Posted to users@tomcat.apache.org by "mark.loper@cyrenllc.com" <ma...@cyrenllc.com> on 2016/02/24 14:44:16 UTC

HTTP CONNECT method not being accepted by Tomcat 7

Hi,  I have written a PKI proxy servlet to support a tool that needs access to my customer’s secured web site, but the application does not support client certificate security.  The Servlet works great when called from a browser, where the proxy uses a B2B certificate for access and forwards the response to the browser as expected.  That seemed like a good prototype, however, when I went to test against the tool I found that it was not making a GET request, but rather a CONNECT request.  I extended my code to accept the CONNECT, however the request never seems to get past the front door Tomcat.  None of my code is ever called, so I have to assume that I have a setting wrong in Tomcat.

Everything I can find online discusses how you shouldn’t have a Tunneling proxy in your infrastructure, but this is all in a secured environment, not on the internet, so this is not an issue and has been approved.  Is there something I’m missing?  

Thank You,
Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: HTTP CONNECT method not being accepted by Tomcat 7

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 2/24/16 5:42 PM, André Warnier (tomcat) wrote:
> On 24.02.2016 23:30, André Warnier (tomcat) wrote:
>> On 24.02.2016 22:39, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 2/24/16 8:44 AM, mark.loper@cyrenllc.com wrote:
>>>> Hi,  I have written a PKI proxy servlet to support a tool that needs
>>>> access to my customer’s secured web site, but the application does
>>>> not support client certificate security.  The Servlet works great
>>>> when called from a browser, where the proxy uses a B2B certificate
>>>> for access and forwards the response to the browser as expected.
>>>> That seemed like a good prototype, however, when I went to test
>>>> against the tool I found that it was not making a GET request, but
>>>> rather a CONNECT request.  I extended my code to accept the CONNECT,
>>>> however the request never seems to get past the front door Tomcat.
>>>> None of my code is ever called, so I have to assume that I have a
>>>> setting wrong in Tomcat.
>>>>
>>>> Everything I can find online discusses how you shouldn’t have a
>>>> Tunneling proxy in your infrastructure, but this is all in a secured
>>>> environment, not on the internet, so this is not an issue and has
>>>> been approved.  Is there something I’m missing?
>>>
>>> Technically, CONNECT is not a tunnelling protocol, since it uses a
>>> plaintext HTTP request to negotiate with the server and then just sends
>>> a binary blob through as the payload (e.g. a TLS connection can be sent
>>> from a proxy to an origin server so that it includes all of the
>>> certificate information, etc.). The CONNECT protocol basically only adds
>>> the overhead of another (non-TLS) HTTP header to the conversation.
>>>
>>> Anyway, it looks like this is what you are looking for:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
>>>
>>> Right?
>>>
>>> -chris
>>>
>>
>> Chris,
>> just a naive question (after reading the bz thread that you mention
>> above, but not really
>> up-to-date with the details of the CONNECT protocol) :
>>
>> Could not the setup of an Apache httpd server as front-end proxy to
>> Tomcat be a solution
>> for the OP ?
>> Presumably, this front-end would interpret the CONNECT request and
>> make a connection to
>> Tomcat, and then pass the rest of the request (which presumably is the
>> GET) to Tomcat.
>> No ?
>>
> 
> Added reference :
> http://httpd.apache.org/docs/current/mod/mod_proxy_connect.html

So, mod_proxy_connect currently only does *forward* proxying (like, to
allow a client to go through a corporate firewall to get to the outside
Internet).

My confusing comment on the Tomcat bug about Dan Ruggeri having done
some work was about httpd's capabilities to do HTTP CONNECT as a
*reverse* proxy, as we are discussing, now.

Dan did his work and had a sample patch, and I think it was intended to
be a part of mod_proxy_http, but it actually might have gotten into
mod_proxy_connect instead.

I'll have to see if Dan is going to ApacheCon again this year.... he and
I might be able to grab a table and just bang-out the httpd
implementation and then httpd *could* be a conduit for this information.

It would be nice if Tomcat could support this directly, but for my
purposes, httpd supporting it would be enough, since httpd is already
being used in my deployments, and solves all the problems that arise
from using haproxy and similar load-balancers that want to provide
pass-through TLS proxying.

-chris



Re: HTTP CONNECT method not being accepted by Tomcat 7

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 24.02.2016 23:30, André Warnier (tomcat) wrote:
> On 24.02.2016 22:39, Christopher Schultz wrote:
>> Mark,
>>
>> On 2/24/16 8:44 AM, mark.loper@cyrenllc.com wrote:
>>> Hi,  I have written a PKI proxy servlet to support a tool that needs
>>> access to my customer’s secured web site, but the application does
>>> not support client certificate security.  The Servlet works great
>>> when called from a browser, where the proxy uses a B2B certificate
>>> for access and forwards the response to the browser as expected.
>>> That seemed like a good prototype, however, when I went to test
>>> against the tool I found that it was not making a GET request, but
>>> rather a CONNECT request.  I extended my code to accept the CONNECT,
>>> however the request never seems to get past the front door Tomcat.
>>> None of my code is ever called, so I have to assume that I have a
>>> setting wrong in Tomcat.
>>>
>>> Everything I can find online discusses how you shouldn’t have a
>>> Tunneling proxy in your infrastructure, but this is all in a secured
>>> environment, not on the internet, so this is not an issue and has
>>> been approved.  Is there something I’m missing?
>>
>> Technically, CONNECT is not a tunnelling protocol, since it uses a
>> plaintext HTTP request to negotiate with the server and then just sends
>> a binary blob through as the payload (e.g. a TLS connection can be sent
>> from a proxy to an origin server so that it includes all of the
>> certificate information, etc.). The CONNECT protocol basically only adds
>> the overhead of another (non-TLS) HTTP header to the conversation.
>>
>> Anyway, it looks like this is what you are looking for:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
>>
>> Right?
>>
>> -chris
>>
>
> Chris,
> just a naive question (after reading the bz thread that you mention above, but not really
> up-to-date with the details of the CONNECT protocol) :
>
> Could not the setup of an Apache httpd server as front-end proxy to Tomcat be a solution
> for the OP ?
> Presumably, this front-end would interpret the CONNECT request and make a connection to
> Tomcat, and then pass the rest of the request (which presumably is the GET) to Tomcat.
> No ?
>

Added reference :
http://httpd.apache.org/docs/current/mod/mod_proxy_connect.html



Re: HTTP CONNECT method not being accepted by Tomcat 7

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 24.02.2016 22:39, Christopher Schultz wrote:
> Mark,
>
> On 2/24/16 8:44 AM, mark.loper@cyrenllc.com wrote:
>> Hi,  I have written a PKI proxy servlet to support a tool that needs
>> access to my customer’s secured web site, but the application does
>> not support client certificate security.  The Servlet works great
>> when called from a browser, where the proxy uses a B2B certificate
>> for access and forwards the response to the browser as expected.
>> That seemed like a good prototype, however, when I went to test
>> against the tool I found that it was not making a GET request, but
>> rather a CONNECT request.  I extended my code to accept the CONNECT,
>> however the request never seems to get past the front door Tomcat.
>> None of my code is ever called, so I have to assume that I have a
>> setting wrong in Tomcat.
>>
>> Everything I can find online discusses how you shouldn’t have a
>> Tunneling proxy in your infrastructure, but this is all in a secured
>> environment, not on the internet, so this is not an issue and has
>> been approved.  Is there something I’m missing?
>
> Technically, CONNECT is not a tunnelling protocol, since it uses a
> plaintext HTTP request to negotiate with the server and then just sends
> a binary blob through as the payload (e.g. a TLS connection can be sent
> from a proxy to an origin server so that it includes all of the
> certificate information, etc.). The CONNECT protocol basically only adds
> the overhead of another (non-TLS) HTTP header to the conversation.
>
> Anyway, it looks like this is what you are looking for:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
>
> Right?
>
> -chris
>

Chris,
just a naive question (after reading the bz thread that you mention above, but not really 
up-to-date with the details of the CONNECT protocol) :

Could not the setup of an Apache httpd server as front-end proxy to Tomcat be a solution 
for the OP ?
Presumably, this front-end would interpret the CONNECT request and make a connection to 
Tomcat, and then pass the rest of the request (which presumably is the GET) to Tomcat.
No ?



Re: HTTP CONNECT method not being accepted by Tomcat 7

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 2/24/16 8:44 AM, mark.loper@cyrenllc.com wrote:
> Hi,  I have written a PKI proxy servlet to support a tool that needs
> access to my customer’s secured web site, but the application does
> not support client certificate security.  The Servlet works great
> when called from a browser, where the proxy uses a B2B certificate
> for access and forwards the response to the browser as expected.
> That seemed like a good prototype, however, when I went to test
> against the tool I found that it was not making a GET request, but
> rather a CONNECT request.  I extended my code to accept the CONNECT,
> however the request never seems to get past the front door Tomcat.
> None of my code is ever called, so I have to assume that I have a
> setting wrong in Tomcat.
> 
> Everything I can find online discusses how you shouldn’t have a
> Tunneling proxy in your infrastructure, but this is all in a secured
> environment, not on the internet, so this is not an issue and has
> been approved.  Is there something I’m missing?

Technically, CONNECT is not a tunnelling protocol, since it uses a
plaintext HTTP request to negotiate with the server and then just sends
a binary blob through as the payload (e.g. a TLS connection can be sent
from a proxy to an origin server so that it includes all of the
certificate information, etc.). The CONNECT protocol basically only adds
the overhead of another (non-TLS) HTTP header to the conversation.

Anyway, it looks like this is what you are looking for:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

Right?

-chris
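The exchange Chris describes (a plaintext HTTP request to negotiate, then an opaque payload the proxy never parses), as an added example that is not code from this thread, Tomcat or httpd: a small Python model of the proxy side of CONNECT. The host name, the Host-header check and the fake ClientHello bytes are constructed for illustration.

```python
"""Model of the proxy side of an HTTP CONNECT handshake (added example)."""
import re
from typing import Tuple

# CONNECT uses the authority-form request-target "host:port"; anything else
# (an origin-form path, a full URL) is not a valid CONNECT and is rejected.
_AUTHORITY = re.compile(r"^([A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5})$")

# Constructed sample: a CONNECT head followed by the first bytes of a TLS
# record (0x16 0x03 0x01 = handshake, TLS 1.0 record version) as tunnel payload.
SAMPLE_CONNECT = (b"CONNECT internal.example:443 HTTP/1.1\r\n"
                  b"Host: internal.example:443\r\n\r\n"
                  b"\x16\x03\x01\x00\x05hello")


def parse_connect_request(raw: bytes) -> Tuple[str, int]:
    """Parse the plaintext CONNECT head and return (host, port).

    Raises ValueError for anything that is not a well-formed CONNECT, so the
    proxy can answer 400 before opening any upstream socket."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or parts[2] not in ("HTTP/1.1", "HTTP/1.0"):
        raise ValueError("not a CONNECT request line: %r" % lines[0])
    m = _AUTHORITY.match(parts[1])
    if not m:
        raise ValueError("request-target must be host:port, got %r" % parts[1])
    host, port = m.group(1), int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # HTTP/1.1 requires Host, and for CONNECT it must repeat the request-target.
    if parts[2] == "HTTP/1.1" and headers.get("host", "").lower() != parts[1].lower():
        raise ValueError("Host header missing or does not match request-target")
    return host, port


def connect_established() -> bytes:
    """The one plaintext response; after it the connection is a raw byte pipe."""
    return b"HTTP/1.1 200 Connection Established\r\n\r\n"


def split_tunnel_payload(raw: bytes) -> bytes:
    """Bytes after the CONNECT head (here a TLS ClientHello) belong to the tunnel:
    the proxy forwards them untouched and never interprets them as HTTP."""
    return raw.partition(b"\r\n\r\n")[2]


if __name__ == "__main__":
    print(parse_connect_request(SAMPLE_CONNECT), split_tunnel_payload(SAMPLE_CONNECT)[:3])
```

Because the payload is forwarded opaquely, the TLS handshake, including any client certificate, runs end to end between the tool and the origin; this is why the servlet code in the original post is never reached when the container does not route CONNECT.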
