On 22.05.2009 04:31, Andre-John Mas wrote:
> 
> On 21-May-2009, at 12:32, Rainer Jung wrote:
> 
>> On 20.05.2009 17:33, Markus Schönhaber wrote:
>>> Andre-John Mas:
>>>
>>>> this is not the ideal setup, I don't have any control over this. At
>>>> the same time I see that using mod_proxy, by way of ProxyPass, means
>>>> that the Tomcat server does not know what hostname was used to access
>>>> the Apache server, instead getting http://localhost:8080/ . Is there
>>>> any way, probably via configuration of Apache, that this could be
>>>> passed to the Tomcat? I looked for information on this, but I could
>>>> not find any.
>>>
>>> Instead of mod_proxy_http, I use mod_proxy_ajp. AJP passes the client's
>>> IP through.
>>
>> On 20.05.2009 16:59, Caldarale, Charles R wrote:
>>> Aren't the X-Forwarded-For and X-Forwarded-Host headers being set by
>> mod_proxy?  The doc indicates they should be:
>>> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
>>
>> .. and finally there's ProxyPreserveHost.
> 
> That's one option I missed.
> 
> Is there any way to know whether Apache was contacted using HTTPS or
> HTTP, on the Tomcat side?

I didn't test it, but what should work:

mod_ssl automatically sets an internal httpd environment variable named
"HTTPS" to "on" when the connection is doing https. mod_rewrite knows
this variable as a builtin (look for HTTPS on
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html), but any other
module that can use data from environment variables can also use it.
E.g. mod_headers has a syntax where you set request headers depending
on an env var being set or not. So you can try to use mod_headers to add
a private request header (like: X-MYAPP-HTTPS: yes) to the request,
depending on the env var HTTPS being set. Your backend can then check for
the existence of the header.

CAUTION: You can compromise your security with such a header. If your
users find out, what the header is, they can send it with the original
request and claim it to be HTTPS. To make it bullet proof, you would
first have to remove it (and all equivalent headers).

I didn't check whether mod_ssl sets the variable early enough for
mod_request to detect it and mod_proxy to already find the new header
before forwarding, but I think that's reasonable.

Have fun,

Rainer
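
The mod_headers approach described in the message above, combined with the removal step from its CAUTION paragraph, written out as an added example. It is not part of the original message and, like the suggestion itself, assumes that mod_ssl's HTTPS variable is visible when mod_headers evaluates `env=HTTPS`. The header name and the backend URL are the ones used in the thread.

```apache
# Added example. Needs mod_ssl, mod_headers, mod_proxy and mod_proxy_http loaded.
# Place in the server config or in each <VirtualHost> that proxies to Tomcat.

# Weak form: the header is added on HTTPS, but on plain HTTP a copy sent by
# the client passes through untouched, so the backend cannot tell the two apart.
#   RequestHeader set X-MYAPP-HTTPS "yes" env=HTTPS

# Corrected form: first drop whatever the client sent, then add the header
# only when mod_ssl has set the HTTPS environment variable.
RequestHeader unset X-MYAPP-HTTPS
RequestHeader set X-MYAPP-HTTPS "yes" env=HTTPS

# Forward the original Host header and proxy to Tomcat (backend URL from the thread).
ProxyPreserveHost On
ProxyPass        / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

# The header is only meaningful if Tomcat's connector accepts connections from
# httpd alone (for example, bound to 127.0.0.1). A client that can reach
# port 8080 directly can set the header itself.
```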


