Tomcat behind Apache behind Firewall: AJP ignores X-Forwarded-Proto -


we have following setup in case of https traffic:

  • firewall: terminates https, adds "x-forwarded-proto: https", forwards apache via http
  • apache: forwards tomcat through ajp
  • tomcat: receives request via ajp-connector

we have added remoteipvalve tomcat's server.xml:

<valve classname="org.apache.catalina.valves.remoteipvalve"                    remoteipheader="x-forwarded-for"                    protocolheader="x-forwarded-proto"             />

it works if skip apache , forward straight firewall tomcat regular http-connector. in case tomcat uses https redirect , base urls.

but once go through apache , ajp, x-forwarded-proto header seems ignored. checked, x-forwarded-proto header still present on tomcat's request.

i guess tomcat told through ajp front-end protocol used (http or https). maybe doesn't happen? need tell apache somehow consider x-forwarded-proto ajp?

apache virtualhost configuration:

<virtualhost *:80>     servername www.myserver.biz      jkmount /* loadbalancerhd </virtualhost>

workers.properties:

worker.list=loadbalancerhd  worker.loadbalancerhd.balance_workers=hdnode1,hdnode2 worker.loadbalancerhd.type=lb worker.loadbalancerhd.sticky_session=true  worker.hdnode1.type=ajp13 worker.hdnode1.host=webserver01 worker.hdnode1.port=8010 worker.hdnode1.distance=0  worker.hdnode2.type=ajp13 worker.hdnode2.port=8010 worker.hdnode2.host=webserver02 worker.hdnode2.distance=1

after studying mod_jk docs found out mod_jk evaluates apache environment variable https in order detect https. variable set mod_ssl if apache processes https traffic itself. not case since https terminated before apache.

simply setting environment variable based on http header trick:

setenvifnocase x-forwarded-proto https https=on

btw: the environment variable evaluated mod_jk can changed jkhttpsindicator directive (see mod_jk docs). following same:

setenvifnocase x-forwarded-proto https external_traffic_is_https=on jkhttpsindicator external_traffic_is_https

might useful if changing https interfere other modules.


Comments

Post a Comment

Popular posts from this blog

commonjs - How to write a typescript definition file for a node module that exports a function? -

consider, toml node module can use: // toml.d.ts declare module toml { export function parse(value:string):any; } declare module "toml" { export = toml; } then: /// <reference path="../../../../../defs/toml/toml.d.ts"/> import toml = require('toml'); toml.parse(...); however, node module export single function, such 'glob' ( https://github.com/isaacs/node-glob ). the node usage of module be: var glob = require("glob") glob("*.js", {}, callback(err, files) { ... }); you'd naively expect this: // glob.d.ts declare function globs(paths:string, options:any, callback:{(err:any, files:string[]):void; ...but because typescripts 'import' semantics bit strange, seems can use 'import .. = require()' statement alias modules . trying call: /// <reference path="../../../../../defs/glob/glob.d.ts"/> import blog = require('glob'); results in: error ts2072: mod...
Read more

openid - Okta: Failed to get authorization code through API call -

i'm integrating okta own idp server using okta's api. i'm implementing authorization code flow following steps below: in own server, use /api/v1/authn endpoint sessiontoken. use sessiontoken obtain authorization calling endpoint: /oauth2/v1/authorize?client_id=" + clientid + "&sessiontoken=" + sessiontoken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirecturl + "&state=evanyang&nonce=" it's supposed return response status code 302 , location header containing redirect url code value. however, keep getting response status code 200 , without location header, html body saying "you using unsupported browser." , "javascript disabled on browser." according api documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request , sessiontoken parameter sufficient this: an okta one-time sessiontoken. allows api-based ...
Read more

ios - Change Storyboard View using Seague -

i have following code checks connection server, , depending on want change views if no connection found. nsstring *connect = [nsstring stringwithcontentsofurl:[nsurl urlwithstring:@"http://myserver.com"] encoding:nsutf8stringencoding error:nil]; if (connect == null) { [self performseguewithidentifier:@"network_failure" sender:self]; } else { // other code here } my problem not change views. have added storyboard segue between 2 views identifier of network_failure . not have navigation controller or that, problem? thanks help! no not problem. first of all, in objectivec exists nil object oriented null . must use that. so: if(connect == nil) or better: if(!connect) so due fact nil not same of null , probably code does't enter in if scope . you have been able discover breakpoint. anyway: be sure set trigger segue (line) 2 view controller , , name network_failure (that not best name. should instead view1toview2 ) as, m...
Read more