
I'm a bit out of my depth here and nothing I have found quite addresses my problem. So any and all suggestions are most welcome.

I've got tomcat6 running on CentOS 6.5 hidden behind an apache server (v2.2.15) and I am using Apache's mod_proxy to expose the tomcat webapps, which are running on port 8080. The tomcat hosts one production application and several development applications. On the apache side, both a Drupal site and the aforementioned tomcat production application are on the same domain and, thanks to rewrite rules, all requests to this domain are changed to https. The development sites are reached via subdomains and do not get re-written as https requests.

For the most part, this arrangement works fine. But parts of the tomcat apps are AJAX (calling a Java Struts 1.2 backend). Most of those requests are handled OK. But a few AJAX requests result in redirects (i.e., forward.setRedirect(true)) and that redirect is http (I guess because the container itself is not secure). As a result, I run into cross site scripting issues. I imagine I can use CORS headers to avoid the problem. But that seems like a hack. Is there a relatively painless way I can use to have tomcat send redirects back as https without making tomcat handle ssl directly?

Cris

3 Answers

4

You could configure the RemoteIpValve in Tomcat:

Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

To configure Apache to forward the original protocol in the X-Forwarded-Proto header, add a RequestHeader directive in your Apache config, e.g.:

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"
    ...

Note that in Tomcat 7, there is also a RemoteIpFilter.


1 Comment

Note that both the Valve and the Filter are still available.
1

You don't need to do anything special. It already works. Make sure you set the "redirectPort" in server.xml to Apache's HTTPS port, usually 443, and add the following to your <security-constraint> sections for resources you want secured by HTTPS:

<user-data-constraint>
    <description>HTTPS</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

7 Comments

Well it does work. I've never done anything to configure this in 10+ years other than the above, and of course defining the appropriate resources as requiring SSL in the webapp's web.xml files.
I didn't add any security constraints....I can try that. Is this all I need? <security-constraint> <web-resource-collection> <web-resource-name>SSL</web-resource-name> <url-pattern>*</url-pattern> </web-resource-collection> </security-constraint>
No. Did you just make that up? You need <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint> inside your <security-constraint>.
Actually, tomcat barfed on a * only for the url-pattern, so I used /*. My Connector looks like this: <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />. Still doesn't work for me
OK...did as you suggested and I get an infinite loop of 302s. In your environment are you also using mod-proxy?
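A worked model of the two answers above, added here as an example; it is not code from either answer or from Tomcat or Apache. It shows what RemoteIpValve does with X-Forwarded-Proto once Apache sets it (first answer), why a CONFIDENTIAL transport-guarantee without the valve produces the loop of 302s reported in the comments (second answer), and the trust check a practitioner should care about: the valve honours the protocol header only when the TCP peer matches its internalProxies regex, so a client that can reach port 8080 directly cannot forge "https" and skip the constraint, unless internalProxies is widened to everything. The real configuration is a Valve element in server.xml such as `<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" internalProxies="127\.0\.0\.1" />` plus the RequestHeader directive from the first answer; the Python below is a simplified model of the valve's decision, and the host name, addresses and ports are assumptions chosen for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example (not Tomcat's or Apache's code): a model of how RemoteIpValve
# decides the request scheme, and why a CONFIDENTIAL constraint alone loops
# when Tomcat sits behind a plain-HTTP reverse proxy. Attribute names follow
# the valve; the values below are assumptions for the example.

PROTOCOL_HEADER = "X-Forwarded-Proto"
INTERNAL_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("10.0.0.0/8")]  # assumed: where Apache runs
WIDE_OPEN = [ipaddress.ip_network("0.0.0.0/0")]          # the weak setting
PUBLIC_HOST = "www.example.com"                          # assumed vhost name
HTTPS_PORT = 443   # Apache's TLS port, also the connector's redirectPort
HTTP_PORT = 8080   # Tomcat's plain HTTP connector


def effective_scheme(remote_addr: str, headers: Dict[str, str],
                     internal_proxies=INTERNAL_PROXIES,
                     valve_enabled: bool = True) -> Tuple[str, int]:
    """Scheme and port Tomcat attributes to the client.

    The valve only reads the protocol header when the peer address matches
    internalProxies; otherwise the request stays as the HTTP connector saw it.
    """
    peer = ipaddress.ip_address(remote_addr)
    if valve_enabled and any(peer in net for net in internal_proxies):
        if headers.get(PROTOCOL_HEADER, "").lower() == "https":
            return "https", HTTPS_PORT
    return "http", HTTP_PORT


def absolute_url(scheme: str, port: int, path: str, host: str = PUBLIC_HOST) -> str:
    """Absolute Location a container builds for a relative redirect target."""
    default_port = 443 if scheme == "https" else 80
    authority = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def ajax_redirect(remote_addr: str, headers: Dict[str, str], path: str,
                  valve_enabled: bool = True) -> str:
    """Location sent for sendRedirect(path), e.g. Struts forward.setRedirect(true)."""
    scheme, port = effective_scheme(remote_addr, headers, valve_enabled=valve_enabled)
    return absolute_url(scheme, port, path)


def confidential_hops(valve_enabled: bool, max_hops: int = 5) -> List[str]:
    """Redirects a browser sees for GET https://www.example.com/app/secure/
    when /app/secure/* carries transport-guarantee CONFIDENTIAL.

    Apache terminates TLS, proxies to 127.0.0.1:8080 over plain HTTP and sets
    X-Forwarded-Proto: https in its :443 vhost. Returns the 302 Locations seen;
    an empty list means the page was served on the first request.
    """
    hops: List[str] = []
    for _ in range(max_hops):
        scheme, _port = effective_scheme("127.0.0.1", {PROTOCOL_HEADER: "https"},
                                         valve_enabled=valve_enabled)
        if scheme == "https":
            return hops                  # constraint satisfied, app answers
        # Tomcat bounces to https on redirectPort; Apache proxies it straight
        # back over http, and without the valve Tomcat bounces again.
        hops.append(absolute_url("https", HTTPS_PORT, "/app/secure/"))
    return hops


if __name__ == "__main__":
    proxied = {PROTOCOL_HEADER: "https"}
    print(ajax_redirect("127.0.0.1", proxied, "/app/login"))
    print(ajax_redirect("127.0.0.1", proxied, "/app/login", valve_enabled=False))
    # A client hitting :8080 directly cannot forge the scheme ...
    print(effective_scheme("203.0.113.7", proxied))
    # ... unless internalProxies has been widened to match everyone.
    print(effective_scheme("203.0.113.7", proxied, internal_proxies=WIDE_OPEN))
    print(len(confidential_hops(valve_enabled=False)), "redirects without the valve")
    print(len(confidential_hops(valve_enabled=True)), "redirects with the valve")
```

Keep internalProxies as tight as the deployment allows (the proxy's own address, not a whole private range if other hosts share it) and make sure port 8080 is not reachable from outside; the header is only as trustworthy as the set of peers allowed to set it.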
0

Late to the game here but others may find this-- we had a similar setup and issue where everything worked fine until the application started using ajax posts which did redirects for the response. The fix was to use mod_headers in apache to rewrite redirects using "Header edit Location"

http://httpd.apache.org/docs/current/mod/mod_headers.html

Header edit Location ^http://www.example.com/ https://www.example.com/

This went unnoticed prior to the ajax redirects because the browser has no problem doing page-level redirects to http (which apache would then redirect back to https). But the ajax cross-site prevention halts at the initial http redirect, missing out on the subsequent request that would then be redirected to https.
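A model of what the Header edit directive above does to a proxied response, and of the browser rule that made the http:// hop fatal for XHR but harmless for a page navigation. This is an added example, not mod_headers' code or the answer's; www.example.com is the host from the answer, and the header values are constructed. `Header edit` replaces the first match of the regex in the named header and `Header edit*` every match; the function below models both.

```python
import re
from typing import Dict
from urllib.parse import urlsplit

# Added example, not mod_headers' code: a model of
#   Header edit Location ^http://www.example.com/ https://www.example.com/
# applied to a proxied response, plus the browser rule that stops an
# XMLHttpRequest at an http:// redirect while a page navigation follows it.
# Header values are constructed; www.example.com is the answer's host.

LOCATION_PATTERN = re.compile(r"^http://www\.example\.com/")  # dots escaped, slash anchors the host
LOCATION_REPLACEMENT = "https://www.example.com/"


def header_edit(headers: Dict[str, str], name: str, pattern, replacement: str,
                all_matches: bool = False) -> Dict[str, str]:
    """Model of `Header edit` (first match) and `Header edit*` (all matches).

    A header that is absent or does not match is left alone; other headers are
    never touched. Returns a new dict rather than mutating the input.
    """
    out = dict(headers)
    value = out.get(name)
    if value is not None:
        out[name] = pattern.sub(replacement, value, count=0 if all_matches else 1)
    return out


def fix_redirect(headers: Dict[str, str]) -> Dict[str, str]:
    """The directive from the answer: upgrade our own plain-http redirects."""
    return header_edit(headers, "Location", LOCATION_PATTERN, LOCATION_REPLACEMENT)


def xhr_may_follow(page_url: str, location: str) -> bool:
    """Why the bug only surfaced with AJAX.

    A page loaded over https may not make an active request to http:// (the
    scheme differs, so it is a different origin and blocked mixed content), so
    an XMLHttpRequest stops at the http hop. A top-level navigation may take
    that hop and Apache then bounces it back to https.
    """
    page, target = urlsplit(page_url), urlsplit(location)
    if not target.scheme:                # relative Location keeps the page scheme
        return True
    return not (page.scheme == "https" and target.scheme == "http")


if __name__ == "__main__":
    page = "https://www.example.com/app/"
    backend = {"Location": "http://www.example.com/app/login", "Content-Type": "text/html"}
    fixed = fix_redirect(backend)
    print(backend["Location"], "->", fixed["Location"])
    print("xhr follows original:", xhr_may_follow(page, backend["Location"]))
    print("xhr follows edited:  ", xhr_may_follow(page, fixed["Location"]))
    # Off-site and relative redirects pass through untouched.
    print(fix_redirect({"Location": "http://other.example.org/"})["Location"])
    print(fix_redirect({"Location": "/app/login"})["Location"])
```

The anchored pattern means only redirects to the plain-http form of your own host are rewritten; off-site and relative Location values pass through unchanged, which is what you want. Escape the dots in the regex as shown so the pattern matches the host literally.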
