Posted to users@tomcat.apache.org by ka...@xs4all.nl on 2005/06/22 15:14:14 UTC

Force HTTPS scheme on redirects

Hi all,

I have a vendor-supplied application here that is bundled with Microsoft
IIS 5 and Tomcat version 4.1.29. Our hosting infrastructure employs proxy
servers and external SSL acceleration hardware in front of the Tomcat
server and needs to pass scheme and secure information back to our
clients. To do this I have specified the following in server.xml:

<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009.
     proxyName, proxyPort, scheme and secure describe the endpoint the SSL
     accelerator presents to clients; they feed request.getServerName(),
     getServerPort(), getScheme() and isSecure(), and are what Tomcat should
     use when it turns a relative redirect into an absolute Location URL. -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
  port="8009" minProcessors="5" maxProcessors="75"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0" connectionTimeout="20000"
  useURIValidationHack="false"
  proxyPort="443" scheme="https" secure="true" proxyName="my.com"
  protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>

Unfortunately, Tomcat seems to ignore these settings upon redirects.
Tracing the response of the server shows that the protocol http is passed
back to clients instead of https (other settings like proxyPort and
proxyName are passed back correctly):

No.     Time        Source                Destination           Protocol Info
    172 4.476556    10.124.83.148         10.124.83.140         HTTP     HTTP/1.1 302 Moved Temporarily

Frame 172 (544 bytes on wire, 544 bytes captured)
    Arrival Time: Jun 22, 2005 15:03:49.804862000
    Time delta from previous packet: 0.288105000 seconds
    Time since reference or first frame: 4.476556000 seconds
    Frame Number: 172
    Packet Length: 544 bytes
    Capture Length: 544 bytes
Ethernet II, Src: 00:08:02:a1:b0:6b, Dst: 00:08:02:f0:94:01
    Destination: 00:08:02:f0:94:01 (CompaqCo_f0:94:01)
    Source: 00:08:02:a1:b0:6b (CompaqCo_a1:b0:6b)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.124.83.148 (10.124.83.148), Dst Addr: 10.124.83.140 (10.124.83.140)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 530
    Identification: 0x2e08 (11784)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x0ec6 (correct)
    Source: 10.124.83.148 (10.124.83.148)
    Destination: 10.124.83.140 (10.124.83.140)
Transmission Control Protocol, Src Port: http (80), Dst Port: 4184 (4184), Seq: 90, Ack: 931, Len: 490
    Source port: http (80)
    Destination port: 4184 (4184)
    Sequence number: 90    (relative sequence number)
    Next sequence number: 580    (relative sequence number)
    Acknowledgement number: 931    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16590
    Checksum: 0x69aa (correct)
Hypertext Transfer Protocol
    HTTP/1.1 302 Moved Temporarily\r\n
        Response Code: 302
    Server: Microsoft-IIS/5.0\r\n
    Date: Wed, 22 Jun 2005 13:03:49 GMT\r\n
    pragma: no-cache\r\n
    Cache-Control: no-store\r\n
    Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n
    Set-Cookie: remember=false; Expires=Fri, 22-Jul-2005 13:03:50 GMT\r\n
    Set-Cookie: loginuser=; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n
    Set-Cookie: loginpass=; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n
    Location: http://my.com:443/oaa/appmenu.jsp\r\n
    Content-Type: text/html;charset=UTF-8\r\n
    Content-Length: 0\r\n
    \r\n

I have found a similar bug in the Bugzilla database
(http://issues.apache.org/bugzilla/show_bug.cgi?id=17656) for version
4.1.18 which is resolved. However, a user states in the bug report that
the bug is still present in version 4.1.24. I wonder whether it has really
been fixed or whether I still have this bug in version 4.1.29.

Zsolt
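The check a practitioner would want at this point, as an added example that is not code from this thread or from Tomcat: parse a captured response like the one in the trace above and flag every absolute Location whose scheme, host or port differs from what the SSL accelerator presents to clients. The Location in the trace, http://my.com:443/oaa/appmenu.jsp, tells the browser to send plaintext HTTP to port 443; a TLS listener cannot parse that request, so the redirect fails even though host and port are correct. The expected URL is derived the way Tomcat builds an absolute redirect from the connector's scheme, proxyName and proxyPort, leaving the port out when it is the default for the scheme. The connector values and the sample response are taken from the post; the sample is reconstructed (headers only) and the function names are my own.

```python
"""Check that a 3xx response emitted behind a TLS-terminating proxy carries an
https Location.  Added example, not code from the thread or from Tomcat.  The
connector values are the ones from the posted server.xml and the sample response
is reconstructed from the packet trace; function names are my own."""
from urllib.parse import urlsplit

# What the SSL accelerator presents to clients (proxyName/proxyPort/scheme).
PROXY_SCHEME = "https"
PROXY_NAME = "my.com"
PROXY_PORT = 443

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the 302 from the trace, reduced to the headers that matter.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Set-Cookie: remember=false; Expires=Fri, 22-Jul-2005 13:03:50 GMT\r\n"
    "Location: http://my.com:443/oaa/appmenu.jsp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Return (status_code, headers) from the head of a raw HTTP/1.x response.
    Header names are lower-cased; repeated headers are collected in a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def expected_location(path, scheme=PROXY_SCHEME, host=PROXY_NAME, port=PROXY_PORT):
    """Absolute URL a correctly configured connector should emit for `path`:
    the proxy's scheme and host, with the port left out when it is the
    default for that scheme (which is how Tomcat builds absolute redirects)."""
    authority = host if DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def check_redirect(raw, scheme=PROXY_SCHEME, host=PROXY_NAME, port=PROXY_PORT):
    """Return one finding per absolute Location header that does not match the
    scheme/host/port the proxy presents.  Relative Locations are left alone:
    the browser resolves them against the URL it is already on."""
    status, headers = parse_response(raw)
    findings = []
    if not 300 <= status < 400:
        return findings
    for loc in headers.get("location", []):
        parts = urlsplit(loc)
        if not parts.scheme:
            continue
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        want = expected_location(path, scheme, host, port)
        got_port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
        if parts.scheme != scheme:
            findings.append(f"scheme mismatch: got {loc}, expected {want}")
        elif parts.hostname != host or got_port != port:
            findings.append(f"authority mismatch: got {loc}, expected {want}")
    return findings


if __name__ == "__main__":
    for finding in check_redirect(SAMPLE_RESPONSE) or ["redirects look correct"]:
        print(finding)
```

Run it against the captured response and it reports the scheme mismatch and the URL Tomcat should have emitted (https://my.com/oaa/appmenu.jsp); feed it the response after the fix and it reports nothing. The same function can be pointed at any 3xx captured from the accelerator, and it also catches the neighbouring misconfiguration where the scheme is right but the connector still advertises an internal port.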




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Force HTTPS scheme on redirects

Posted by Zsolt Kadar <ka...@xs4all.nl>.
On Wed, 22 Jun 2005 15:14:14 +0200 (CEST), kadzsol@xs4all.nl wrote:

To answer my own question:

Yes, version 4.1.29 still contains the bug. An upgrade to version
4.1.31 solves the problem.

Thanks for reading.

Zsolt



