We use Apache web servers to communicate with our OFBiz servers using a combination of mod_jk and mod_proxy. For our mod_proxy configuration, we forward secure requests (https) from Apache to a non-secure port (8080) on Tomcat/OFBiz.
Our application is an AJAX/Dojo application that posts normal HTTP requests to the web server, but when we do this we frequently get the following messages:

2010-03-01 13:32:18,890 (http-0.0.0.0-8080-6) [ RequestHandler.java:186:ERROR] Got a insecure (non-https) form POST to a secure (http) request [jsonservice], returning error
2010-03-01 13:32:18,906 (http-0.0.0.0-8080-6) [ RequestHandler.java:204:WARN ] HTTPS is disabled for this site, so we can't tell if this was encrypted or not which means if a form was POSTed and it was not over HTTPS we don't know, but it would be vulnerable to an XSRF and other attacks: Not accepting insecure form data posted to a secure request

I understand the reason for the error message and the potential security problems if our Tomcat/OFBiz application server was the front-facing server, but in our environment the Tomcat/OFBiz servers are only accessible via Apache. The request from the user is secure. I don't believe the error causes any problems for us (transaction rollbacks, etc.), but we would like to eliminate all false error messages in our logs so we can focus on more critical ones.

What is the recommendation from the community for avoiding these types of messages when using an Apache-to-Tomcat configuration? Are others working around these issues when they use Apache mod_proxy?

Brett
