Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/09/12 09:50:04 UTC

[Bug 55553] New: Proposal: Allow org.apache.catalina.valves.RemoteIpValve to set requests as secure with a transparent SSL termination proxy

https://issues.apache.org/bugzilla/show_bug.cgi?id=55553

            Bug ID: 55553
           Summary: Proposal: Allow
                    org.apache.catalina.valves.RemoteIpValve to set
                    requests as secure with a transparent SSL termination
                    proxy
           Product: Tomcat 7
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: knut@ytterhaug.com

Created attachment 30822
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=30822&action=edit
Patch for RemoteIpValve.java

I've created a patch for org.apache.catalina.valves.RemoteIpValve which will
allow configuring the Valve to set requests as secure based on the
protocolHeader and protocolHeaderHttpsValue when RemoteAddr is the actual IP
for the client and not a known Proxy.

This is useful when having a transparent SSL termination proxy which is only
setting an x-forwarded-proto header and is not changing RemoteAddr or adding an
x-forwarded-for header.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org



--- Comment #5 from Mark Thomas <ma...@apache.org> ---
(In reply to Knut Ytterhaug from comment #4)
> Thanks for the quick answers. Unfortunately (for us) we're unable to
> configure using different connectors depending on if it's been processed or
> not.
>
> Would a patch adding a boolean property making the valve process headers
> when no trusted proxy had been configured be considered?

Unlikely.

As an aside, any changes to the Valve need to be mirrored to the Filter.

The users list is the best place to figure out a solution that works for you.
I'd be surprised if one wasn't available with existing configuration. Saying
which proxy you are using would help.




Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Then the solution is to configure two http connectors on separate ports: one
for direct http traffic and one for http traffic that has been processed by the
transparent proxy.

If you want the http and https requests to share a common thread pool then an
executor can be configured.

The proposed patch would result in the valve processing headers when no
trusted proxy had been configured and I am concerned that some users may be
caught out by this and end up with an insecure configuration - even if this
behavior is documented.

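The two-connector layout from comment #3, with the secure attribute from comment #1, written out as an added server.xml fragment; this is an example added here, not part of the bug report, the attached patch, or the Tomcat project's own documentation. Port numbers, the executor name, thread counts and the proxy address are assumed values.

```xml
<!-- Added example (not from the bug report): one Service with two HTTP
     connectors. Ports, executor name, thread counts and the proxy address
     are assumed values. -->
<Service name="Catalina">

  <!-- One executor so both connectors share a single thread pool -->
  <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
            maxThreads="200" minSpareThreads="10"/>

  <!-- Connector 1: plain HTTP that clients reach directly.
       No forwarded header is trusted here; request.isSecure() is false. -->
  <Connector port="8080" protocol="HTTP/1.1"
             executor="tomcatThreadPool"
             connectionTimeout="20000"
             redirectPort="8443"/>

  <!-- Connector 2: plain HTTP, but only the transparent TLS-terminating
       proxy forwards to this port (restrict reachability of the port at the
       network layer; the header is not what decides security).
       secure="true" makes request.isSecure() return true and scheme="https"
       makes request.getScheme() return "https" for every request on this
       port, with no header parsing involved. -->
  <Connector port="8081" protocol="HTTP/1.1"
             executor="tomcatThreadPool"
             connectionTimeout="20000"
             scheme="https" secure="true"
             proxyPort="443"/>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <!-- RemoteIpValve is only useful when the proxy's own address is what
           Tomcat sees as the remote address. It honours X-Forwarded-Proto
           solely for requests arriving from an address matching
           internalProxies (or trustedProxies); for a request that arrives
           directly from a client it leaves isSecure() alone. Widening
           internalProxies to match every address reproduces the risk raised
           in comment #3: any client could then send X-Forwarded-Proto: https
           and have the request treated as secure. The address below is an
           assumed example. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="10\.0\.0\.5"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"/>
    </Host>
  </Engine>
</Service>
```

The valve element is included to contrast the two mechanisms: the connector-level attributes apply to everything on that port and need no trust decision per request, whereas the valve (and, as comment #5 notes, its counterpart org.apache.catalina.filters.RemoteIpFilter for deployments that use the filter) only acts when the request's source address is one it has been told to trust.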



Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
In that case why can't you just set secure on the connector?




--- Comment #2 from Knut Ytterhaug <kn...@ytterhaug.com> ---
We need our tomcats to be able to serve the same content both on http and https
and would like our applications to be able to use request.isSecure() to handle
redirects etc. accordingly.




--- Comment #4 from Knut Ytterhaug <kn...@ytterhaug.com> ---
Thanks for the quick answers. Unfortunately (for us) we're unable to configure
using different connectors depending on if it's been processed or not.

Would a patch adding a boolean property making the valve process headers when
no trusted proxy had been configured be considered?
