Hi Christopher,
On 10/01/2014 06:05 PM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Frederik,
On 10/1/14 11:15 AM, Frederik Nosi wrote:
Hi Christopher, On 10/01/2014 04:26 PM, Christopher Schultz wrote:
All,
I'm interested in using AWS ELB for SSL termination but allowing
the client's TLS connection information to be forwarded all the
way through the chain to Tomcat.
The setup looks like this:
ELB /\ / \ / \ w0 w1 / \ / \ t0 t1 t0 t1
(t0 and t1 are repeated because otherwise the diagram would be
even more difficult to read).
w0 and w1 are running Apache httpd, t0 and t1 are running Tomcat.
The client's connection is TLS terminated at ELB and whether the
connections between ELB/wx/tx are encrypted should be immaterial.
I'm using mod_jk from httpd -> Tomcat.
ELB provides the following HTTP headers to wx: X-Forwarded-For
(client's IP) X-Forwarded-Port 443 X-Forwarded-Proto https
Unfortunately, it looks like I can't get things like the cipher
default, etc. but I'm okay with that for the time being.
I'm wondering two things:
1. How can I get Apache httpd to trust that the connection is
encrypted? I want to be able to use "RequireSSL" for certain
resources and have httpd trust that the connection coming from the
ELB is in fact secure.
Maybe i'm missing something, but you can check that
X-Forwarded-Proto header contains https? Seems a bit risky, maybe
additionally adding another check that the incomming request
comes from ELB's IP(s)?
Yes, I can check this. I can also ensure that the port is only
accessible from the ELB. I'm less worried about this and more worried
about getting everything else working first. Protecting the connection
itself will not be a problem.
Maybe i didn't got your question right, what you're interested first, is
letting know to tomcat that the client is using a secure connection? If
so you can just pass a custom header from apache to tomcat, but this
seems too easy :-)
2. How can I use that connection information to tell mod_jk that
things are to be trusted as well?
Just pass a custom header. BTW Are you encrypting the w <---> t
connections as well? BTW I recall a setup i've made times ago,
where the SSL termination was on the apache webservers, ex:
LB (tcp) <---- https ---> apache httpd (SSL Termination doing
client certificate verification) / mod_jk <--- AJP ---> Tomcat
I was able to send client's certificate information as headers
to tomcat. But not sure this is your situation.
I don't need to use client certificates, but being able to support
them would be nice.
AWS ELB seems to support TCP pass-through but you can't do it for port
443. If you want to use port 443, you can either choose "HTTPS/SSL" or
"TCP/SSL". If you choose "HTTPS/SSL" then you have to use either HTTP
or HTTPS as the back-end protocol. For some reason, choosing HTTPS
causes endless stalling when trying to make a connection.
I would get a tcpdump from the apache frontend, maybe you can get more
info this way.
Using TCP/SSL -> TCP/SSL (what I would call TCP pass-through) ought to
allow me to do SSL termination at the web server level, accept client
certificates, and have mod_ssk work without any modification at all. I
think in order to do this, I have to configure Apache httpd to accept
connections using the "proxy protocol", and I'm not sure how to do that.
Hmm, didn't knowed about this protocol before. From some quick googling
and reading, seems interesting, as at your endpoint the connection comes
from ELBs'IP not from the client's IP, this protocol adds the missing
info, real client ip.
http://blog.haproxy.com/haproxy/proxy-protocol/
So using this seems you need to add another piece to you'r infrastructure.
For #2, I might just be able to use SetEnv to set
REMOTE_ADDR=X-Forwarded-For, but I'm not sure how to say "yes, this
is encrypted". Should I set up a separate VirtualHost on a
different (non-80) port that is configured only for ELB connections
and then force SSL to "on" regardless of the actual incoming
connections?
Maybe this can help:
RewriteEngine on RewriteCond %{HTTP:X-Forwarded-For} ^(.*)$ [NC]
RewriteRule ^(.*)$ - [env=JK_REMOTE_ADDR:%0]
This way you send to tomcat as REMOTE_ADDR the contents of the
X-Forwarded-For header
Why use mod_rewrite (slow) when you can use mod_setenvif (fast)?
SetEnvIf X-Forwarded-For "(.*)" JK_REMOTE_ADDR=$1
Indeed is better your way
What I'm mainly looking for is a way to say "the incoming connection
(from ELB) is HTTP and I want to pretend that the connection is HTTPS".
Then the easier solution seems using ELB for SSL termination and using
the X-Forwarded-Proto header, passing from apache to tomcat
[...]
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
