Re: Force HTTPS scheme on redirects

2005-06-23 Thread Zsolt Kadar
On Wed, 22 Jun 2005 15:14:14 +0200 (CEST), [EMAIL PROTECTED] wrote:

I answer myself:

Yes, version 4.1.29 still contains the bug. An upgrade to version
4.1.31 solves the problem.

Thanks for reading.

Zsolt

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Force HTTPS scheme on redirects

2005-06-22 Thread kadzsol
Hi all,

I have a vendor-supplied application here that is bundled with Microsoft
IIS 5 and Tomcat version 4.1.29. Our hosting infrastructure employs proxy
servers and external SSL acceleration hardware in front of the Tomcat
server and needs to pass scheme and secure information back to our
clients. To do this I have specified the following in server.xml:

<!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
  port="8009" minProcessors="5" maxProcessors="75"
  enableLookups="true" redirectPort="8443"
  acceptCount="10" debug="0" connectionTimeout="2"
  useURIValidationHack="false"
  proxyPort="443" scheme="https" secure="true" proxyName="my.com"
  protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->

Unfortunately, Tomcat seems to ignore these settings upon redirects.
Tracing the response of the server shows that the protocol http is passed
back to clients instead of https (other settings like proxyPort and
proxyName are passed back correctly):

No.  Time      Source         Destination    Protocol  Info
172  4.476556  10.124.83.148  10.124.83.140  HTTP      HTTP/1.1 302 Moved Temporarily

Hypertext Transfer Protocol
HTTP/1.1 302 Moved Temporarily\r\n
Response Code: 302
Server: Microsoft-IIS/5.0\r\n
Date: Wed, 22 Jun 2005 13:03:49 GMT\r\n
pragma: no-cache\r\n
Cache-Control: no-store\r\n
Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n
Set-Cookie: remember=false; Expires=Fri, 22-Jul-2005 13:03:50 GMT\r\n
Set-Cookie: loginuser=; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n
Set-Cookie: loginpass=; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n
Location: http://my.com:443/oaa/appmenu.jsp\r\n
Content-Type: text/html;charset=UTF-8\r\n
Content-Length: 0\r\n
\r\n

I have found a similar bug in the Bugzilla database
(http://issues.apache.org/bugzilla/show_bug.cgi?id=17656) for version
4.1.18, which is resolved. However, a user states in the bug report that
the bug is still present in version 4.1.24. I wonder whether it has really
been fixed or whether I still have this bug in version 4.1.29.

Zsolt
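
As an added example, not part of the thread and not Tomcat's own code, the following Python check parses a captured redirect and flags a Location whose scheme, host or port disagrees with the proxyName/proxyPort/scheme the connector was configured with; the response bytes are reconstructed from the headers quoted in the post, and the expected values (my.com, 443, https) are taken from the server.xml fragment above.

```python
# Added example (not code from the post or from Tomcat): parse a captured HTTP redirect
# and check its Location against the proxyName/proxyPort/scheme the connector should reflect.
from urllib.parse import urlsplit

CAPTURED_RESPONSE = (  # constructed from the headers in the Ethereal dump; empty body
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Location: http://my.com:443/oaa/appmenu.jsp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_response(raw: bytes):
    """Return (status code, {lower-case header name: value}) from a raw response."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(raw: bytes, proxy_name: str, proxy_port: int, scheme: str):
    """Findings for a Location that does not match the proxy settings; [] if it does."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return []
    loc = urlsplit(headers["location"])
    if not loc.netloc:  # relative Location: the client keeps its current scheme and host
        return []
    port = loc.port if loc.port is not None else DEFAULT_PORTS.get(loc.scheme)
    findings = []
    if loc.scheme != scheme:
        findings.append(f"scheme {loc.scheme} instead of {scheme}")
    if loc.hostname != proxy_name:
        findings.append(f"host {loc.hostname} instead of {proxy_name}")
    if port != proxy_port:
        findings.append(f"port {port} instead of {proxy_port}")
    if loc.scheme == "http" and port == 443:  # the tell-tale of the bug in the post
        findings.append("plaintext http pointed at the TLS port 443")
    return findings

def expected_location(raw: bytes, proxy_name: str, proxy_port: int, scheme: str) -> str:
    """Rebuild the Location as the proxy settings say it should look (default port omitted)."""
    loc = urlsplit(parse_response(raw)[1]["location"])
    port = "" if DEFAULT_PORTS.get(scheme) == proxy_port else f":{proxy_port}"
    return f"{scheme}://{proxy_name}{port}{loc.path}" + (f"?{loc.query}" if loc.query else "")
```

Run against the captured response, check_redirect reports the scheme mismatch and the http-on-443 combination, and expected_location gives https://my.com/oaa/appmenu.jsp, which is what the configured connector should have produced.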
