On 17/06/2015 19:08, Jeffrey Janner wrote:
> I’ve been deploying letting Tomcat do it all when it came to connectors
> and SSL, with the app forcing everything to SSL in the
> <security-constraints> section. Now I’m setting up a haproxy front-end
> that will both terminate the SSL and take care of the redirect from HTTP
> to HTTPS for me and tomcat only running a standard HTTP port on 8080.
>
> So my question is, Is it still important for the app to know that it
> operating “secure”, and if so, what settings are a must?
Yes it is extremely important.
You need secure="true" for everything received over HTTPS and
secure="false" for everything received over HTTP.
It is simpler in your case since Tomcat only ever sees traffic that has
been received over HTTPS.
There are several ways to ensure secure="true"
In your case, setting on the connector is the simplest and best option.
If proxying over AJP, the AJP connector takes care of it.
The RemoteIP[Valve|Filter] or the SSLValve can handle this if proxying
over HTTP.
There are several reasons it is important (the first reason is the big one):
1. cookies created over secure connections will have the secure flag set
which will ensure that browsers never send the cookie over HTTP. I once
watched a customer go very white while I was explaining this when they
realised that their banking app was sending authentication cookies over
HTTP connections.
2. The user data constraint in web.xml will only be satisfied if
secure="true"
HTH,
Mark
>
> Here is the old setup:
>
>
>
> SERVER.XML:
>
> <Service name="Catalina">
>
> <Connector address="${IP_ADDRESS}" port="80" maxHttpHeaderSize="8192"
>
> maxThreads="50" enableLookups="false" redirectPort="443"
> acceptCount="100"
>
> connectionTimeout="20000" disableUploadTimeout="true"
> compression="on"
>
>
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>
> />
>
> <Connector address="${IP_ADDRESS}" port="443" maxHttpHeaderSize="8192"
>
> maxThreads="150" enableLookups="false" acceptCount="100"
>
> connectionTimeout="20000" disableUploadTimeout="true"
> compression="on"
>
>
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>
> scheme="https" secure="true" SSLEnabled="true"
>
> SSLHonorCipherOrder="true"
>
> SSLCipherSuite="list-of-ciphers"
>
> SSLCertificateFile="path-to-server.crt"
>
> SSLCertificateKeyFile="path-to-server.key"
>
> SSLCertificateChainFile="path-to-server_chain.crt"
>
> SSLPassword="password" />
>
> <Engine name="Catalina" defaultHost="localhost ">
>
> <Host name="localhost " appBase=" webapps"
>
> unpackWARs="true" autoDeploy="false" deployXML = "false">
>
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>
> prefix="localhost_access_log." suffix=".txt"
>
> pattern="%h %l %u %t "%r" %s %b" />
>
> </Host>
>
> </Engine>
>
> </Service>
>
>
>
> CONTEXT.XML: No tomcat-level parameters specified
>
>
>
> WEB.XML: (only the important bits, assume servlets and filters won’t change)
>
> <security-constraint>
>
> <web-resource-collection>
>
> <web-resource-name>Everything</web-resource-name>
>
> <url-pattern>/*</url-pattern>
>
> </web-resource-collection>
>
> <user-data-constraint>
>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>
> </user-data-constraint>
>
> </security-constraint>
>
>
>
> Here is the new setup:
>
> SERVER.XML:
>
> <Service name="Catalina">
>
> <Connector port="${tomcatPort}" protocol="HTTP/1.1"
>
> connectionTimeout="20000"
>
> redirectPort="8443" />
>
> <Engine name="Catalina" defaultHost="localhost " jvmRoute=”serverX”>
>
> <Host name="localhost " appBase=" webapps"
>
> unpackWARs="true" autoDeploy="false" deployXML = "false">
>
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>
> prefix="localhost_access_log." suffix=".txt"
>
> pattern="%h %l %u %t "%r" %s %b" />
>
> </Host>
>
> </Engine>
>
> </Service>
>
>
>
> CONTEXT.XML: no changes
>
> WEB.XML: drop the <security-constraints> section?
>
>
>
> Am I missing something from a security standpoint here?
>
> And yes, I’m aware I need to adjust some parameters in the <Connector>
> that are left out in the second example. I’m just interested in things
> like secure-cookie, etc.
>
>
>
>
>
> Jeffrey Janner
>
> Sr. Network Administrator
>
> [email protected] <mailto:[email protected]>
>
> *PolyDyne Software Inc.*
>
> Main: 512.343.9100
>
> Direct: 512.583.8930
>
>
>
> */ /**/cid:[email protected]/*
>
> */ /*
>
> *Speed, Intelligence & Savings in Sourcing*
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]