On 12/18/24 8:21 AM, Devine, Harry (FAA) wrote:
> So my Tomcat server.xml, near the bottom, has:
>
>     <Host name="localhost" appBase="webapps"
>           unpackWARs="true" autoDeploy="true">
>       <Context path="" docBase="guacamole" debug="0"
>                reloadable="true" />
>       <Valve className="org.apache.catalina.valves.RemoteIpValve"
>              internalProxies="127.0.0.1"
>              remoteIpHeader="x-forwarded-for"
>              remoteIpProxiesHeader="x-forwarded-by"
>              protocolHeader="x-forwarded-proto" />
So long as your reverse proxy is always connecting from 127.0.0.1 (and
never any other address, such as an IPv6 address), this looks fine.
Beware that "internalProxies" actually accepts a regular expression, so
you'll need to escape those periods to have this truly mean what you intend.
See:
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve/Attributes
...
> Do I need any Apache proxy headers set? I saw something about
> X-Forwarded-Proto, but I assumed that the Valve in server.xml would be
> setting that. I just can't seem to find out what I'm missing.
The references to those headers that you see in the Valve will result in
the Valve _consuming_ those headers. It's the proxy that needs to set
them such that Tomcat can read and consider them based on the Valve
configuration.
Apache HTTPD's mod_proxy should be adding many of these headers by default:
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers
I don't recall offhand whether "X-Forwarded-Proto" is automatically
added by HTTPD. It's not explicitly listed in the documentation above.
You might need to manually add it for SAML to pass its own validation.
- Mike
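The two points above (internalProxies is a regex, and the proxy might not connect from 127.0.0.1) side by side, as an added example rather than Harry's actual server.xml; the IPv6 loopback entry is an assumption about how the proxy may connect:

```xml
<!-- Added example, not the configuration from the original post. -->

<!-- As posted: the unescaped periods are regex wildcards, so "127.0.0.1"
     is really "127<any>0<any>0<any>1" rather than the literal address. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127.0.0.1"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />

<!-- Corrected: escape the periods so only the literal IPv4 loopback matches,
     and also trust the IPv6 loopback (Tomcat reports ::1 as 0:0:0:0:0:0:0:1)
     in case httpd connects over IPv6. X-Forwarded-* headers arriving from
     any other source address are then ignored rather than believed. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"
       remoteIpHeader="x-forwarded-for"
       remoteIpProxiesHeader="x-forwarded-by"
       protocolHeader="x-forwarded-proto" />
```

On the httpd side, mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server on its own but not X-Forwarded-Proto, so the TLS VirtualHost also needs `RequestHeader set X-Forwarded-Proto "https"` (mod_headers) before the protocolHeader above has anything to read.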