Stefan,

On 10/1/14 2:18 PM, Stefan Mayr wrote:
> On 01.10.2014 19:18, Christopher Schultz wrote:
> ...
>>>> What I'm mainly looking for is a way to say "the incoming
>>>> connection (from ELB) is HTTP and I want to pretend that the
>>>> connection is HTTPS".
>>>
>>> Then the easier solution seems using ELB for SSL termination
>>> and using the X-Forwarded-Proto header, passing from apache to
>>> tomcat
>>
>> Yes. Just looking for a way to say "oh, the connection is also
>> encrypted".
>
> If I remember correctly this needs only one line in Apache httpd
> to forward it to Tomcat
>
> SetEnvIf X-Forwarded-Proto https HTTPS=on

This is where I have gotten so far, actually. I've been trying to get
mod_remoteip to handle the client's IP address for me -- especially
for logging -- but I'm having some difficulty and have asked a
question over on the httpd users' list about that.

> mod_jk should use this information and mark it as a secure
> connection for you. Then you can require a secure connection in
> your webapp web.xml or check it in httpd with the same environment
> variable:
>
> Order Deny,Allow
> Deny from all
> Allow from env=HTTPS

I didn't know that you could do "Allow from env=HTTPS". I'll
definitely do that. I was also doing "Allow from 10.0.0.0/8" so that
only my ELB could access the VirtualHost I'm configuring.

> If the httpd is only a helper process to pass this information to
> Tomcat you can also use the Proxy-Valves:
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Proxies_Support
>
> Something like this should serve your purpose:
> <Valve className="org.apache.catalina.valves.RemoteIpValve"
>        protocolHeader="x-forwarded-proto" portHeader="x-forwarded-port" />

I'd prefer to handle this at the httpd level if for no other reason
than logging.

> Together with transport-guarantee CONFIDENTIAL in your web.xml
> this would eliminate the need to configure anything on Apache httpd
> at all.

Thanks,
-chris
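
An added example, not part of the original thread: a small Python model of how the two access checks mentioned above ("Allow from 10.0.0.0/8" and "Allow from env=HTTPS") combine when they sit in the same "Order Deny,Allow / Deny from all" block, where any matching Allow admits the request, compared with requiring both. It assumes the address check sees the TCP peer (no mod_remoteip rewriting in effect); the function names and the sample requests are constructed for illustration.

```python
import ipaddress
import re

ELB_NET = ipaddress.ip_network("10.0.0.0/8")  # range named in the message

def https_env(headers):
    """Model of: SetEnvIf X-Forwarded-Proto https HTTPS=on
    (the pattern is an unanchored, case-sensitive regex)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "x-forwarded-proto"), None)
    return value is not None and re.search("https", value) is not None

def from_elb(peer_ip):
    """Model of: Allow from 10.0.0.0/8 (assumed to test the TCP peer address)."""
    return ipaddress.ip_address(peer_ip) in ELB_NET

def allowed_either(peer_ip, headers):
    """Both Allow lines in one Deny-from-all block: any single match admits."""
    return from_elb(peer_ip) or https_env(headers)

def allowed_both(peer_ip, headers):
    """Stricter policy: the peer is the balancer AND it reports https."""
    return from_elb(peer_ip) and https_env(headers)

# Constructed sample requests: (label, TCP peer address, request headers)
SAMPLES = [
    ("ELB, client used HTTPS", "10.1.2.3", {"X-Forwarded-Proto": "https"}),
    ("ELB, client used HTTP", "10.1.2.3", {"X-Forwarded-Proto": "http"}),
    ("direct peer, header set by client", "203.0.113.7",
     {"X-Forwarded-Proto": "https"}),
    ("direct peer, no header", "203.0.113.7", {}),
]

def evaluate(samples=SAMPLES):
    """Return (label, either-rule result, both-rule result) per sample."""
    return [(label, allowed_either(ip, h), allowed_both(ip, h))
            for label, ip, h in samples]

if __name__ == "__main__":
    for label, either, both in evaluate():
        print(f"{label:36} either={either!s:5} both={both}")
```

The X-Forwarded-Proto value is only meaningful when the peer is the load balancer, which is why the combined rule is the one that matches the intent stated in the thread. In httpd 2.4 syntax the combined form corresponds to "Require ip" and "Require env" inside a RequireAll block.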