It has been a while since we looked into this, but as far as I can remember
we needed SECURE_ENABLED=false in order to have our apps supporting both
http and https at the same time. None of our app servers are configured to
use ssl that is always handled before the requests hit tapestry.
--
Chris
On Fri, Jul 22, 2016 at 1:23 PM, JumpStart <
geoff.callender.jumpst...@gmail.com> wrote:
> When you say you are avoiding absolute URLs, where have you noticed this?
> I can’t recall this being a problem.
>
> Now, I’m no expert on this kind of configuration, and its a while since I
> set this all up, so forgive me if I have my wires crossed. Also, our site’s
> load is small so far but growing so all of this will be up for review soon.
>
> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
> setting this in AppModule:
>
> public void contributeMetaDataLocator(MappedConfiguration<String,
> String> configuration) {
> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
> }
>
> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
> terminating the SSL/TLS.
>
> We use:
>
> -Dtapestry.secure-enabled=true
>
> We tell mod_proxy this:
>
> ProxyPreserveHost On
>
> and we use the following to convert the request to AJP, because app
> preserves the HTTPS headers.
>
> ProxyPass /myapp ajp://app:8009/myapp retry=5
> ProxyPassReverse /myapp ajp:app:8009/myapp retry=5
>
> This all works great for us. So what’s the URL issue again?
>
> Geoff
>
> > On 22 Jul 2016, at 5:54 PM, Svein-Erik Løken <sv...@jacilla.no> wrote:
> >
> > Tanks for confirmation on this!
> >
> > What about make note on this in the documentation
> https://tapestry.apache.org/security.html? <
> https://tapestry.apache.org/security.html?>
> >
> > It's not obvious that X-Forwarded-Proto="https" should be set in the TLS
> termination proxy. Other X-Forwarded- is often set default in the proxy,
> like X-Forwarded-For.
> >
> > And the tapestry.secure-enabled = false.
> >
> >
> > Web sites need to be encrypted in the future to work in Chrome, Firefox…
> Google Will Soon Shame All Websites That Are Unencrypted
> http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
> <
> http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
> >.
> >
> >
> >
> > GeoLocation stopped to work I Chrome for desktop and Android, so I had
> to use encryption.
> >
> >
> >
> >
> > From: Chris Poulsen [via Apache Tapestry Mailing List Archives] [mailto:
> ml-node+s1045711n5732784...@n5.nabble.com <mailto:
> ml-node+s1045711n5732784...@n5.nabble.com>]
> > Sent: 22. juli 2016 11:35
> > To: Svein-Erik Løken <sv...@jacilla.no <mailto:sv...@jacilla.no>>
> > Subject: Re: TLS termination proxy and Tapestry
> >
> > We are always setting tapestry.secure-enabled = false
> >
> > --
> > Chris
> >
> > On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden
> email]</user/SendEmail.jtp?type=node&node=5732784&i=0>
> >> wrote:
> >
> >> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
> >> always set secure enables to false.
> >>
> >> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden
> email]</user/SendEmail.jtp?type=node&node=5732784&i=1>> wrote:
> >>
> >>> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> >>> that setting X-Forwarded-Proto="https" in the header on the proxy
> >>> org.apache.tapestry5.services.Request::isSecure returns true . That's
> >> good!
> >>> In tapestry.production-mode=true I am getting absolute URLs. E.g.
> >>> http://example.com/index.mycompo.form.
> >>> By setting -Dtapestry.secure-enabled=false seems to solve this. Now I
> am
> >>> getting a relative URL. (/index.mycompo.form).
> >>> I can see that with X-Forwarded-Proto="https" set,
> >>> org.apache.tapestry5.internal.services.
> >>> RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> >>> That's good!
> >>>
> >>> For me it seems that this is the correct solution, but I find it nice
> if
> >>> some tapestry experts can confirm this!
> >>>
> >>>
> >>
> >
> > ________________________________
> > If you reply to this email, your message will be added to the discussion
> below:
> >
> http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/TLS-termination-proxy-and-Tapestry-tp5732774p5732784.html
> <
> http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/TLS-termination-proxy-and-Tapestry-tp5732774p5732784.html
> >
> > To unsubscribe from users@tapestry.apache.org <mailto:
> users@tapestry.apache.org><mailto:users@tapestry.apache.org <mailto:
> users@tapestry.apache.org>> Mailing List Archives, click here<
> http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2375125&code=c3ZlaW5AamFjaWxsYS5ub3wyMzc1MTI1fC0xNTM4NzY2ODg4
> <
> http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2375125&code=c3ZlaW5AamFjaWxsYS5ub3wyMzc1MTI1fC0xNTM4NzY2ODg4
> >>.
> > NAML<
> http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml
> <
> http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml
> >>
>
>
