Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
All,
On 10/1/14 10:26 AM, Christopher Schultz wrote:
I'm interested in using AWS ELB for SSL termination but allowing
the client's TLS connection information to be forwarded all the
way through the chain to Tomcat.
The setup looks like this:
ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1
(t0 and t1 are repeated because otherwise the diagram would be
even more difficult to read).
w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat.
The client's connection is TLS terminated at ELB and whether the
connections between ELB/wx/tx are encrypted should be immaterial.
I'm using mod_jk from httpd - Tomcat.
ELB provides the following HTTP headers to wx: X-Forwarded-For
(client's IP) X-Forwarded-Port443 X-Forwarded-Proto https
Unfortunately, it looks like I can't get things like the cipher
default, etc. but I'm okay with that for the time being.
I'm wondering two things:
1. How can I get Apache httpd to trust that the connection is
encrypted? I want to be able to use RequireSSL for certain
resources and have httpd trust that the connection coming from the
ELB is in fact secure.
2. How can I use that connection information to tell mod_jk that
things are to be trusted as well?
For #2, I might just be able to use SetEnv to set
REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this
is encrypted. Should I set up a separate VirtualHost on a
different (non-80) port that is configured only for ELB connections
and then force SSL to on regardless of the actual incoming
connections?
That would allow me to use port 80 for regular web traffic and
not have to worry about proper checking to make sure that the
connection was in fact coming from the ELB and not directly into
the web server.
I have some information for those wanting to do this.
Here is a write-up someone did for how to get Apache to log things
appropriately when using AWS ELB:
http://knowledgevoid.com/blog/2012/01/13/logging-the-correct-ip-address-using-apache-2-2-x-and-amazons-elastic-load-balancer/
Here are the two configurations I was able to get working and a few
notes about them.
I would highly recommend that anyone using ELB set up an ELB-only
VirtualHost that only handles requests being proxied through the ELB.
This will protect you against some misconfigurations, etc. that might
allow remote users to get access to resources they should not, or be
able to forge certain parts of the request.
Something like this:
VirtualHost *:81
(remaining configuration)
/VirtualHost
Remember that you will have to Listen 81 somewhere.
If you have httpd 2.4, then you have mod_remoteip out of the box.
That's nice:
# Trust AWS ELB's X-Forwarded-For header
# This will set REMOTE_ADDR to the client's real IP
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/8
# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto https HTTPS=On
SetEnvIf X-Forwarded-Port (.*) JK_LOCAL_PORT=$1
That last SetEnvIf is nearly entirely useless (because nobody really
cares about users' port numbers), but I put it in there for completeness.
Also, mod_remoteip will adjust the value of the REMOTE_ADDR
environment variable -- which is visible to CGI-style programs as well
as mod_jk/Tomcat/etc. but *it will not work in log files* if you use
%h as your remote-ip log format. You will have to use %a instead.
On AWS Linux, the httpd package comes with both combined and
common log formats defined using %h so you'll have to change those
to %a.
If you have httpd 2.2. instead, you'll have to do things a bit
differently (unless you want to use the back-port of mod_remoteip for
httpd 2.2):
# Handle ELB requests; maintain client information
SetEnvIf X-Forwarded-Proto https HTTPS=On
SetEnvIf X-Forwarded-For (.*) REMOTE_ADDR=$1 JK_REMOTE_ADDR=$1
SetEnvIf X-Forwarded-Port (.*) JK_LOCAL_PORT=$1
Location /
Order deny,allow
Deny from all
Allow from 10.0.0.0/8
/Location
If you want to log properly, I think the best thing to do is change
%h (or %a) in your log formats to %{X-Forwarded-For}i or, if you
want to be super-correct, you want to do something like this:
# The following line has been split over multiple lines.
# httpd doesn't support this; it's for email readability only
SetEnvIf X-Forwarded-For \
^.*?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+) \
XFFCLIENTIP=$1
LogFormat ... %{XFFCLIENTIP}e ... format-name
CustomLog access_log format-name
This won't get you the right client IP address in error.log, though.
I'm not exactly sure how to do that. Apparently, setting REMOTE_ADDR
is only useful for CGI-style interaction and has no effect on how
httpd does logging, etc.
It also seems that you cannot re-define a LogFormat. I tried
re-defining my combined log format in a VirtualHost and it did not
work. Using a different LogFormat
[OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm interested in using AWS ELB for SSL termination but allowing the client's TLS connection information to be forwarded all the way through the chain to Tomcat. The setup looks like this: ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1 (t0 and t1 are repeated because otherwise the diagram would be even more difficult to read). w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The client's connection is TLS terminated at ELB and whether the connections between ELB/wx/tx are encrypted should be immaterial. I'm using mod_jk from httpd - Tomcat. ELB provides the following HTTP headers to wx: X-Forwarded-For (client's IP) X-Forwarded-Port443 X-Forwarded-Proto https Unfortunately, it looks like I can't get things like the cipher default, etc. but I'm okay with that for the time being. I'm wondering two things: 1. How can I get Apache httpd to trust that the connection is encrypted? I want to be able to use RequireSSL for certain resources and have httpd trust that the connection coming from the ELB is in fact secure. 2. How can I use that connection information to tell mod_jk that things are to be trusted as well? For #2, I might just be able to use SetEnv to set REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is encrypted. Should I set up a separate VirtualHost on a different (non-80) port that is configured only for ELB connections and then force SSL to on regardless of the actual incoming connections? That would allow me to use port 80 for regular web traffic and not have to worry about proper checking to make sure that the connection was in fact coming from the ELB and not directly into the web server. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULA8qAAoJEBzwKT+lPKRYMf4P/2yONDv5rQFgHguhMeWv8BJs jbv8bLOOK5Vf+r5idJgyEgOFEI4jbEKfGdhIvD5BasT4PZF65sn3AsOXQpav9GA4 kgomQHDipou3u5PFGi2d3xQQsDB9MjOTfAmmvQFNEnPxtisYQA+wNHGGxJDwyHIZ tJkS4jP8mA3vxLaoCLoSiOi2MEGr2nbj5Xcfd75F2IXfci9QEhGEgsUxyFq+K+Vb p+GVv4px55+zO9sLaIk6SiaNOGI3p86W+IX5spvoxO2Qxah+DVSoq9HRGryWd/Wn O3ZwSGqCHYKsPI1xHECaN/58pAR7polyU5nEFmzWbxFhc31Q2hpDkZuyZ3SIY2u1 7lLY+Zx41nizjfjeYeIcMtZ4OBj0uHBSj5qzLehF7zItZoRqEhgv2b4yn8vJjIj0 GF4wpVqAqSWaIJ2F1C9ZjTnL9LhTJHZBurpt1JDSe7ALS/s4EoEQ/rbaz9kEUMNq BBThIapN+VXCwaqsA7hQliCWRoGuP2kNFStsatgeaNaBZd5Cf8cg8iTSUcoDR4UW Z4CHSi/4H6uD3wmcI6Jca7dfJEY+eNGM3zLsUF1hQPYP9MG6Fohy6h/UGGhlRehh sXZ6bL0oVfGVxSM9gMCDQzB4ptb9zuqU5UgWjKEB50lbwXgMLUm7XP3/C/bY7Zgt cXABRHoZSqoq2tPV1Lov =g2oZ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Hi Christopher,
On 10/01/2014 04:26 PM, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
All,
I'm interested in using AWS ELB for SSL termination but allowing the
client's TLS connection information to be forwarded all the way
through the chain to Tomcat.
The setup looks like this:
ELB
/\
/ \
/\
w0w1
/ \ / \
t0 t1 t0 t1
(t0 and t1 are repeated because otherwise the diagram would be even
more difficult to read).
w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The
client's connection is TLS terminated at ELB and whether the
connections between ELB/wx/tx are encrypted should be immaterial. I'm
using mod_jk from httpd - Tomcat.
ELB provides the following HTTP headers to wx:
X-Forwarded-For (client's IP)
X-Forwarded-Port443
X-Forwarded-Proto https
Unfortunately, it looks like I can't get things like the cipher
default, etc. but I'm okay with that for the time being.
I'm wondering two things:
1. How can I get Apache httpd to trust that the connection is encrypted?
I want to be able to use RequireSSL for certain resources and have
httpd trust that the connection coming from the ELB is in fact
secure.
Maybe i'm missing something, but you can check that X-Forwarded-Proto
header contains https? Seems a bit risky, maybe additionally adding
another check that the incomming request comes from ELB's IP(s)?
2. How can I use that connection information to tell mod_jk that things
are to be trusted as well?
Just pass a custom header. BTW Are you encrypting the w --- t
connections as well? BTW I recall a setup i've made times ago, where the
SSL termination was on the apache webservers, ex:
LB (tcp) https --- apache httpd (SSL Termination doing client
certificate verification) / mod_jk --- AJP --- Tomcat
I was able to send client's certificate information as headers to
tomcat. But not sure this is your situation.
For #2, I might just be able to use SetEnv to set
REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is
encrypted. Should I set up a separate VirtualHost on a different
(non-80) port that is configured only for ELB connections and then
force SSL to on regardless of the actual incoming connections?
Maybe this can help:
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC]
RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0]
This way you send to tomcat as REMOTE_ADDR the contents of the
X-Forwarded-For header
That would allow me to use port 80 for regular web traffic and not
have to worry about proper checking to make sure that the connection
was in fact coming from the ELB and not directly into the web server.
Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJULA8qAAoJEBzwKT+lPKRYMf4P/2yONDv5rQFgHguhMeWv8BJs
jbv8bLOOK5Vf+r5idJgyEgOFEI4jbEKfGdhIvD5BasT4PZF65sn3AsOXQpav9GA4
kgomQHDipou3u5PFGi2d3xQQsDB9MjOTfAmmvQFNEnPxtisYQA+wNHGGxJDwyHIZ
tJkS4jP8mA3vxLaoCLoSiOi2MEGr2nbj5Xcfd75F2IXfci9QEhGEgsUxyFq+K+Vb
p+GVv4px55+zO9sLaIk6SiaNOGI3p86W+IX5spvoxO2Qxah+DVSoq9HRGryWd/Wn
O3ZwSGqCHYKsPI1xHECaN/58pAR7polyU5nEFmzWbxFhc31Q2hpDkZuyZ3SIY2u1
7lLY+Zx41nizjfjeYeIcMtZ4OBj0uHBSj5qzLehF7zItZoRqEhgv2b4yn8vJjIj0
GF4wpVqAqSWaIJ2F1C9ZjTnL9LhTJHZBurpt1JDSe7ALS/s4EoEQ/rbaz9kEUMNq
BBThIapN+VXCwaqsA7hQliCWRoGuP2kNFStsatgeaNaBZd5Cf8cg8iTSUcoDR4UW
Z4CHSi/4H6uD3wmcI6Jca7dfJEY+eNGM3zLsUF1hQPYP9MG6Fohy6h/UGGhlRehh
sXZ6bL0oVfGVxSM9gMCDQzB4ptb9zuqU5UgWjKEB50lbwXgMLUm7XP3/C/bY7Zgt
cXABRHoZSqoq2tPV1Lov
=g2oZ
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Frederik,
On 10/1/14 11:15 AM, Frederik Nosi wrote:
Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote:
All,
I'm interested in using AWS ELB for SSL termination but allowing
the client's TLS connection information to be forwarded all the
way through the chain to Tomcat.
The setup looks like this:
ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1
(t0 and t1 are repeated because otherwise the diagram would be
even more difficult to read).
w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat.
The client's connection is TLS terminated at ELB and whether the
connections between ELB/wx/tx are encrypted should be immaterial.
I'm using mod_jk from httpd - Tomcat.
ELB provides the following HTTP headers to wx: X-Forwarded-For
(client's IP) X-Forwarded-Port 443 X-Forwarded-Proto https
Unfortunately, it looks like I can't get things like the cipher
default, etc. but I'm okay with that for the time being.
I'm wondering two things:
1. How can I get Apache httpd to trust that the connection is
encrypted? I want to be able to use RequireSSL for certain
resources and have httpd trust that the connection coming from the
ELB is in fact secure.
Maybe i'm missing something, but you can check that
X-Forwarded-Proto header contains https? Seems a bit risky, maybe
additionally adding another check that the incomming request
comes from ELB's IP(s)?
Yes, I can check this. I can also ensure that the port is only
accessible from the ELB. I'm less worried about this and more worried
about getting everything else working first. Protecting the connection
itself will not be a problem.
2. How can I use that connection information to tell mod_jk that
things are to be trusted as well?
Just pass a custom header. BTW Are you encrypting the w --- t
connections as well? BTW I recall a setup i've made times ago,
where the SSL termination was on the apache webservers, ex:
LB (tcp) https --- apache httpd (SSL Termination doing
client certificate verification) / mod_jk --- AJP --- Tomcat
I was able to send client's certificate information as headers
to tomcat. But not sure this is your situation.
I don't need to use client certificates, but being able to support
them would be nice.
AWS ELB seems to support TCP pass-through but you can't do it for port
443. If you want to use port 443, you can either choose HTTPS/SSL or
TCP/SSL. If you choose HTTPS/SSL then you have to use either HTTP
or HTTPS as the back-end protocol. For some reason, choosing HTTPS
causes endless stalling when trying to make a connection.
Using TCP/SSL - TCP/SSL (what I would call TCP pass-through) ought to
allow me to do SSL termination at the web server level, accept client
certificates, and have mod_ssk work without any modification at all. I
think in order to do this, I have to configure Apache httpd to accept
connections using the proxy protocol, and I'm not sure how to do that.
For #2, I might just be able to use SetEnv to set
REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this
is encrypted. Should I set up a separate VirtualHost on a
different (non-80) port that is configured only for ELB connections
and then force SSL to on regardless of the actual incoming
connections?
Maybe this can help:
RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC]
RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0]
This way you send to tomcat as REMOTE_ADDR the contents of the
X-Forwarded-For header
Why use mod_rewrite (slow) when you can use mod_setenvif (fast)?
SetEnvIf X-Forwarded-For (.*) JK_REMOTE_ADDR=$1
What I'm mainly looking for is a way to say the incoming connection
(from ELB) is HTTP and I want to pretend that the connection is HTTPS.
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJULCZeAAoJEBzwKT+lPKRYHQcP/1tdeiy0lWAHcQ2vG4HrpACy
ni5Ac17Z5gSeqQyol66/NiOPBnRM9NaZqLg6wpIps+8SaZuKnHir2IgnWXOBo7lQ
81aJokPIivwO74ang6lnfJJR2vYCYLn7eONI6+qqSWlk+Mw2CoLbsGoPxVeeBBe7
AE+2QZnzj9NtuhlGiIKvlPQXmJBs/VgBiEq23wFsikLisY0eHMkwGcYnuPZ9KYil
qHxxmfntPgMH+uhCcxwGHrXlLJLCCGZCFv3xQHkCKC5Ndb9mnGBY1b0IcplPwOvQ
zbRVHdJcewE36hHECE5r2Z4a44ThKMLPEz1wZVCJm5ljEZiyuVq181ukkotBdvT8
y3/WuHwzZV8z6mdCNGBoB/Y4RdXfyfwaIKFZwlM3OhBcPVD+jki82dE/7tLZ3mlZ
AUj5pBGuoePVV8hnrukLi+DM4sJ6CZ6zLq0OKX3MzfF8n8/kG7vr20ntTi7mjTDs
Suk3lLr2L+Y7LBOzeepbThGK3CtCMm3OGZisuN90Pf9yrnuxDRJigpPUSeKdO0uQ
rJMx9gqRWiBl2jbWO6bsF4Aqy4wGVA+zyG9oTWMWDegU3uXHVAZdVb/R1YRZ18Qk
wH826ul3NMaUUGmWS6rpGpKpFm8V4UZ+qtz8eaMkBet3YOzYLBqJQ4xj5Co2K+g+
ZNKUGsHHHFYdVK9HyKcL
=PcDT
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Hi Christopher,
On 10/01/2014 06:05 PM, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Frederik,
On 10/1/14 11:15 AM, Frederik Nosi wrote:
Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote:
All,
I'm interested in using AWS ELB for SSL termination but allowing
the client's TLS connection information to be forwarded all the
way through the chain to Tomcat.
The setup looks like this:
ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1
(t0 and t1 are repeated because otherwise the diagram would be
even more difficult to read).
w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat.
The client's connection is TLS terminated at ELB and whether the
connections between ELB/wx/tx are encrypted should be immaterial.
I'm using mod_jk from httpd - Tomcat.
ELB provides the following HTTP headers to wx: X-Forwarded-For
(client's IP) X-Forwarded-Port 443 X-Forwarded-Proto https
Unfortunately, it looks like I can't get things like the cipher
default, etc. but I'm okay with that for the time being.
I'm wondering two things:
1. How can I get Apache httpd to trust that the connection is
encrypted? I want to be able to use RequireSSL for certain
resources and have httpd trust that the connection coming from the
ELB is in fact secure.
Maybe i'm missing something, but you can check that
X-Forwarded-Proto header contains https? Seems a bit risky, maybe
additionally adding another check that the incomming request
comes from ELB's IP(s)?
Yes, I can check this. I can also ensure that the port is only
accessible from the ELB. I'm less worried about this and more worried
about getting everything else working first. Protecting the connection
itself will not be a problem.
Maybe i didn't got your question right, what you're interested first, is
letting know to tomcat that the client is using a secure connection? If
so you can just pass a custom header from apache to tomcat, but this
seems too easy :-)
2. How can I use that connection information to tell mod_jk that
things are to be trusted as well?
Just pass a custom header. BTW Are you encrypting the w --- t
connections as well? BTW I recall a setup i've made times ago,
where the SSL termination was on the apache webservers, ex:
LB (tcp) https --- apache httpd (SSL Termination doing
client certificate verification) / mod_jk --- AJP --- Tomcat
I was able to send client's certificate information as headers
to tomcat. But not sure this is your situation.
I don't need to use client certificates, but being able to support
them would be nice.
AWS ELB seems to support TCP pass-through but you can't do it for port
443. If you want to use port 443, you can either choose HTTPS/SSL or
TCP/SSL. If you choose HTTPS/SSL then you have to use either HTTP
or HTTPS as the back-end protocol. For some reason, choosing HTTPS
causes endless stalling when trying to make a connection.
I would get a tcpdump from the apache frontend, maybe you can get more
info this way.
Using TCP/SSL - TCP/SSL (what I would call TCP pass-through) ought to
allow me to do SSL termination at the web server level, accept client
certificates, and have mod_ssk work without any modification at all. I
think in order to do this, I have to configure Apache httpd to accept
connections using the proxy protocol, and I'm not sure how to do that.
Hmm, didn't knowed about this protocol before. From some quick googling
and reading, seems interesting, as at your endpoint the connection comes
from ELBs'IP not from the client's IP, this protocol adds the missing
info, real client ip.
http://blog.haproxy.com/haproxy/proxy-protocol/
So using this seems you need to add another piece to you'r infrastructure.
For #2, I might just be able to use SetEnv to set
REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this
is encrypted. Should I set up a separate VirtualHost on a
different (non-80) port that is configured only for ELB connections
and then force SSL to on regardless of the actual incoming
connections?
Maybe this can help:
RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC]
RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0]
This way you send to tomcat as REMOTE_ADDR the contents of the
X-Forwarded-For header
Why use mod_rewrite (slow) when you can use mod_setenvif (fast)?
SetEnvIf X-Forwarded-For (.*) JK_REMOTE_ADDR=$1
Indeed is better your way
What I'm mainly looking for is a way to say the incoming connection
(from ELB) is HTTP and I want to pretend that the connection is HTTPS.
Then the easier solution seems using ELB for SSL termination and using
the X-Forwarded-Proto header, passing from apache to tomcat
[...]
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Frederik,
On 10/1/14 12:52 PM, Frederik Nosi wrote:
Hi Christopher,
On 10/01/2014 06:05 PM, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256
Frederik,
On 10/1/14 11:15 AM, Frederik Nosi wrote:
Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz
wrote: All,
I'm interested in using AWS ELB for SSL termination but
allowing the client's TLS connection information to be
forwarded all the way through the chain to Tomcat.
The setup looks like this:
ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1
(t0 and t1 are repeated because otherwise the diagram would be
even more difficult to read).
w0 and w1 are running Apache httpd, t0 and t1 are running
Tomcat. The client's connection is TLS terminated at ELB and
whether the connections between ELB/wx/tx are encrypted should
be immaterial. I'm using mod_jk from httpd - Tomcat.
ELB provides the following HTTP headers to wx: X-Forwarded-For
(client's IP) X-Forwarded-Port 443 X-Forwarded-Proto
https
Unfortunately, it looks like I can't get things like the
cipher default, etc. but I'm okay with that for the time
being.
I'm wondering two things:
1. How can I get Apache httpd to trust that the connection is
encrypted? I want to be able to use RequireSSL for certain
resources and have httpd trust that the connection coming from
the ELB is in fact secure.
Maybe i'm missing something, but you can check that
X-Forwarded-Proto header contains https? Seems a bit risky,
maybe additionally adding another check that the incomming
request comes from ELB's IP(s)?
Yes, I can check this. I can also ensure that the port is only
accessible from the ELB. I'm less worried about this and more
worried about getting everything else working first. Protecting
the connection itself will not be a problem.
Maybe i didn't got your question right, what you're interested
first, is letting know to tomcat that the client is using a secure
connection? If so you can just pass a custom header from apache to
tomcat, but this seems too easy :-)
No, I'm interested in convincing Apache httpd that the original
connection was encrypted. Basically, I want the equivalent of Tomcat's
secure=true configuration option.
2. How can I use that connection information to tell mod_jk
that things are to be trusted as well?
Just pass a custom header. BTW Are you encrypting the w ---
t connections as well? BTW I recall a setup i've made times
ago, where the SSL termination was on the apache webservers,
ex: LB (tcp) https --- apache httpd (SSL Termination
doing client certificate verification) / mod_jk --- AJP ---
Tomcat I was able to send client's certificate information as
headers to tomcat. But not sure this is your situation.
I don't need to use client certificates, but being able to
support them would be nice.
AWS ELB seems to support TCP pass-through but you can't do it for
port 443. If you want to use port 443, you can either choose
HTTPS/SSL or TCP/SSL. If you choose HTTPS/SSL then you have
to use either HTTP or HTTPS as the back-end protocol. For some
reason, choosing HTTPS causes endless stalling when trying to
make a connection.
I would get a tcpdump from the apache frontend, maybe you can get
more info this way.
Yes, obviously I can do that. I was hoping that resorting to
packet-tracing would not be necessary.
Using TCP/SSL - TCP/SSL (what I would call TCP pass-through)
ought to allow me to do SSL termination at the web server level,
accept client certificates, and have mod_ssk work without any
modification at all. I think in order to do this, I have to
configure Apache httpd to accept connections using the proxy
protocol, and I'm not sure how to do that.
Hmm, didn't knowed about this protocol before. From some quick
googling and reading, seems interesting, as at your endpoint the
connection comes from ELBs'IP not from the client's IP, this
protocol adds the missing info, real client ip.
http://blog.haproxy.com/haproxy/proxy-protocol/
So using this seems you need to add another piece to you'r
infrastructure.
For #2, I might just be able to use SetEnv to set
REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes,
this is encrypted. Should I set up a separate VirtualHost on
a different (non-80) port that is configured only for ELB
connections and then force SSL to on regardless of the actual
incoming connections?
Maybe this can help: RewriteEngine on RewriteCond
%{HTTP:X-Forwarded-For} ^(.*)$ [NC] RewriteRule ^(.*)$ -
[env=JK_REMOTE_ADDR:%0] This way you send to tomcat as
REMOTE_ADDR the contents of the X-Forwarded-For header
Why use mod_rewrite (slow) when you can use mod_setenvif (fast)?
SetEnvIf X-Forwarded-For (.*) JK_REMOTE_ADDR=$1
Indeed is better your way
What I'm mainly looking for is a way to say the incoming
connection (from ELB) is HTTP and I want to
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Am 01.10.2014 19:18, schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- ... What I'm mainly looking for is a way to say the incoming connection (from ELB) is HTTP and I want to pretend that the connection is HTTPS. Then the easier solution seems using ELB for SSL termination and using the X-Forwarded-Proto header, passing from apache to tomcat Yes. Just looking for a way to say oh, the connection is also encrypted. If I remember correctly this needs only one line in Apache httpd to forward it to Tomcat SetEnvIf X-Forwarded-Proto https HTTPS=on mod_jk should use this information and mark it as a secure connection for you. Then you can require a secure connection in your webapp web.xml or check it in httpd with the same environment variable: Order Deny,Allow Deny from all Allow from env=HTTPS If the httpd is only a helper process to pass this information to Tomcat you can also use the Proxy-Valves: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support Something like this should serve your purpose: Valve className=org.apache.catalina.valves.RemoteIpValve protocolHeader=x-forwarded-proto portHeader=x-forwarded-port / Togehter with transport-guarantee CONFIDENTIAL in your web.xml this would eliminate the need to configure anything on Apache httpd at all. - Stefan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Stefan, On 10/1/14 2:18 PM, Stefan Mayr wrote: Am 01.10.2014 19:18, schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- ... What I'm mainly looking for is a way to say the incoming connection (from ELB) is HTTP and I want to pretend that the connection is HTTPS. Then the easier solution seems using ELB for SSL termination and using the X-Forwarded-Proto header, passing from apache to tomcat Yes. Just looking for a way to say oh, the connection is also encrypted. If I remember correctly this needs only one line in Apache httpd to forward it to Tomcat SetEnvIf X-Forwarded-Proto https HTTPS=on This is where I have gotten so far, actually. I've been trying to get mod_remoteip to handle the client's IP address for me -- especially for logging -- but I'm having some difficulty and have asked a question over on the httpd users' list about that. mod_jk should use this information and mark it as a secure connection for you. Then you can require a secure connection in your webapp web.xml or check it in httpd with the same environment variable: Order Deny,Allow Deny from all Allow from env=HTTPS I didn't know that you could do Allow from env=HTTPS. I'll definitely do that. I was also doing Allow from 10.0.0.0/8 so that only my ELB could access the VirtualHost I'm configuring. If the httpd is only a helper process to pass this information to Tomcat you can also use the Proxy-Valves: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support Something like this should serve your purpose: Valve className=org.apache.catalina.valves.RemoteIpValve protocolHeader=x-forwarded-proto portHeader=x-forwarded-port / I'd prefer to handle this at the httpd level if for no other reason than logging. Together with transport-guarantee CONFIDENTIAL in your web.xml this would eliminate the need to configure anything on Apache httpd at all. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULEqCAAoJEBzwKT+lPKRYKSUP/13RcT/81IevhKnZpWq8yj4A eJeGk2FXG3dzziO/NQq5OGUYftDCjIeY/Iwu7r5JbdjncDO6R+SMyTEBQ09rXD8L aQCVt+mXFPU4XOeNC292o+ju1FwUS8dyEj3nPOslIarM4jOTgFo5FoZnTO/ML8pg ho9hIUZsIQb0Tf+YlSND8gMl3Lz/N0TQFTOALcub32gGJb7PztYhqj3lEttWkFL0 5Jg368WGL22aDP3VFXjNruOiLTDV0JQH9XOojMGBV5J/5logbqTvAQpVQew3KLHW 1M0xF4Hu99JyNUdRUa8LB8gmMKcVtTArVWpjb0aKV7tXr6/dszHT0PMfRRZNCII5 ObZB+8ZGOnV6YWXgefkwiERFwa2ibjRaup/D+R6GwY4aJjJ8bR+e9Zs2HzS3nPAA 3YP5zGYYFcAu2bkw3IPCTUYdM1PHJxNIVEQ/NaMR1rEltD3v1lFjkSgq5FDl/17c oV9aUgCtIRyz5ZDVS8j4zjEak6+wEn7mJZ3BNU4S9wpkuKJgi/e7l/PfqbcFNwlF RS0f2j6Z9JtYNtjlNjYdpMbnnwhN3LKOBBmXQ/77PVi0WMms5Yj1HDwZxFvQNfGx xPu+ACMweviCdza7dm7aWTx+wBg8cx5SPwn9oONpQyn54ssJzw33wOobfNDtCkPG GeMPjnzD3XHwjXAM6c61 =STcf -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Hi Christopher,
Am 01.10.2014 20:40, schrieb Christopher Schultz:
-BEGIN PGP SIGNED MESSAGE-
...
I've been trying to get mod_remoteip to handle the client's IP address
for me -- especially for logging -- but I'm having some difficulty and
have asked a question over on the httpd users' list about that.
...
mod_remoteip can do more for you (if you need it). Just for the purpose
of logging the X-Forwarded-For-Header you could define a custom
LogFormat and add request headers like \%{X-Forwarded-For}i\ to it.
- Stefan
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Stefan,
On 10/1/14 5:33 PM, Stefan Mayr wrote:
Hi Christopher,
Am 01.10.2014 20:40, schrieb Christopher Schultz:
-BEGIN PGP SIGNED MESSAGE-
...
I've been trying to get mod_remoteip to handle the client's IP
address for me -- especially for logging -- but I'm having some
difficulty and have asked a question over on the httpd users'
list about that.
...
mod_remoteip can do more for you (if you need it). Just for the
purpose of logging the X-Forwarded-For-Header you could define a
custom LogFormat and add request headers like
\%{X-Forwarded-For}i\ to it.
Yes, but I don't need mod_remoteip if all I want to do is log the
client's IP. What I was hoping to to us to use mode_remoteip to just
substitute the client's IP for everything. That doesn't seem to be
working for me at all.
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJULHPeAAoJEBzwKT+lPKRY7T8P/iyLcWtf2V/COmPjPFiVQqnX
cmgDnzt8kzK4FX3fuERAjNLCK3l7ulhHHRn7hEScy3AFixF4sbFotYrAzaTdryiu
tJdx1KRpfN+faZoMZiwNo0zSXFOYeVim3Nn1ydI3MewU8D6cism//EAyHTp5owAu
ZJC7vMtEk7pxJkLI6ECJWx4u3ubpxeop3W4lePAzqC+1WecE0UtxRAC4KAzZq5Vr
e0xhE2c4WoNuoZcW3CvlhHhSZmnV+c86ROc/LqfaFAHlr8OnUcL7nJu1lCDR8aqr
YbMKpIMB7U/2YxEv0t4eFjKqHAtgRLfW9lrowLKQ04QJoXRvSYbFQrKsXypaTnk3
/0fnnKcFNFU+tgKwSM26nAXrMvd9RGflePTxaVnaBnKVGC6hJURltBcBtyhQD93j
pxdCap6FG6tn7rbWC0tgbNcdak4VYZOdcq9hY81a8Vebw7fEX1JfUF8NGUmBY5dg
KhFa79gkUlEnHUq+UQs7PvROFmP+/ylssXKRFnbNN7MauNQzn+nP3UbKM8WP+htB
Puct3J9Lh1e+tMPbnRPGWUyQr0HReHnp+TRM22Mv+wEPpKQP1ALRhBMuFnLiYKPm
4E3IaLLAGZTq7kIHLPSUBZU01+3pRANpZAXH05Qygd35gszuhlpjT0KqWa5B9Mw3
KcmWAgMrAYZQGSa/nwGC
=RNwv
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
