My feeling is that it's for SSL/HTTPS set up in Jetty/Tomcat etc (no proxy in
front needed) use:
public void contributeMetaDataLocator(MappedConfiguration<String, String>
configuration) {
configuration.add(MetaDataConstants.SECURE_PAGE, "true");
}
-- or secure pages with annotation:
@Secure
-- or folders with:
public void contributeMetaDataLocator(MappedConfiguration<String,String>
configuration)
{
configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true");
}
If behind a TLS termination proxy use:
tapestry.security-enabled= false
The latter seems most intuitive also, because pages are unsecured in the
tapestry application/servlet. The TLS termination proxy takes care of the
security.
From: Dimitris Zenios [via Apache Tapestry Mailing List Archives]
[mailto:ml-node+s1045711n573279...@n5.nabble.com]
Sent: 22. juli 2016 14:52
To: Svein-Erik Løken <sv...@jacilla.no>
Subject: Re: TLS termination proxy and Tapestry
Forgot to mention that i also have tapestry.security-enabled= false in my
app setings
On Fri, Jul 22, 2016 at 3:50 PM, Dimitris Zenios
</user/SendEmail.jtp?type=node&node=5732791&i=0>
wrote:
> This is a snippet of nginx configuration that proxies the request to
> jetty on port 8080.Via this configuration i am able to have ssl and non ssl
> versions of the tapestry application.If i want to enforce only ssl version
> of tapestry i enforce it via nginx.Hope that was helpful
>
> location / {
> proxy_set_header X-Forwarded-Host $host;
> proxy_set_header X-Forwarded-Server $host;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_pass <a
> href="http://127.0.0.1:8080;";>http://127.0.0.1:8080;
> }
>
>
> On Fri, Jul 22, 2016 at 3:31 PM, Svein-Erik Løken
> </user/SendEmail.jtp?type=node&node=5732791&i=1>
> wrote:
>
>> With my configuration with -Dtapestry.secure-enabled=true the private
>> String org.apache.tapestry5.internal.services.
>> LinkImpl::buildURI(LinkSecurity security) return the absolute URI.
>>
>> Using:
>>
>> public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>> }
>> With -Dtapestry.secure-enabled=true also works.
>>
>> Still need to set X-Forwarded-Proto="https" to have request.isSecure()
>> return true.
>>
>> Which one is the preferred method?
>>
>> S-E
>>
>>
>>
>> From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:
>> /user/SendEmail.jtp?type=node&node=5732791&i=2]
>> Sent: 22. juli 2016 13:24
>> To: Svein-Erik Løken </user/SendEmail.jtp?type=node&node=5732791&i=3>
>> Subject: Re: TLS termination proxy and Tapestry
>>
>> When you say you are avoiding absolute URLs, where have you noticed this?
>> I can’t recall this being a problem.
>>
>> Now, I’m no expert on this kind of configuration, and its a while since I
>> set this all up, so forgive me if I have my wires crossed. Also, our site’s
>> load is small so far but growing so all of this will be up for review soon.
>>
>> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
>> setting this in AppModule:
>>
>> public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>> configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>> }
>>
>> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
>> terminating the SSL/TLS.
>>
>> We use:
>>
>> -Dtapestry.secure-enabled=true
>>
>> We tell mod_proxy this:
>>
>> ProxyPreserveHost On
>>
>> and we use the following to convert the request to AJP, because app
>> preserves the HTTPS headers.
>>
>> ProxyPass /myapp ajp://app:8009/myapp retry=5
>> ProxyPassReverse /myapp ajp:app:8009/myapp retry=5
>>
>> This all works great for us. So what’s the URL issue again?
>>
>> Geoff
>>
>>
>>
>
________________________________________
If you reply to this email, your message will be added to the discussion below:
http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/TLS-termination-proxy-and-Tapestry-tp5732774p5732791.html
To unsubscribe from mailto:users@tapestry.apache.org Mailing List Archives,
http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2375125&code=c3ZlaW5AamFjaWxsYS5ub3wyMzc1MTI1fC0xNTM4NzY2ODg4.
http://apache-tapestry-mailing-list-archives.1045711.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml
