Re: HTTP connector to be aware of proxied SSL requests

2010-06-18 Thread Mark Thomas
On 18/06/2010 00:36, Matthew Peterson wrote: Out of interest, what are some of the security risks around non-trusted proxies injecting the x-forwarded-* headers? Mainly an issue if you use the RemoteAddressValve or a similar mechanism to secure your webapp based on client IP address. If an

Re: HTTP connector to be aware of proxied SSL requests

2010-06-17 Thread Mark Thomas
On 17/06/2010 01:41, Matt Peterson wrote: I can't find any documentation on the order of events for the Connector, so I'm not sure what other decisions get made based on the request attributes, but assume there are others. This is *open* source... Is there another solution to handling

Re: HTTP connector to be aware of proxied SSL requests

2010-06-17 Thread Cyrille Le Clerc
Hello Matt, I think the RemoteIpValve does what you need: it looks at HTTP headers filled in the request by preceding network components (layer 7 load balancer, SSL accelerator, etc.) such as 'x-forwarded-for' to get the real IP address and 'x-forwarded-proto' to get the http/https protocol. A

RE: HTTP connector to be aware of proxied SSL requests

2010-06-17 Thread Matthew Peterson
are some of the security risks around non-trusted proxies injecting the x-forwarded-* headers? Thanks for your help, Matt. -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Thursday, 17 June 2010 10:28 PM To: Tomcat Users List Subject: Re: HTTP connector to be aware

RE: HTTP connector to be aware of proxied SSL requests

2010-06-17 Thread Matthew Peterson
. -Original Message- From: Cyrille Le Clerc [mailto:clecl...@xebia.fr] Sent: Friday, 18 June 2010 8:30 AM To: Tomcat Users List; Matthew Peterson Subject: Re: HTTP connector to be aware of proxied SSL requests Hello Matt, I think the RemoteIpValve does what you need: it looks at HTTP headers filled

HTTP connector to be aware of proxied SSL requests

2010-06-16 Thread Matt Peterson
Hi All, We have a hardware load balancer terminating SSL requests before making a plain-text connection with Tomcat. So that all contexts are aware that the request is actually a secure request, we have implemented the RemoteIpValve with a LB injected header. This works well for our apps.