When you say you are avoiding absolute URLs, where have you noticed this? I 
can’t recall this being a problem.

Now, I’m no expert on this kind of configuration, and it’s a while since I set 
this all up, so forgive me if I have my wires crossed. Also, our site’s load is 
small so far but growing so all of this will be up for review soon.

In production we run pure HTTPS. We force all HTTP traffic to HTTPS by setting 
this in AppModule:

        public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) {
                configuration.add(MetaDataConstants.SECURE_PAGE, "true");
        }

We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is 
terminating the SSL/TLS. 

We use:

        -Dtapestry.secure-enabled=true

We tell mod_proxy this:

        ProxyPreserveHost On

and we use the following to convert the request to AJP, because app preserves 
the HTTPS headers.

        ProxyPass /myapp ajp://app:8009/myapp retry=5
        ProxyPassReverse /myapp ajp://app:8009/myapp retry=5

This all works great for us. So what’s the URL issue again?

Geoff

> On 22 Jul 2016, at 5:54 PM, Svein-Erik Løken <sv...@jacilla.no> wrote:
> 
> Thanks for confirmation on this!
> 
> What about making a note on this in the documentation 
> https://tapestry.apache.org/security.html?
> 
> It's not obvious that X-Forwarded-Proto="https" should be set in the TLS 
> termination proxy. Other X-Forwarded- headers are often set by default in the 
> proxy, like X-Forwarded-For.
> 
> And the tapestry.secure-enabled = false.
> 
> 
> Web sites need to be encrypted in the future to work in Chrome, Firefox… 
> Google Will Soon Shame All Websites That Are Unencrypted  
> http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https.
> 
> 
> 
> GeoLocation stopped working in Chrome for desktop and Android, so I had to use 
> encryption.
> 
> 
> 
> 
> From: Chris Poulsen [via Apache Tapestry Mailing List Archives] 
> [mailto:ml-node+s1045711n5732784...@n5.nabble.com]
> Sent: 22 July 2016 11:35
> To: Svein-Erik Løken <sv...@jacilla.no>
> Subject: Re: TLS termination proxy and Tapestry
> 
> We are always setting tapestry.secure-enabled = false
> 
> --
> Chris
> 
> On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:
> 
>> When I am doing SSL out of the servlet container (e.g. jetty, apache etc.) I
>> always set secure enabled to false.
>> 
>> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
>> 
>>> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
>>> that setting X-Forwarded-Proto="https" in the header on the proxy
>>> org.apache.tapestry5.services.Request::isSecure returns true. That's good!
>>> In tapestry.production-mode=true I am getting absolute URLs. E.g.
>>> http://example.com/index.mycompo.form.
>>> Setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
>>> getting a relative URL (/index.mycompo.form).
>>> I can see that with X-Forwarded-Proto="https" set,
>>> org.apache.tapestry5.internal.services.RequestSecurityManager::checkPageSecurity
>>> returns LinkSecurity.SECURE.
>>> That's good!
>>> 
>>> For me it seems that this is the correct solution, but I find it nice if
>>> some tapestry experts can confirm this!
>>> 
>>> 
>> 
> 

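A TLS-terminating Apache virtual host for the plain-HTTP backend case discussed in this thread, as an added example that is not from any of the posters or from the Tapestry project. The host name, backend port 8080 and certificate paths are assumptions; it needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

```apache
# Added example. Host names, ports and certificate paths are assumptions.

# Port 80: never proxy plain HTTP to the application, only redirect to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Port 443: Apache terminates TLS and talks plain HTTP to the container.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Pass the original Host header through to the backend.
    ProxyPreserveHost On

    # "set" replaces any X-Forwarded-Proto value the client sent, so the
    # application only ever sees the scheme this proxy actually terminated.
    # Weak alternatives: omitting the line (the backend sees plain HTTP), or
    # "add" / "setifempty", which let a client-supplied value reach the app.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        /myapp http://app:8080/myapp retry=5
    ProxyPassReverse /myapp http://app:8080/myapp
</VirtualHost>

# JVM option the posters in this thread report using with this layout:
#   -Dtapestry.secure-enabled=false
```

With an AJP backend, as in the reply at the top of the thread, the request scheme is carried by the AJP protocol itself, so the `RequestHeader` line is specific to the HTTP backend case.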