by enabling mod_headers in apache.conf, i.e.:
<IfModule headers_module>
<IfVersion >= 2.4.7 >
Header always setifempty X-Frame-Options SAMEORIGIN
</IfVersion>
<IfVersion < 2.4.7 >
Header always merge X-Frame-Options SAMEORIGIN
</IfVersion>
</IfModule>
And it finally works:
curl -I https://xframe.example.com/myapp/
HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:24:48 GMT
Server:
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=990791DCF707F972D7C2CF09D47F4BE4.myapp1;
Path=/myapp; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
Is it possible to use x-frame-options with mod_proxy without also having to
use mod_headers?
I would like to configure only tomcat and not apache.
--
Michele Masè
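A small check a reader can run against the two responses above to see exactly which of the filter's headers the proxy path lost. This is an added example, not part of the original post; the header blobs are constructed from the two curl -I outputs in the post, and check_url is a hypothetical helper that feeds a live URL into the same logic.

```shell
#!/bin/sh
# Constructed samples modelled on the post's curl -I outputs: the direct
# Tomcat response carries X-Frame-Options, the proxied response does not.
DIRECT_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1'

PROXIED_HEADERS='HTTP/1.1 200 OK
Date: Thu, 25 Jun 2020 13:20:48 GMT
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding,User-Agent'

# Print the names of the HttpHeaderSecurityFilter headers that are absent
# from a header blob. Header names match case-insensitively, as HTTP requires.
missing_security_headers() {
  blob="$1"
  for h in X-Frame-Options Strict-Transport-Security \
           X-Content-Type-Options X-XSS-Protection; do
    printf '%s\n' "$blob" | grep -qi "^$h:" || printf '%s\n' "$h"
  done
}

# Print every header name present in the direct response ($1) but missing
# from the proxied response ($2): what the reverse-proxy hop dropped.
dropped_by_proxy() {
  printf '%s\n' "$1" | sed -n 's/^\([A-Za-z-][A-Za-z-]*\):.*/\1/p' |
  while read -r name; do
    printf '%s\n' "$2" | grep -qi "^$name:" || printf '%s\n' "$name"
  done
}

# Hypothetical helper (assumed, not from the post): run the check on a live
# URL. Not exercised offline.
check_url() {
  missing_security_headers "$(curl -sI "$1")"
}
```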
[users@httpd] Fwd: HTTP Header Security Filter (antiClickJackingEnabled
x-frame-options) doesn't work with mod_proxy as expected
Posted by Michele Mase' <mi...@gmail.com>.
Note:
already asked the tomcat mailing list without receiving any reply
--
Michele Masè