You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Andre-John Mas <aj...@sympatico.ca> on 2009/05/20 15:39:54 UTC
mod_proxy, Tomcat and request URL
Hi,
Where I work the production environment is using Apache HTTPD in front
of Tomcat and the link is then made via mod_proxy. While I understand
this is not the ideal setup, I don't have any control over this. At
the same time I see that using mod_proxy, by way of ProxyPass, means
that the Tomcat server does not know what hostname was used to access
the Apache server, instead getting http://localhost:8080/ . Is there
any way, probably via configuration of Apache, that this could be
passed to the Tomcat? I looked for information on this, but I could
not find any.
André-John
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: mod_proxy, Tomcat and request URL
Posted by Rainer Jung <ra...@kippdata.de>.
On 22.05.2009 04:31, Andre-John Mas wrote:
>
> On 21-May-2009, at 12:32, Rainer Jung wrote:
>
>> On 20.05.2009 17:33, Markus Schönhaber wrote:
>>> Andre-John Mas:
>>>
>>>> this is not the ideal setup, I don't have any control over this. At
>>>> the same time I see that using mod_proxy, by way of ProxyPass, means
>>>> that the Tomcat server does not know what hostname was used to access
>>>> the Apache server, instead getting http://localhost:8080/ . Is there
>>>> any way, probably via configuration of Apache, that this could be
>>>> passed to the Tomcat? I looked for information on this, but I could
>>>> not find any.
>>>
>>> Instead of mod_proxy_http, I use mod_proxy_ajp. AJP passes the client's
>>> IP through.
>>
>> On 20.05.2009 16:59, Caldarale, Charles R wrote:
>>> Aren't the X-Forwarded-For and X-Forwarded-Host headers being set by
>> mod_proxy? The doc indicates they should be:
>>> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
>>
>> .. and finally there's ProxyPreserveHost.
>
> That's one option I missed.
>
> Is there any way to know whether Apache was contacted using HTTPS or
> HTTP, on the Tomcat side?
I didn't test it, but what should work:
mod_ssl automatically sets an internal httpd nvironment variable named
"HTTPS" to "on" when the connection is doing https. mod_rewrite knows
this variable as a builtin (look for HTTPS on
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html), but any other
module, that can use data rom environment variables can also use it.
E.g. mod_headers has a syntax, where you set request headers depending
on an env var being set or not. So you can try to use mod_headers to add
a private request header (like: X-MYAPP-HTTPS: yes) to the request,
depending on the env var HTTPS being set. You backend can then check for
the existence of the header.
CAUTION: You can compromise your security with such a header. If your
users find out, what the header is, they can send it with the original
request and claim it to be HTTPS. To make it bullet proof, you would
first have to remove it (and all equivalent headers).
I didn't check, whether mod_ssl sets the variable earl enough for
mod_request to detect it and mod_proxy to alrady find the new header
before forwarding, but I think that's reasonable.
Have fun,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: mod_proxy, Tomcat and request URL
Posted by Andre-John Mas <aj...@sympatico.ca>.
On 21-May-2009, at 12:32, Rainer Jung wrote:
> On 20.05.2009 17:33, Markus Schönhaber wrote:
>> Andre-John Mas:
>>
>>> this is not the ideal setup, I don't have any control over this. At
>>> the same time I see that using mod_proxy, by way of ProxyPass, means
>>> that the Tomcat server does not know what hostname was used to
>>> access
>>> the Apache server, instead getting http://localhost:8080/ . Is there
>>> any way, probably via configuration of Apache, that this could be
>>> passed to the Tomcat? I looked for information on this, but I could
>>> not find any.
>>
>> Instead of mod_proxy_http, I use mod_proxy_ajp. AJP passes the
>> client's
>> IP through.
>
> On 20.05.2009 16:59, Caldarale, Charles R wrote:
>> Aren't the X-Forwarded-For and X-Forwarded-Host headers being set by
> mod_proxy? The doc indicates they should be:
>> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
>
> .. and finally there's ProxyPreserveHost.
That's one option I missed.
Is there any way to know whether Apache was contacted using HTTPS or
HTTP, on the Tomcat side?
> If yo want to get an idea, which other traps are to avoid when using a
> reverse proxy, you can also look at
>
> http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
I would love to go with AJP, but due to a very conservative customer,
this is not an option we can look at. The other points on the page
with regards to URL rewriting seem of interest, though the idea is
to try to remove assumptions to what name the client is accessing
the host by. The reason is so when we move from dev to integration
to production, this is one less thing to keep track of.
André-John
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: mod_proxy, Tomcat and request URL
Posted by Rainer Jung <ra...@kippdata.de>.
On 20.05.2009 17:33, Markus Schönhaber wrote:
> Andre-John Mas:
>
>> this is not the ideal setup, I don't have any control over this. At
>> the same time I see that using mod_proxy, by way of ProxyPass, means
>> that the Tomcat server does not know what hostname was used to access
>> the Apache server, instead getting http://localhost:8080/ . Is there
>> any way, probably via configuration of Apache, that this could be
>> passed to the Tomcat? I looked for information on this, but I could
>> not find any.
>
> Instead of mod_proxy_http, I use mod_proxy_ajp. AJP passes the client's
> IP through.
On 20.05.2009 16:59, Caldarale, Charles R wrote:
> Aren't the X-Forwarded-For and X-Forwarded-Host headers being set by
mod_proxy? The doc indicates they should be:
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
.. and finally there's ProxyPreserveHost.
If yo want to get an idea, which other traps are to avoid when using a
reverse proxy, you can also look at
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: mod_proxy, Tomcat and request URL
Posted by Markus Schönhaber <to...@list-post.mks-mail.de>.
Andre-John Mas:
> this is not the ideal setup, I don't have any control over this. At
> the same time I see that using mod_proxy, by way of ProxyPass, means
> that the Tomcat server does not know what hostname was used to access
> the Apache server, instead getting http://localhost:8080/ . Is there
> any way, probably via configuration of Apache, that this could be
> passed to the Tomcat? I looked for information on this, but I could
> not find any.
Instead of mod_proxy_http, I use mod_proxy_ajp. AJP passes the client's
IP through.
--
Regards
mks
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: mod_proxy, Tomcat and request URL
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Andre-John Mas [mailto:ajmas@sympatico.ca]
> Subject: mod_proxy, Tomcat and request URL
>
> At the same time I see that using mod_proxy, by way of ProxyPass,
> means that the Tomcat server does not know what hostname was used
> to access the Apache server, instead getting http://localhost:8080/
Aren't the X-Forwarded-For and X-Forwarded-Host headers being set by mod_proxy? The doc indicates they should be:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org