Re: Weird problerm accessing request headers from tomcat
Hi Andre, see below. You are not going to hear me slapping my face, but definitely doing a! :-) Cheers Martin -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de - Original Message From: André Warnier a...@ice-sa.com To: Tomcat Users List users@tomcat.apache.org Sent: Fri, May 27, 2011 6:01:28 PM Subject: Re: Weird problerm accessing request headers from tomcat Hi. I believe that you are making the often-made confusion between environment values (or variables), and HTTP headers content. In particular, here : seems you are right. Apache1 inserts the following variables into the requests it forwards to Apache1 (I suppose you meant Apache2 here) No. It does not do that. It adds some HTTP headers. This is different, see below. . Apache1 (I suppose you meant Apache2 here) can see them, I have checked that using cgi-bin/printenv (some values anonymized): HTTP_X_FORWARDED_FOR=aa.bb.cc.dd HTTP_X_FORWARDED_HOST=xxx.yyy.net HTTP_X_FORWARDED_PORT=443 HTTP_X_FORWARDED_PROTOCOL=https HTTP_X_FORWARDED_SERVER=aaa.bbb.ccc Your check does not show that at all. It shows something that is just confusing enough to get you confused as to what you are seeing. ;-) But you have excuses for your confusion, because the Apache documentation itself is very confusing as to environment variables. Indeed, the documentation leaves this pretty diffuse. What the cgi-bin script sees, are indeed environment values. These are set by the Apache process (Apache2), just before it executes the cgi-bin script. So the cgi-bin script sees them in its environment when it runs. (like with $ENV{'HTTP_X_FORWARDED_PORT'}) But there is no one-to-one relationship between what Apache finds in HTTP request headers, and the environment values which it sets for the cgi-bin scripts that it runs. Apache does convert some of the request HTTP header values into cgi-bin environment variables, but : - the name of the environment variable may be different from the corresponding HTTP header label (you see this yourself above : a HTTP header named X-forwarded-for: has been passed to the cgi-bin script as the environment value named HTTP_X_FORWARDED_FOR) - not all HTTP headers are converted and passed that way - some environment values passed to the cgi-bin script are not, and never were, HTTP headers of the request (for example, the cgi-bin environment values QUERY_STRING, or SCRIPT_FILENAME) Ok, that definitely explains what I am seeing. On the other hand : When a HTTP proxy server forwards a HTTP request to another HTTP server via the HTTP protocol, it forwards *all* the request headers and request content to this other server, as a HTTP request (otherwise, it would not be a valid HTTP proxy server). But it cannot forward environment values, because there is no defined way of doing this over the HTTP protocol. (*) But now I see your second post, and your problem is in fact much simpler. By doing this : h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_HOST: #{header['X_FORWARDED_HOST']} / what you are actually trying to retrieve, is the content of the HTTP request header X_FORWARDED_HOST: (I guess), but this HTTP header does not exist in the request. What you are giving as a HTTP header name, is actually what the cgi-bin environment value name was for your cgi-bin. Which, as I try to explain at long length above, is not the same thing. So you get back a null, and you think that the header was not there. But it is there, only under its real HTTP header name. Try something like value=X_FORWARDED_HOST: #{header['X-Forwarded-for']} / instead. Yup, using X-Forewarded-Host works as expected. Thanks a big lot. (Noise of self-slap on face ?). As I said above: no self slapping. Just amazement on how much there is still to learn after all these years :-) (*) However, when the proxy protocol used is AJP (as it is between Apache and Tomcat when using the mod_jk connector, or the mod_proxy_ajp connector), /then/ some additional values /can/ be passed along with the request (because the AJP protocol allows that). On the Tomcat side, these then appear as request attributes which the webapp can retrieve (via request.getAttribute(name)), but not as environment values of the Tomcat process for example. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Weird problerm accessing request headers from tomcat
Hi, sorry for the crosspost, but I am not sure where to ask. I am trying to understand a weird problem accessing HTTP request headers from a jsf page. The setup is as follows: apache1 - apache2 - mod_jk - tomcat Apache1 is accessible from the Internet and forwards requests to my application to apache2. I have no direct control over the setup of apache1 and I cannot look at the configuration. Apache2 (2.0.63 on Linux) is answering requests from the intranet and forwards them via mod_jk (1.2.30) to two loadbanced tomcats (Linux, 6.0.32). Apache1 inserts the following variables into the requests it forwards to Apache1. Apache1 can see them, I have checked that using cgi-bin/printenv (some values anonymized): HTTP_X_FORWARDED_FOR=aa.bb.cc.dd HTTP_X_FORWARDED_HOST=xxx.yyy.net HTTP_X_FORWARDED_PORT=443 HTTP_X_FORWARDED_PROTOCOL=https HTTP_X_FORWARDED_SERVER=aaa.bbb.ccc If I try to read those variables from the tomcat application using this facelett code: h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_HOST: #{header['X_FORWARDED_HOST']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_PROTOCOL: #{header['X_FORWARDED_PROTOCOL']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_PORT: #{header['X_FORWARDED_PORT']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_FOR: #{header['X_FORWARDED_FOR']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_SERVER: #{header['X_FORWARDED_SERVER']} / br / Only X_FORWARDED_PORT and X_FORWARDED_PROTOCOL are set. The other three are empty/null. It seem that somewhere they get dropped between Apache2, mod_jk and Tomcat. Now, I know that _PORT and _PROTOCOL are inserted at Apache1 using 'RequestHeader set X_FORWARDED_PROTOCOL https', while I do not know how the other three are generated. If I add 'RequestHeader set X_FORWARDED_HOST xxx.yyy.net' to the configuration from apache2, the application sees that header as well. Confused? so am I :-( Happy weekend Martin -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Weird problerm accessing request headers from tomcat
when your Apache2 is configured as reverse-proxy you are fowarding IP,RequestedHost and Proxy-Server specifically: When acting in a reverse-proxy mode (using the ProxyPass directive, for example), mod_proxy_http adds several request headers in order to pass information to the origin server. These headers are: X-Forwarded-ForThe IP address of the client.X-Forwarded-HostThe original host requested by the client in the Host HTTP request header.X-Forwarded-ServerThe hostname of the proxy server. http://httpd.apache.org/docs/2.2/mod/mod_proxy.html is this not the case? Martin __ Date: Fri, 27 May 2011 05:53:14 -0700 From: spamt...@knobisoft.de Subject: Weird problerm accessing request headers from tomcat To: users@tomcat.apache.org; us...@httpd.apache.org Hi, sorry for the crosspost, but I am not sure where to ask. I am trying to understand a weird problem accessing HTTP request headers from a jsf page. The setup is as follows: apache1 - apache2 - mod_jk - tomcat Apache1 is accessible from the Internet and forwards requests to my application to apache2. I have no direct control over the setup of apache1 and I cannot look at the configuration. Apache2 (2.0.63 on Linux) is answering requests from the intranet and forwards them via mod_jk (1.2.30) to two loadbanced tomcats (Linux, 6.0.32). Apache1 inserts the following variables into the requests it forwards to Apache1. Apache1 can see them, I have checked that using cgi-bin/printenv (some values anonymized): HTTP_X_FORWARDED_FOR=aa.bb.cc.dd HTTP_X_FORWARDED_HOST=xxx.yyy.net HTTP_X_FORWARDED_PORT=443 HTTP_X_FORWARDED_PROTOCOL=https HTTP_X_FORWARDED_SERVER=aaa.bbb.ccc If I try to read those variables from the tomcat application using this facelett code: h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_HOST: #{header['X_FORWARDED_HOST']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_PROTOCOL: #{header['X_FORWARDED_PROTOCOL']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_PORT: #{header['X_FORWARDED_PORT']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_FOR: #{header['X_FORWARDED_FOR']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_SERVER: #{header['X_FORWARDED_SERVER']} / br / Only X_FORWARDED_PORT and X_FORWARDED_PROTOCOL are set. The other three are empty/null. It seem that somewhere they get dropped between Apache2, mod_jk and Tomcat. Now, I know that _PORT and _PROTOCOL are inserted at Apache1 using 'RequestHeader set X_FORWARDED_PROTOCOL https', while I do not know how the other three are generated. If I add 'RequestHeader set X_FORWARDED_HOST xxx.yyy.net' to the configuration from apache2, the application sees that header as well. Confused? so am I :-( Happy weekend Martin -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Weird problerm accessing request headers from tomcat
Hi Martin, the reverse proxy (gateway) in my case would be apache1 me thinks. apache2 definitely does not use mod_proxy/ProxyPass. It is just loadbalancing two tomcat instances using mod_jk. My problem is (maybe I was not clear) that apache2 does see the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers apparently added by apache1, but that those are not visible in the requests reaching tomcat. If, just as an experiment, I use RequestHeader set in the apache2 ssl configuration, tomcat sees them. Same is true for the _PORT and _PROTOCOL headers that are added on apache1 via RequestHeader set. Did I express myself better this time? There must be some handling differences between headers added from mod_proxy (if that is used by apache1 I will not find out before some time next week) and those added by mod_headers. Thanks Martin :-) -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de - Original Message From: Martin Gainty mgai...@hotmail.com To: Tomcat Users List users@tomcat.apache.org Sent: Fri, May 27, 2011 3:29:32 PM Subject: RE: Weird problerm accessing request headers from tomcat when your Apache2 is configured as reverse-proxy you are fowarding IP,RequestedHost and Proxy-Server specifically: When acting in a reverse-proxy mode (using the ProxyPass directive, for example), mod_proxy_http adds several request headers in order to pass information to the origin server. These headers are: X-Forwarded-ForThe IP address of the client.X-Forwarded-HostThe original host requested by the client in the Host HTTP request header.X-Forwarded-ServerThe hostname of the proxy server. http://httpd.apache.org/docs/2.2/mod/mod_proxy.html is this not the case? Martin __ Date: Fri, 27 May 2011 05:53:14 -0700 From: spamt...@knobisoft.de Subject: Weird problerm accessing request headers from tomcat To: users@tomcat.apache.org; us...@httpd.apache.org Hi, sorry for the crosspost, but I am not sure where to ask. I am trying to understand a weird problem accessing HTTP request headers from a jsf page. The setup is as follows: apache1 - apache2 - mod_jk - tomcat Apache1 is accessible from the Internet and forwards requests to my application to apache2. I have no direct control over the setup of apache1 and I cannot look at the configuration. Apache2 (2.0.63 on Linux) is answering requests from the intranet and forwards them via mod_jk (1.2.30) to two loadbanced tomcats (Linux, 6.0.32). Apache1 inserts the following variables into the requests it forwards to Apache1. Apache1 can see them, I have checked that using cgi-bin/printenv (some values anonymized): HTTP_X_FORWARDED_FOR=aa.bb.cc.dd HTTP_X_FORWARDED_HOST=xxx.yyy.net HTTP_X_FORWARDED_PORT=443 HTTP_X_FORWARDED_PROTOCOL=https HTTP_X_FORWARDED_SERVER=aaa.bbb.ccc If I try to read those variables from the tomcat application using this facelett code: h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_HOST: #{header['X_FORWARDED_HOST']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_PROTOCOL: #{header['X_FORWARDED_PROTOCOL']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_PORT: #{header['X_FORWARDED_PORT']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_FOR: #{header['X_FORWARDED_FOR']} / br / h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_SERVER: #{header['X_FORWARDED_SERVER']} / br / Only X_FORWARDED_PORT and X_FORWARDED_PROTOCOL are set. The other three are empty/null. It seem that somewhere they get dropped between Apache2, mod_jk and Tomcat. Now, I know that _PORT and _PROTOCOL are inserted at Apache1 using 'RequestHeader set X_FORWARDED_PROTOCOL https', while I do not know how the other three are generated. If I add 'RequestHeader set X_FORWARDED_HOST xxx.yyy.net' to the configuration from apache2, the application sees that header as well. Confused? so am I :-( Happy weekend Martin -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Weird problerm accessing request headers from tomcat
Hi. I believe that you are making the often-made confusion between environment values (or variables), and HTTP headers content. In particular, here : Apache1 inserts the following variables into the requests it forwards to Apache1 (I suppose you meant Apache2 here) No. It does not do that. It adds some HTTP headers. This is different, see below. . Apache1 (I suppose you meant Apache2 here) can see them, I have checked that using cgi-bin/printenv (some values anonymized): HTTP_X_FORWARDED_FOR=aa.bb.cc.dd HTTP_X_FORWARDED_HOST=xxx.yyy.net HTTP_X_FORWARDED_PORT=443 HTTP_X_FORWARDED_PROTOCOL=https HTTP_X_FORWARDED_SERVER=aaa.bbb.ccc Your check does not show that at all. It shows something that is just confusing enough to get you confused as to what you are seeing. ;-) But you have excuses for your confusion, because the Apache documentation itself is very confusing as to environment variables. What the cgi-bin script sees, are indeed environment values. These are set by the Apache process (Apache2), just before it executes the cgi-bin script. So the cgi-bin script sees them in its environment when it runs. (like with $ENV{'HTTP_X_FORWARDED_PORT'}) But there is no one-to-one relationship between what Apache finds in HTTP request headers, and the environment values which it sets for the cgi-bin scripts that it runs. Apache does convert some of the request HTTP header values into cgi-bin environment variables, but : - the name of the environment variable may be different from the corresponding HTTP header label (you see this yourself above : a HTTP header named X-forwarded-for: has been passed to the cgi-bin script as the environment value named HTTP_X_FORWARDED_FOR) - not all HTTP headers are converted and passed that way - some environment values passed to the cgi-bin script are not, and never were, HTTP headers of the request (for example, the cgi-bin environment values QUERY_STRING, or SCRIPT_FILENAME) On the other hand : When a HTTP proxy server forwards a HTTP request to another HTTP server via the HTTP protocol, it forwards *all* the request headers and request content to this other server, as a HTTP request (otherwise, it would not be a valid HTTP proxy server). But it cannot forward environment values, because there is no defined way of doing this over the HTTP protocol. (*) But now I see your second post, and your problem is in fact much simpler. By doing this : h:outputText style=font: bold 14px sans-serif; value=X_FORWARDED_HOST: #{header['X_FORWARDED_HOST']} / what you are actually trying to retrieve, is the content of the HTTP request header X_FORWARDED_HOST: (I guess), but this HTTP header does not exist in the request. What you are giving as a HTTP header name, is actually what the cgi-bin environment value name was for your cgi-bin. Which, as I try to explain at long length above, is not the same thing. So you get back a null, and you think that the header was not there. But it is there, only under its real HTTP header name. Try something like value=X_FORWARDED_HOST: #{header['X-Forwarded-for']} / instead. (Noise of self-slap on face ?). (*) However, when the proxy protocol used is AJP (as it is between Apache and Tomcat when using the mod_jk connector, or the mod_proxy_ajp connector), /then/ some additional values /can/ be passed along with the request (because the AJP protocol allows that). On the Tomcat side, these then appear as request attributes which the webapp can retrieve (via request.getAttribute(name)), but not as environment values of the Tomcat process for example. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org