Posted to users@tomcat.apache.org by ka...@xs4all.nl on 2005/06/22 15:14:14 UTC
Force HTTPS scheme on redirects
Hi all,
I have a vendor-supplied application here that is bundled with Microsoft
IIS 5 and Tomcat version 4.1.29. Our hosting infrastructure employs proxy
servers and external SSL acceleration hardware in front of the Tomcat
server and needs to pass scheme and secure information back to our
clients. To do this I have specified the following in server.xml:
<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8009" minProcessors="5" maxProcessors="75"
enableLookups="true" redirectPort="8443"
acceptCount="10" debug="0" connectionTimeout="20000"
useURIValidationHack="false"
proxyPort="443" scheme="https" secure="true" proxyName="my.com"
protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
Unfortunately, Tomcat seems to ignore these settings upon redirects.
Tracing the response of the server shows that the protocol http is passed
back to clients instead of https (other settings like proxyPort and
proxyName are passed back correctly):
No. Time Source Destination Protocol Info
172 4.476556 10.124.83.148 10.124.83.140 HTTP
HTTP/1.1 302 Moved Temporarily
Frame 172 (544 bytes on wire, 544 bytes captured)
Arrival Time: Jun 22, 2005 15:03:49.804862000
Time delta from previous packet: 0.288105000 seconds
Time since reference or first frame: 4.476556000 seconds
Frame Number: 172
Packet Length: 544 bytes
Capture Length: 544 bytes
Ethernet II, Src: 00:08:02:a1:b0:6b, Dst: 00:08:02:f0:94:01
Destination: 00:08:02:f0:94:01 (CompaqCo_f0:94:01)
Source: 00:08:02:a1:b0:6b (CompaqCo_a1:b0:6b)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.124.83.148 (10.124.83.148), Dst Addr:
10.124.83.140 (10.124.83.140)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 530
Identification: 0x2e08 (11784)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x0ec6 (correct)
Source: 10.124.83.148 (10.124.83.148)
Destination: 10.124.83.140 (10.124.83.140)
Transmission Control Protocol, Src Port: http (80), Dst Port: 4184 (4184),
Seq: 90, Ack: 931, Len: 490
Source port: http (80)
Destination port: 4184 (4184)
Sequence number: 90 (relative sequence number)
Next sequence number: 580 (relative sequence number)
Acknowledgement number: 931 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 16590
Checksum: 0x69aa (correct)
Hypertext Transfer Protocol
HTTP/1.1 302 Moved Temporarily\r\n
Response Code: 302
Server: Microsoft-IIS/5.0\r\n
Date: Wed, 22 Jun 2005 13:03:49 GMT\r\n
pragma: no-cache\r\n
Cache-Control: no-store\r\n
Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n
Set-Cookie: remember=false; Expires=Fri, 22-Jul-2005 13:03:50 GMT\r\n
Set-Cookie: loginuser=; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n
Set-Cookie: loginpass=; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n
Location: http://my.com:443/oaa/appmenu.jsp\r\n
Content-Type: text/html;charset=UTF-8\r\n
Content-Length: 0\r\n
\r\n
I have found a similar bug in the Bugzilla database
(http://issues.apache.org/bugzilla/show_bug.cgi?id=17656) for version
4.1.18 which is resolved. However, a user states in the bug report that
the bug is still present in version 4.1.24. I wonder if it has been really
fixed or I still have this bug in version 4.1.29.
Zsolt
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
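As an added example (editor's code, not part of the thread and not Tomcat's own), here is a small Python check that parses a raw HTTP response such as the 302 captured above and reports a Location header whose scheme, host or port disagree with the externally visible origin that the connector's scheme, proxyName and proxyPort attributes are meant to advertise. The captured response is transcribed from the post; the "expected" response is an assumption of what the redirect should look like once the connector settings are honoured. The capture also shows the login cookies being set without the Secure attribute, so the check flags that as well, since a cookie without Secure will follow the browser onto the plaintext connection that an http:// Location invites.

```python
"""Check redirect Location headers from a server behind a TLS terminator.

A Location of http://my.com:443/... sends the browser to open a plaintext
HTTP connection to the TLS port: the request fails at best, and at worst
any cookie not marked Secure is transmitted in clear text first.
"""
from urllib.parse import urlsplit

# Constructed sample: the 302 from the packet capture in the post, trimmed
# to the headers that matter for the check.
CAPTURED_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Wed, 22 Jun 2005 13:03:49 GMT\r\n"
    "Set-Cookie: remember=false; Expires=Fri, 22-Jul-2005 13:03:50 GMT\r\n"
    "Set-Cookie: loginuser=; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n"
    "Location: http://my.com:443/oaa/appmenu.jsp\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample (assumption): the same redirect as it should look when
# scheme="https" proxyName="my.com" proxyPort="443" are honoured and the
# cookie carries the Secure attribute.
EXPECTED_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Set-Cookie: remember=false; Expires=Fri, 22-Jul-2005 13:03:50 GMT; Secure\r\n"
    "Location: https://my.com/oaa/appmenu.jsp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, [(name, value), ...]).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_redirect(raw, proxy_name="my.com", proxy_port=443, scheme="https"):
    """Return a list of findings for a redirect response.

    An empty list means the Location header matches the external origin
    (scheme://proxy_name:proxy_port) and every cookie is marked Secure when
    that origin is https. Defaults mirror the connector attributes in the post.
    """
    status, headers = parse_response(raw)
    findings = []
    if status not in (301, 302, 303, 307, 308):
        return findings  # not a redirect, nothing to check

    location = next((v for k, v in headers if k == "location"), None)
    if location is None:
        return ["redirect without a Location header"]

    url = urlsplit(location)
    port = url.port or (443 if url.scheme == "https" else 80)
    if url.scheme != scheme:
        findings.append(
            f"Location scheme is {url.scheme!r}, expected {scheme!r}: {location}"
        )
    if url.hostname != proxy_name:
        findings.append(
            f"Location host is {url.hostname!r}, expected {proxy_name!r}: {location}"
        )
    if port != proxy_port:
        findings.append(f"Location port is {port}, expected {proxy_port}: {location}")

    if scheme == "https":
        for name, value in headers:
            if name != "set-cookie":
                continue
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(
                    f"cookie set without Secure attribute: {value.split(';')[0]}"
                )
    return findings


if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED_302), ("expected", EXPECTED_302)):
        print(label, check_redirect(raw) or ["ok"])
```

Run it against responses captured with a sniffer or `curl -sI` through the proxy; any non-empty finding list means the redirect is not safe to hand to a browser on a TLS-only site.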
Re: Force HTTPS scheme on redirects
Posted by Zsolt Kadar <ka...@xs4all.nl>.
On Wed, 22 Jun 2005 15:14:14 +0200 (CEST), kadzsol@xs4all.nl wrote:
I answer myself:
Yes, version 4.1.29 still contains the bug. An upgrade to version
4.1.31 solves the problem.
Thanks for reading.
Zsolt