How to get tomcat to send redirects as https urls when apache handles ssl

I'm a bit out of my depth here and nothing I have found quite addresses my problem. So any and all suggestions are most welcome.

I've got tomcat6 running on CentOS 6.5 hidden behind an apache server (v2.2.15) and I am using Apache's mod_proxy to expose the tomcat webapps, which are running on port 8080. The tomcat hosts one production application and several development applications. On the apache side, both a Drupal site and the aforementioned tomcat production application are on the same domain and, thanks to rewrite rules, all requests to this domain are changed to https. The development sites are reached via subdomains and do not get re-written as https requests.

For the most part, this arrangement works fine. But parts of the tomcat apps are AJAX (calling a Java Struts 1.2 backend). Most of those requests are handled OK. But a few AJAX requests result in redirects (i.e., forward.setRedirect(true)) and that redirect is http (I guess because the container itself is not secure). As a result, I run into cross site scripting issues. I imagine I can use CORS headers to avoid the problem. But that seems like a hack. Is there a relatively painless way I can use to have tomcat send redirects back as https without making tomcat handle ssl directly?

Cris

academic hobo asked Sep 01 '25 05:09


2 Answers

You could configure the RemoteIpValve in Tomcat:

Another feature of this valve is to replace the apparent scheme (http/https) and server port with the scheme presented by a proxy or a load balancer via a request header (e.g. "X-Forwarded-Proto").

To configure Apache to forward the original protocol in the X-Forwarded-Proto header, add a RequestHeader directive in your Apache config, e.g.:

<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"
    ...
</VirtualHost>

Note that in Tomcat 7, there is also a RemoteIpFilter.

David Levesque answered Sep 03 '25 12:09
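As an added example (not part of the answer above), here is the Tomcat side of that setup: a conf/server.xml fragment that registers the RemoteIpValve next to the plain-HTTP connector Apache proxies to. It assumes Apache runs on the same host, so 127.0.0.1 is the only address allowed to supply the forwarding headers, and it uses the question's ports (8080 for Tomcat, 443 for Apache's HTTPS side).

```xml
<!-- Added example, not taken from the answer: fragment of Tomcat's conf/server.xml.
     Assumption: Apache and Tomcat share a host, so 127.0.0.1 is the only trusted proxy. -->
<Service name="Catalina">

  <!-- Plain-HTTP connector that Apache's mod_proxy talks to.
       redirectPort is the port Tomcat names when it must bounce a request to HTTPS;
       Apache, not Tomcat, is listening there. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Replace the apparent client address, scheme and port with the values the
         proxy reports. internalProxies limits which remote addresses may supply
         those headers: a client that reaches port 8080 directly does not match
         127.0.0.1, so any X-Forwarded-Proto it sends is ignored. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="127\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpServerPort="80"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />

  </Engine>
</Service>
```

Once the valve marks a request as https, request.getScheme() and isSecure() inside the webapp reflect that, and the Location header of a sendRedirect() is built as an https URL on port 443. Because the valve decides per request, it fits the setup in the question, where the production site is HTTPS but the development subdomains stay HTTP; setting scheme="https" and secure="true" on the Connector instead would mark every proxied request as secure. On the Apache side, the port-80 virtual host that serves the development subdomains should not forward a client-supplied X-Forwarded-Proto value unchanged: a RequestHeader unset X-Forwarded-Proto line there (or setting it to "http") makes sure only the 443 virtual host ever asserts https.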


You don't need to do anything special. It already works. Make sure you set the "redirectPort" in server.xml to Apache's HTTPS port, usually 443, and add the following to your <security-constraint> sections for resources you want secured by HTTPS:

<user-data-constraint>
    <description>HTTPS</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

user207421 answered Sep 03 '25 11:09
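As an added example (not part of the answer above), the user-data-constraint fragment shown there is only valid inside a full security-constraint, which also needs a web-resource-collection naming the URLs it covers. Below is a complete WEB-INF/web.xml for a Servlet 2.5 webapp, the level Tomcat 6 supports; the /secure/* pattern is a placeholder for whatever paths must be HTTPS-only. The port Tomcat redirects to comes from the Connector's redirectPort in server.xml (443, as the answer says), not from web.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not taken from the answer: complete WEB-INF/web.xml.
     Assumption: the paths to protect live under /secure/ (placeholder pattern). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <security-constraint>
    <!-- Which URLs the constraint applies to -->
    <web-resource-collection>
      <web-resource-name>HTTPS only</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>

    <!-- CONFIDENTIAL: if the request is not already secure, Tomcat answers with a
         redirect to https://host:redirectPort/... instead of serving the resource -->
    <user-data-constraint>
      <description>HTTPS</description>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

One caveat when Apache terminates SSL: Tomcat tests the constraint against request.isSecure(). Every request that arrives through mod_proxy on port 8080 is plain HTTP from Tomcat's point of view, so unless something (the RemoteIpValve from the first answer reading X-Forwarded-Proto, or secure="true" on the Connector) tells Tomcat the request was already HTTPS, a CONFIDENTIAL resource redirects to https://host:443/..., Apache proxies that back over plain HTTP, and the cycle repeats. The constraint and the valve therefore work together rather than as alternatives.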