Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, On 10/1/14 10:26 AM, Christopher Schultz wrote: I'm interested in using AWS ELB for SSL termination but allowing the client's TLS connection information to be forwarded all the way through the chain to Tomcat. The setup looks like this: ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1 (t0 and t1 are repeated because otherwise the diagram would be even more difficult to read). w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The client's connection is TLS terminated at ELB and whether the connections between ELB/wx/tx are encrypted should be immaterial. I'm using mod_jk from httpd - Tomcat. ELB provides the following HTTP headers to wx: X-Forwarded-For (client's IP) X-Forwarded-Port443 X-Forwarded-Proto https Unfortunately, it looks like I can't get things like the cipher default, etc. but I'm okay with that for the time being. I'm wondering two things: 1. How can I get Apache httpd to trust that the connection is encrypted? I want to be able to use RequireSSL for certain resources and have httpd trust that the connection coming from the ELB is in fact secure. 2. How can I use that connection information to tell mod_jk that things are to be trusted as well? For #2, I might just be able to use SetEnv to set REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is encrypted. Should I set up a separate VirtualHost on a different (non-80) port that is configured only for ELB connections and then force SSL to on regardless of the actual incoming connections? That would allow me to use port 80 for regular web traffic and not have to worry about proper checking to make sure that the connection was in fact coming from the ELB and not directly into the web server. I have some information for those wanting to do this. Here is a write-up someone did for how to get Apache to log things appropriately when using AWS ELB: http://knowledgevoid.com/blog/2012/01/13/logging-the-correct-ip-address-using-apache-2-2-x-and-amazons-elastic-load-balancer/ Here are the two configurations I was able to get working and a few notes about them. I would highly recommend that anyone using ELB set up an ELB-only VirtualHost that only handles requests being proxied through the ELB. This will protect you against some misconfigurations, etc. that might allow remote users to get access to resources they should not, or be able to forge certain parts of the request. Something like this: VirtualHost *:81 (remaining configuration) /VirtualHost Remember that you will have to Listen 81 somewhere. If you have httpd 2.4, then you have mod_remoteip out of the box. That's nice: # Trust AWS ELB's X-Forwarded-For header # This will set REMOTE_ADDR to the client's real IP RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 10.0.0.0/8 # Handle ELB requests; maintain client information SetEnvIf X-Forwarded-Proto https HTTPS=On SetEnvIf X-Forwarded-Port (.*) JK_LOCAL_PORT=$1 That last SetEnvIf is nearly entirely useless (because nobody really cares about users' port numbers), but I put it in there for completeness. Also, mod_remoteip will adjust the value of the REMOTE_ADDR environment variable -- which is visible to CGI-style programs as well as mod_jk/Tomcat/etc. but *it will not work in log files* if you use %h as your remote-ip log format. You will have to use %a instead. On AWS Linux, the httpd package comes with both combined and common log formats defined using %h so you'll have to change those to %a. If you have httpd 2.2. instead, you'll have to do things a bit differently (unless you want to use the back-port of mod_remoteip for httpd 2.2): # Handle ELB requests; maintain client information SetEnvIf X-Forwarded-Proto https HTTPS=On SetEnvIf X-Forwarded-For (.*) REMOTE_ADDR=$1 JK_REMOTE_ADDR=$1 SetEnvIf X-Forwarded-Port (.*) JK_LOCAL_PORT=$1 Location / Order deny,allow Deny from all Allow from 10.0.0.0/8 /Location If you want to log properly, I think the best thing to do is change %h (or %a) in your log formats to %{X-Forwarded-For}i or, if you want to be super-correct, you want to do something like this: # The following line has been split over multiple lines. # httpd doesn't support this; it's for email readability only SetEnvIf X-Forwarded-For \ ^.*?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+) \ XFFCLIENTIP=$1 LogFormat ... %{XFFCLIENTIP}e ... format-name CustomLog access_log format-name This won't get you the right client IP address in error.log, though. I'm not exactly sure how to do that. Apparently, setting REMOTE_ADDR is only useful for CGI-style interaction and has no effect on how httpd does logging, etc. It also seems that you cannot re-define a LogFormat. I tried re-defining my combined log format in a VirtualHost and it did not work. Using a different LogFormat
[OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm interested in using AWS ELB for SSL termination but allowing the client's TLS connection information to be forwarded all the way through the chain to Tomcat. The setup looks like this: ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1 (t0 and t1 are repeated because otherwise the diagram would be even more difficult to read). w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The client's connection is TLS terminated at ELB and whether the connections between ELB/wx/tx are encrypted should be immaterial. I'm using mod_jk from httpd - Tomcat. ELB provides the following HTTP headers to wx: X-Forwarded-For (client's IP) X-Forwarded-Port443 X-Forwarded-Proto https Unfortunately, it looks like I can't get things like the cipher default, etc. but I'm okay with that for the time being. I'm wondering two things: 1. How can I get Apache httpd to trust that the connection is encrypted? I want to be able to use RequireSSL for certain resources and have httpd trust that the connection coming from the ELB is in fact secure. 2. How can I use that connection information to tell mod_jk that things are to be trusted as well? For #2, I might just be able to use SetEnv to set REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is encrypted. Should I set up a separate VirtualHost on a different (non-80) port that is configured only for ELB connections and then force SSL to on regardless of the actual incoming connections? That would allow me to use port 80 for regular web traffic and not have to worry about proper checking to make sure that the connection was in fact coming from the ELB and not directly into the web server. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULA8qAAoJEBzwKT+lPKRYMf4P/2yONDv5rQFgHguhMeWv8BJs jbv8bLOOK5Vf+r5idJgyEgOFEI4jbEKfGdhIvD5BasT4PZF65sn3AsOXQpav9GA4 kgomQHDipou3u5PFGi2d3xQQsDB9MjOTfAmmvQFNEnPxtisYQA+wNHGGxJDwyHIZ tJkS4jP8mA3vxLaoCLoSiOi2MEGr2nbj5Xcfd75F2IXfci9QEhGEgsUxyFq+K+Vb p+GVv4px55+zO9sLaIk6SiaNOGI3p86W+IX5spvoxO2Qxah+DVSoq9HRGryWd/Wn O3ZwSGqCHYKsPI1xHECaN/58pAR7polyU5nEFmzWbxFhc31Q2hpDkZuyZ3SIY2u1 7lLY+Zx41nizjfjeYeIcMtZ4OBj0uHBSj5qzLehF7zItZoRqEhgv2b4yn8vJjIj0 GF4wpVqAqSWaIJ2F1C9ZjTnL9LhTJHZBurpt1JDSe7ALS/s4EoEQ/rbaz9kEUMNq BBThIapN+VXCwaqsA7hQliCWRoGuP2kNFStsatgeaNaBZd5Cf8cg8iTSUcoDR4UW Z4CHSi/4H6uD3wmcI6Jca7dfJEY+eNGM3zLsUF1hQPYP9MG6Fohy6h/UGGhlRehh sXZ6bL0oVfGVxSM9gMCDQzB4ptb9zuqU5UgWjKEB50lbwXgMLUm7XP3/C/bY7Zgt cXABRHoZSqoq2tPV1Lov =g2oZ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm interested in using AWS ELB for SSL termination but allowing the client's TLS connection information to be forwarded all the way through the chain to Tomcat. The setup looks like this: ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1 (t0 and t1 are repeated because otherwise the diagram would be even more difficult to read). w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The client's connection is TLS terminated at ELB and whether the connections between ELB/wx/tx are encrypted should be immaterial. I'm using mod_jk from httpd - Tomcat. ELB provides the following HTTP headers to wx: X-Forwarded-For (client's IP) X-Forwarded-Port443 X-Forwarded-Proto https Unfortunately, it looks like I can't get things like the cipher default, etc. but I'm okay with that for the time being. I'm wondering two things: 1. How can I get Apache httpd to trust that the connection is encrypted? I want to be able to use RequireSSL for certain resources and have httpd trust that the connection coming from the ELB is in fact secure. Maybe i'm missing something, but you can check that X-Forwarded-Proto header contains https? Seems a bit risky, maybe additionally adding another check that the incomming request comes from ELB's IP(s)? 2. How can I use that connection information to tell mod_jk that things are to be trusted as well? Just pass a custom header. BTW Are you encrypting the w --- t connections as well? BTW I recall a setup i've made times ago, where the SSL termination was on the apache webservers, ex: LB (tcp) https --- apache httpd (SSL Termination doing client certificate verification) / mod_jk --- AJP --- Tomcat I was able to send client's certificate information as headers to tomcat. But not sure this is your situation. For #2, I might just be able to use SetEnv to set REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is encrypted. Should I set up a separate VirtualHost on a different (non-80) port that is configured only for ELB connections and then force SSL to on regardless of the actual incoming connections? Maybe this can help: RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC] RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0] This way you send to tomcat as REMOTE_ADDR the contents of the X-Forwarded-For header That would allow me to use port 80 for regular web traffic and not have to worry about proper checking to make sure that the connection was in fact coming from the ELB and not directly into the web server. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULA8qAAoJEBzwKT+lPKRYMf4P/2yONDv5rQFgHguhMeWv8BJs jbv8bLOOK5Vf+r5idJgyEgOFEI4jbEKfGdhIvD5BasT4PZF65sn3AsOXQpav9GA4 kgomQHDipou3u5PFGi2d3xQQsDB9MjOTfAmmvQFNEnPxtisYQA+wNHGGxJDwyHIZ tJkS4jP8mA3vxLaoCLoSiOi2MEGr2nbj5Xcfd75F2IXfci9QEhGEgsUxyFq+K+Vb p+GVv4px55+zO9sLaIk6SiaNOGI3p86W+IX5spvoxO2Qxah+DVSoq9HRGryWd/Wn O3ZwSGqCHYKsPI1xHECaN/58pAR7polyU5nEFmzWbxFhc31Q2hpDkZuyZ3SIY2u1 7lLY+Zx41nizjfjeYeIcMtZ4OBj0uHBSj5qzLehF7zItZoRqEhgv2b4yn8vJjIj0 GF4wpVqAqSWaIJ2F1C9ZjTnL9LhTJHZBurpt1JDSe7ALS/s4EoEQ/rbaz9kEUMNq BBThIapN+VXCwaqsA7hQliCWRoGuP2kNFStsatgeaNaBZd5Cf8cg8iTSUcoDR4UW Z4CHSi/4H6uD3wmcI6Jca7dfJEY+eNGM3zLsUF1hQPYP9MG6Fohy6h/UGGhlRehh sXZ6bL0oVfGVxSM9gMCDQzB4ptb9zuqU5UgWjKEB50lbwXgMLUm7XP3/C/bY7Zgt cXABRHoZSqoq2tPV1Lov =g2oZ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Frederik, On 10/1/14 11:15 AM, Frederik Nosi wrote: Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote: All, I'm interested in using AWS ELB for SSL termination but allowing the client's TLS connection information to be forwarded all the way through the chain to Tomcat. The setup looks like this: ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1 (t0 and t1 are repeated because otherwise the diagram would be even more difficult to read). w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The client's connection is TLS terminated at ELB and whether the connections between ELB/wx/tx are encrypted should be immaterial. I'm using mod_jk from httpd - Tomcat. ELB provides the following HTTP headers to wx: X-Forwarded-For (client's IP) X-Forwarded-Port 443 X-Forwarded-Proto https Unfortunately, it looks like I can't get things like the cipher default, etc. but I'm okay with that for the time being. I'm wondering two things: 1. How can I get Apache httpd to trust that the connection is encrypted? I want to be able to use RequireSSL for certain resources and have httpd trust that the connection coming from the ELB is in fact secure. Maybe i'm missing something, but you can check that X-Forwarded-Proto header contains https? Seems a bit risky, maybe additionally adding another check that the incomming request comes from ELB's IP(s)? Yes, I can check this. I can also ensure that the port is only accessible from the ELB. I'm less worried about this and more worried about getting everything else working first. Protecting the connection itself will not be a problem. 2. How can I use that connection information to tell mod_jk that things are to be trusted as well? Just pass a custom header. BTW Are you encrypting the w --- t connections as well? BTW I recall a setup i've made times ago, where the SSL termination was on the apache webservers, ex: LB (tcp) https --- apache httpd (SSL Termination doing client certificate verification) / mod_jk --- AJP --- Tomcat I was able to send client's certificate information as headers to tomcat. But not sure this is your situation. I don't need to use client certificates, but being able to support them would be nice. AWS ELB seems to support TCP pass-through but you can't do it for port 443. If you want to use port 443, you can either choose HTTPS/SSL or TCP/SSL. If you choose HTTPS/SSL then you have to use either HTTP or HTTPS as the back-end protocol. For some reason, choosing HTTPS causes endless stalling when trying to make a connection. Using TCP/SSL - TCP/SSL (what I would call TCP pass-through) ought to allow me to do SSL termination at the web server level, accept client certificates, and have mod_ssk work without any modification at all. I think in order to do this, I have to configure Apache httpd to accept connections using the proxy protocol, and I'm not sure how to do that. For #2, I might just be able to use SetEnv to set REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is encrypted. Should I set up a separate VirtualHost on a different (non-80) port that is configured only for ELB connections and then force SSL to on regardless of the actual incoming connections? Maybe this can help: RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC] RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0] This way you send to tomcat as REMOTE_ADDR the contents of the X-Forwarded-For header Why use mod_rewrite (slow) when you can use mod_setenvif (fast)? SetEnvIf X-Forwarded-For (.*) JK_REMOTE_ADDR=$1 What I'm mainly looking for is a way to say the incoming connection (from ELB) is HTTP and I want to pretend that the connection is HTTPS. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULCZeAAoJEBzwKT+lPKRYHQcP/1tdeiy0lWAHcQ2vG4HrpACy ni5Ac17Z5gSeqQyol66/NiOPBnRM9NaZqLg6wpIps+8SaZuKnHir2IgnWXOBo7lQ 81aJokPIivwO74ang6lnfJJR2vYCYLn7eONI6+qqSWlk+Mw2CoLbsGoPxVeeBBe7 AE+2QZnzj9NtuhlGiIKvlPQXmJBs/VgBiEq23wFsikLisY0eHMkwGcYnuPZ9KYil qHxxmfntPgMH+uhCcxwGHrXlLJLCCGZCFv3xQHkCKC5Ndb9mnGBY1b0IcplPwOvQ zbRVHdJcewE36hHECE5r2Z4a44ThKMLPEz1wZVCJm5ljEZiyuVq181ukkotBdvT8 y3/WuHwzZV8z6mdCNGBoB/Y4RdXfyfwaIKFZwlM3OhBcPVD+jki82dE/7tLZ3mlZ AUj5pBGuoePVV8hnrukLi+DM4sJ6CZ6zLq0OKX3MzfF8n8/kG7vr20ntTi7mjTDs Suk3lLr2L+Y7LBOzeepbThGK3CtCMm3OGZisuN90Pf9yrnuxDRJigpPUSeKdO0uQ rJMx9gqRWiBl2jbWO6bsF4Aqy4wGVA+zyG9oTWMWDegU3uXHVAZdVb/R1YRZ18Qk wH826ul3NMaUUGmWS6rpGpKpFm8V4UZ+qtz8eaMkBet3YOzYLBqJQ4xj5Co2K+g+ ZNKUGsHHHFYdVK9HyKcL =PcDT -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Hi Christopher, On 10/01/2014 06:05 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Frederik, On 10/1/14 11:15 AM, Frederik Nosi wrote: Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote: All, I'm interested in using AWS ELB for SSL termination but allowing the client's TLS connection information to be forwarded all the way through the chain to Tomcat. The setup looks like this: ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1 (t0 and t1 are repeated because otherwise the diagram would be even more difficult to read). w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The client's connection is TLS terminated at ELB and whether the connections between ELB/wx/tx are encrypted should be immaterial. I'm using mod_jk from httpd - Tomcat. ELB provides the following HTTP headers to wx: X-Forwarded-For (client's IP) X-Forwarded-Port 443 X-Forwarded-Proto https Unfortunately, it looks like I can't get things like the cipher default, etc. but I'm okay with that for the time being. I'm wondering two things: 1. How can I get Apache httpd to trust that the connection is encrypted? I want to be able to use RequireSSL for certain resources and have httpd trust that the connection coming from the ELB is in fact secure. Maybe i'm missing something, but you can check that X-Forwarded-Proto header contains https? Seems a bit risky, maybe additionally adding another check that the incomming request comes from ELB's IP(s)? Yes, I can check this. I can also ensure that the port is only accessible from the ELB. I'm less worried about this and more worried about getting everything else working first. Protecting the connection itself will not be a problem. Maybe i didn't got your question right, what you're interested first, is letting know to tomcat that the client is using a secure connection? If so you can just pass a custom header from apache to tomcat, but this seems too easy :-) 2. How can I use that connection information to tell mod_jk that things are to be trusted as well? Just pass a custom header. BTW Are you encrypting the w --- t connections as well? BTW I recall a setup i've made times ago, where the SSL termination was on the apache webservers, ex: LB (tcp) https --- apache httpd (SSL Termination doing client certificate verification) / mod_jk --- AJP --- Tomcat I was able to send client's certificate information as headers to tomcat. But not sure this is your situation. I don't need to use client certificates, but being able to support them would be nice. AWS ELB seems to support TCP pass-through but you can't do it for port 443. If you want to use port 443, you can either choose HTTPS/SSL or TCP/SSL. If you choose HTTPS/SSL then you have to use either HTTP or HTTPS as the back-end protocol. For some reason, choosing HTTPS causes endless stalling when trying to make a connection. I would get a tcpdump from the apache frontend, maybe you can get more info this way. Using TCP/SSL - TCP/SSL (what I would call TCP pass-through) ought to allow me to do SSL termination at the web server level, accept client certificates, and have mod_ssk work without any modification at all. I think in order to do this, I have to configure Apache httpd to accept connections using the proxy protocol, and I'm not sure how to do that. Hmm, didn't knowed about this protocol before. From some quick googling and reading, seems interesting, as at your endpoint the connection comes from ELBs'IP not from the client's IP, this protocol adds the missing info, real client ip. http://blog.haproxy.com/haproxy/proxy-protocol/ So using this seems you need to add another piece to you'r infrastructure. For #2, I might just be able to use SetEnv to set REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is encrypted. Should I set up a separate VirtualHost on a different (non-80) port that is configured only for ELB connections and then force SSL to on regardless of the actual incoming connections? Maybe this can help: RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC] RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0] This way you send to tomcat as REMOTE_ADDR the contents of the X-Forwarded-For header Why use mod_rewrite (slow) when you can use mod_setenvif (fast)? SetEnvIf X-Forwarded-For (.*) JK_REMOTE_ADDR=$1 Indeed is better your way What I'm mainly looking for is a way to say the incoming connection (from ELB) is HTTP and I want to pretend that the connection is HTTPS. Then the easier solution seems using ELB for SSL termination and using the X-Forwarded-Proto header, passing from apache to tomcat [...] - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Frederik, On 10/1/14 12:52 PM, Frederik Nosi wrote: Hi Christopher, On 10/01/2014 06:05 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Frederik, On 10/1/14 11:15 AM, Frederik Nosi wrote: Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote: All, I'm interested in using AWS ELB for SSL termination but allowing the client's TLS connection information to be forwarded all the way through the chain to Tomcat. The setup looks like this: ELB /\ / \ /\ w0w1 / \ / \ t0 t1 t0 t1 (t0 and t1 are repeated because otherwise the diagram would be even more difficult to read). w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat. The client's connection is TLS terminated at ELB and whether the connections between ELB/wx/tx are encrypted should be immaterial. I'm using mod_jk from httpd - Tomcat. ELB provides the following HTTP headers to wx: X-Forwarded-For (client's IP) X-Forwarded-Port 443 X-Forwarded-Proto https Unfortunately, it looks like I can't get things like the cipher default, etc. but I'm okay with that for the time being. I'm wondering two things: 1. How can I get Apache httpd to trust that the connection is encrypted? I want to be able to use RequireSSL for certain resources and have httpd trust that the connection coming from the ELB is in fact secure. Maybe i'm missing something, but you can check that X-Forwarded-Proto header contains https? Seems a bit risky, maybe additionally adding another check that the incomming request comes from ELB's IP(s)? Yes, I can check this. I can also ensure that the port is only accessible from the ELB. I'm less worried about this and more worried about getting everything else working first. Protecting the connection itself will not be a problem. Maybe i didn't got your question right, what you're interested first, is letting know to tomcat that the client is using a secure connection? If so you can just pass a custom header from apache to tomcat, but this seems too easy :-) No, I'm interested in convincing Apache httpd that the original connection was encrypted. Basically, I want the equivalent of Tomcat's secure=true configuration option. 2. How can I use that connection information to tell mod_jk that things are to be trusted as well? Just pass a custom header. BTW Are you encrypting the w --- t connections as well? BTW I recall a setup i've made times ago, where the SSL termination was on the apache webservers, ex: LB (tcp) https --- apache httpd (SSL Termination doing client certificate verification) / mod_jk --- AJP --- Tomcat I was able to send client's certificate information as headers to tomcat. But not sure this is your situation. I don't need to use client certificates, but being able to support them would be nice. AWS ELB seems to support TCP pass-through but you can't do it for port 443. If you want to use port 443, you can either choose HTTPS/SSL or TCP/SSL. If you choose HTTPS/SSL then you have to use either HTTP or HTTPS as the back-end protocol. For some reason, choosing HTTPS causes endless stalling when trying to make a connection. I would get a tcpdump from the apache frontend, maybe you can get more info this way. Yes, obviously I can do that. I was hoping that resorting to packet-tracing would not be necessary. Using TCP/SSL - TCP/SSL (what I would call TCP pass-through) ought to allow me to do SSL termination at the web server level, accept client certificates, and have mod_ssk work without any modification at all. I think in order to do this, I have to configure Apache httpd to accept connections using the proxy protocol, and I'm not sure how to do that. Hmm, didn't knowed about this protocol before. From some quick googling and reading, seems interesting, as at your endpoint the connection comes from ELBs'IP not from the client's IP, this protocol adds the missing info, real client ip. http://blog.haproxy.com/haproxy/proxy-protocol/ So using this seems you need to add another piece to you'r infrastructure. For #2, I might just be able to use SetEnv to set REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say yes, this is encrypted. Should I set up a separate VirtualHost on a different (non-80) port that is configured only for ELB connections and then force SSL to on regardless of the actual incoming connections? Maybe this can help: RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC] RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0] This way you send to tomcat as REMOTE_ADDR the contents of the X-Forwarded-For header Why use mod_rewrite (slow) when you can use mod_setenvif (fast)? SetEnvIf X-Forwarded-For (.*) JK_REMOTE_ADDR=$1 Indeed is better your way What I'm mainly looking for is a way to say the incoming connection (from ELB) is HTTP and I want to
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Am 01.10.2014 19:18, schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- ... What I'm mainly looking for is a way to say the incoming connection (from ELB) is HTTP and I want to pretend that the connection is HTTPS. Then the easier solution seems using ELB for SSL termination and using the X-Forwarded-Proto header, passing from apache to tomcat Yes. Just looking for a way to say oh, the connection is also encrypted. If I remember correctly this needs only one line in Apache httpd to forward it to Tomcat SetEnvIf X-Forwarded-Proto https HTTPS=on mod_jk should use this information and mark it as a secure connection for you. Then you can require a secure connection in your webapp web.xml or check it in httpd with the same environment variable: Order Deny,Allow Deny from all Allow from env=HTTPS If the httpd is only a helper process to pass this information to Tomcat you can also use the Proxy-Valves: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support Something like this should serve your purpose: Valve className=org.apache.catalina.valves.RemoteIpValve protocolHeader=x-forwarded-proto portHeader=x-forwarded-port / Togehter with transport-guarantee CONFIDENTIAL in your web.xml this would eliminate the need to configure anything on Apache httpd at all. - Stefan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Stefan, On 10/1/14 2:18 PM, Stefan Mayr wrote: Am 01.10.2014 19:18, schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- ... What I'm mainly looking for is a way to say the incoming connection (from ELB) is HTTP and I want to pretend that the connection is HTTPS. Then the easier solution seems using ELB for SSL termination and using the X-Forwarded-Proto header, passing from apache to tomcat Yes. Just looking for a way to say oh, the connection is also encrypted. If I remember correctly this needs only one line in Apache httpd to forward it to Tomcat SetEnvIf X-Forwarded-Proto https HTTPS=on This is where I have gotten so far, actually. I've been trying to get mod_remoteip to handle the client's IP address for me -- especially for logging -- but I'm having some difficulty and have asked a question over on the httpd users' list about that. mod_jk should use this information and mark it as a secure connection for you. Then you can require a secure connection in your webapp web.xml or check it in httpd with the same environment variable: Order Deny,Allow Deny from all Allow from env=HTTPS I didn't know that you could do Allow from env=HTTPS. I'll definitely do that. I was also doing Allow from 10.0.0.0/8 so that only my ELB could access the VirtualHost I'm configuring. If the httpd is only a helper process to pass this information to Tomcat you can also use the Proxy-Valves: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support Something like this should serve your purpose: Valve className=org.apache.catalina.valves.RemoteIpValve protocolHeader=x-forwarded-proto portHeader=x-forwarded-port / I'd prefer to handle this at the httpd level if for no other reason than logging. Together with transport-guarantee CONFIDENTIAL in your web.xml this would eliminate the need to configure anything on Apache httpd at all. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULEqCAAoJEBzwKT+lPKRYKSUP/13RcT/81IevhKnZpWq8yj4A eJeGk2FXG3dzziO/NQq5OGUYftDCjIeY/Iwu7r5JbdjncDO6R+SMyTEBQ09rXD8L aQCVt+mXFPU4XOeNC292o+ju1FwUS8dyEj3nPOslIarM4jOTgFo5FoZnTO/ML8pg ho9hIUZsIQb0Tf+YlSND8gMl3Lz/N0TQFTOALcub32gGJb7PztYhqj3lEttWkFL0 5Jg368WGL22aDP3VFXjNruOiLTDV0JQH9XOojMGBV5J/5logbqTvAQpVQew3KLHW 1M0xF4Hu99JyNUdRUa8LB8gmMKcVtTArVWpjb0aKV7tXr6/dszHT0PMfRRZNCII5 ObZB+8ZGOnV6YWXgefkwiERFwa2ibjRaup/D+R6GwY4aJjJ8bR+e9Zs2HzS3nPAA 3YP5zGYYFcAu2bkw3IPCTUYdM1PHJxNIVEQ/NaMR1rEltD3v1lFjkSgq5FDl/17c oV9aUgCtIRyz5ZDVS8j4zjEak6+wEn7mJZ3BNU4S9wpkuKJgi/e7l/PfqbcFNwlF RS0f2j6Z9JtYNtjlNjYdpMbnnwhN3LKOBBmXQ/77PVi0WMms5Yj1HDwZxFvQNfGx xPu+ACMweviCdza7dm7aWTx+wBg8cx5SPwn9oONpQyn54ssJzw33wOobfNDtCkPG GeMPjnzD3XHwjXAM6c61 =STcf -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
Hi Christopher, Am 01.10.2014 20:40, schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- ... I've been trying to get mod_remoteip to handle the client's IP address for me -- especially for logging -- but I'm having some difficulty and have asked a question over on the httpd users' list about that. ... mod_remoteip can do more for you (if you need it). Just for the purpose of logging the X-Forwarded-For-Header you could define a custom LogFormat and add request headers like \%{X-Forwarded-For}i\ to it. - Stefan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Forward TLS connection information from AWS ELB - httpd - Tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Stefan, On 10/1/14 5:33 PM, Stefan Mayr wrote: Hi Christopher, Am 01.10.2014 20:40, schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- ... I've been trying to get mod_remoteip to handle the client's IP address for me -- especially for logging -- but I'm having some difficulty and have asked a question over on the httpd users' list about that. ... mod_remoteip can do more for you (if you need it). Just for the purpose of logging the X-Forwarded-For-Header you could define a custom LogFormat and add request headers like \%{X-Forwarded-For}i\ to it. Yes, but I don't need mod_remoteip if all I want to do is log the client's IP. What I was hoping to to us to use mode_remoteip to just substitute the client's IP for everything. That doesn't seem to be working for me at all. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJULHPeAAoJEBzwKT+lPKRY7T8P/iyLcWtf2V/COmPjPFiVQqnX cmgDnzt8kzK4FX3fuERAjNLCK3l7ulhHHRn7hEScy3AFixF4sbFotYrAzaTdryiu tJdx1KRpfN+faZoMZiwNo0zSXFOYeVim3Nn1ydI3MewU8D6cism//EAyHTp5owAu ZJC7vMtEk7pxJkLI6ECJWx4u3ubpxeop3W4lePAzqC+1WecE0UtxRAC4KAzZq5Vr e0xhE2c4WoNuoZcW3CvlhHhSZmnV+c86ROc/LqfaFAHlr8OnUcL7nJu1lCDR8aqr YbMKpIMB7U/2YxEv0t4eFjKqHAtgRLfW9lrowLKQ04QJoXRvSYbFQrKsXypaTnk3 /0fnnKcFNFU+tgKwSM26nAXrMvd9RGflePTxaVnaBnKVGC6hJURltBcBtyhQD93j pxdCap6FG6tn7rbWC0tgbNcdak4VYZOdcq9hY81a8Vebw7fEX1JfUF8NGUmBY5dg KhFa79gkUlEnHUq+UQs7PvROFmP+/ylssXKRFnbNN7MauNQzn+nP3UbKM8WP+htB Puct3J9Lh1e+tMPbnRPGWUyQr0HReHnp+TRM22Mv+wEPpKQP1ALRhBMuFnLiYKPm 4E3IaLLAGZTq7kIHLPSUBZU01+3pRANpZAXH05Qygd35gszuhlpjT0KqWa5B9Mw3 KcmWAgMrAYZQGSa/nwGC =RNwv -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org