Posted to user@ofbiz.apache.org by Scott Gray <sc...@hotwaxmedia.com> on 2010/03/04 19:00:50 UTC

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

On 4/03/2010, at 10:50 AM, Brett Palmer wrote:

> We use Apache web servers to communicate with our OFBiz servers using a
> combination of mod_jk and mod_proxy.  For our mod_proxy configuration, we
> forward secure requests (https) from Apache to a non-secure port (8080) on
> Tomcat/OFBiz.
> 


Hi Brett

Why do you transfer from https to http?  If you stopped doing that wouldn't all your problems go away?

Regards
Scott

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

Posted by Brett Palmer <br...@gmail.com>.
Thanks, that was a helpful link.

We are still trying to determine which performs better, mod_jk or mod_proxy.
We thought we found some bottlenecks under heavy loads with mod_jk but we
never confirmed that.  I'll update the group on our findings as we discover
them.



Brett

On Thu, Mar 4, 2010 at 1:35 PM, Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:

> Also you might be interested in mod_proxy_ajp, a simple setting here
>
> http://cwiki.apache.org/confluence/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD
>
> Jacques
>
> From: "Adrian Crum" <ad...@hlmksw.com>
>
>  Scott Gray wrote:
>>
>>> I don't have a recommendation as such, it was just a thought to get you
>>> to the quickest possible solution.
>>>
>>> The options as I see it are:
>>> 1. Switch back to using https
>>> 2. Submit patches so that these warnings/errors aren't logged for every
>>> request, perhaps just at startup or perhaps have another configuration to
>>> disable the warnings
>>>
>>> It wasn't clear to me how you are ensuring the same level of security
>>> that OFBiz provides OOTB but I would recommend that maintaining it should be
>>> your highest priority.
>>>
>>
>> I agree with this. Don't assume the network behind the firewall is safe.
>> Enable security wherever and whenever possible.
>>
>>
>
>

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

Posted by Jacques Le Roux <ja...@les7arts.com>.
Also you might be interested in mod_proxy_ajp, a simple setting here
http://cwiki.apache.org/confluence/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD

Jacques

From: "Adrian Crum" <ad...@hlmksw.com>
> Scott Gray wrote:
>> I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.
>>
>> The options as I see it are:
>> 1. Switch back to using https
>> 2. Submit patches so that these warnings/errors aren't logged for every request, perhaps just at startup or perhaps have another
>> configuration to disable the warnings
>>
>> It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB but I would recommend that 
>> maintaining it should be your highest priority.
>
> I agree with this. Don't assume the network behind the firewall is safe. Enable security wherever and whenever possible.
> 



Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

Posted by Adrian Crum <ad...@hlmksw.com>.
Scott Gray wrote:
> I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.
> 
> The options as I see it are:
> 1. Switch back to using https
> 2. Submit patches so that these warnings/errors aren't logged for every request, perhaps just at startup or perhaps have another configuration to disable the warnings
> 
> It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB but I would recommend that maintaining it should be your highest priority.

I agree with this. Don't assume the network behind the firewall is safe. 
Enable security wherever and whenever possible.

Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

Posted by Scott Gray <sc...@hotwaxmedia.com>.
I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.

The options as I see it are:
1. Switch back to using https
2. Submit patches so that these warnings/errors aren't logged for every request, perhaps just at startup or perhaps have another configuration to disable the warnings

It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB but I would recommend that maintaining it should be your highest priority.

Regards
Scott

On 4/03/2010, at 11:21 AM, Brett Palmer wrote:

> Scott,
> 
> We don't really have a good reason for turning it off.  Here were some of
> the reasons:
> 
> - The initial thought was secure connections between web and application
> servers was not necessary as these are behind the firewall.
> - We also thought we might be improving performance by not encrypting
> requests between servers, but we never verified these benefits.
> - We also use mod_jk and it communicates insecurely using its own AJP
> protocol.
> 
> Is your recommendation to turn on security and have mod_proxy communicate
> directly to port 8443?
> 
> 
> Brett
> 
> 
> 
> On Thu, Mar 4, 2010 at 11:00 AM, Scott Gray <sc...@hotwaxmedia.com> wrote:
> 
>> On 4/03/2010, at 10:50 AM, Brett Palmer wrote:
>> 
>>> We use Apache web servers to communicate with our OFBiz servers using a
>>> combination of mod_jk and mod_proxy.  For our mod_proxy configuration, we
>>> forward secure requests (https) from Apache to a non-secure port (8080)
>> on
>>> Tomcat/OFBiz.
>>> 
>> 
>> 
>> Hi Brett
>> 
>> Why do you transfer from https to http?  If you stopped doing that wouldn't
>> all your problems go away?
>> 
>> Regards
>> Scott


Re: Avoiding the "Got a insecure (non-https) form POST" warning when running non-secure between Apache and Tomcat

Posted by Brett Palmer <br...@gmail.com>.
Scott,

We don't really have a good reason for turning it off.  Here were some of
the reasons:

- The initial thought was secure connections between web and application
servers was not necessary as these are behind the firewall.
- We also thought we might be improving performance by not encrypting
requests between servers, but we never verified these benefits.
- We also use mod_jk and it communicates insecurely using its own AJP
protocol.

Is your recommendation to turn on security and have mod_proxy communicate
directly to port 8443?


Brett



On Thu, Mar 4, 2010 at 11:00 AM, Scott Gray <sc...@hotwaxmedia.com> wrote:

> On 4/03/2010, at 10:50 AM, Brett Palmer wrote:
>
> > We use Apache web servers to communicate with our OFBiz servers using a
> > combination of mod_jk and mod_proxy.  For our mod_proxy configuration, we
> > forward secure requests (https) from Apache to a non-secure port (8080)
> on
> > Tomcat/OFBiz.
> >
>
>
> Hi Brett
>
> Why do you transfer from https to http?  If you stopped doing that wouldn't
> all your problems go away?
>
> Regards
> Scott
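The three Apache httpd reverse-proxy configurations this thread weighs, side by side, as an added example that is not from the thread or from the OFBiz project. The first vhost is the setup Brett describes (TLS terminated at Apache, plain HTTP to port 8080) and is what makes OFBiz log the insecure form POST warning, because Tomcat sees an http request for a page OFBiz requires https for. The second is Scott's option 1, keeping https through to OFBiz's own TLS connector; the third is the mod_proxy_ajp route Jacques points to, answering Brett's question about whether mod_proxy should talk to 8443. The host names, IP, certificate paths and CA file are assumptions; the ports follow OFBiz's defaults as I recall them (8080 HTTP, 8443 HTTPS, 8009 AJP) and should be checked against your own OFBiz container configuration. Use one of the three vhost definitions, not all three at once.

```apache
# Added example, not OFBiz or thread configuration.  Requires mod_ssl,
# mod_proxy and mod_proxy_http; the third variant also needs mod_proxy_ajp.
# shop.example.com, ofbiz.internal, the certificate paths and the CA file
# are placeholders.

# 1. What Brett described: TLS ends at Apache, the hop to Tomcat is plain
#    HTTP.  Tomcat sees scheme "http", so every POST to a page OFBiz marks
#    as secure is logged as an insecure form POST, and the traffic between
#    the two servers (session cookies, form data) crosses the network in
#    the clear.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key

    ProxyPreserveHost On
    ProxyPass        / http://ofbiz.internal:8080/
    ProxyPassReverse / http://ofbiz.internal:8080/
</VirtualHost>

# 2. Scott's option 1: stay on https all the way to OFBiz's TLS connector.
#    SSLProxyEngine enables TLS for the outbound proxy connection;
#    SSLProxyVerify makes Apache check the backend certificate against the
#    CA file, so the proxy cannot be pointed at an impostor backend.  For a
#    self-signed backend certificate, put that certificate itself in the
#    CA file.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt

    ProxyPreserveHost On
    ProxyPass        / https://ofbiz.internal:8443/
    ProxyPassReverse / https://ofbiz.internal:8443/
</VirtualHost>

# 3. Jacques's suggestion: mod_proxy_ajp.  AJP forwards the front-end
#    scheme, host and SSL attributes, so Tomcat reports the request as
#    secure and OFBiz does not log the warning.  The AJP stream itself is
#    not encrypted (Brett's point about mod_jk applies here too), so keep
#    the connector on the loopback interface or on a link you already
#    trust, and bind Tomcat's AJP connector to that address only.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shop.example.com.key

    ProxyPreserveHost On
    ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>
```

To confirm a change took effect, submit a form on a page OFBiz requires https for and check that the warning no longer appears in the OFBiz log. For the second variant, `openssl s_client -connect ofbiz.internal:8443` run from the Apache host shows which certificate the backend presents and whether it chains to the file named in SSLProxyCACertificateFile; leaving SSLProxyVerify off would still encrypt the hop but would accept any certificate, which protects against passive sniffing only. Neither the second nor the third variant removes the need for Adrian's point about the network behind the firewall: the second encrypts the hop, the third only stops the warning.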