Secure redirects behind a proxy
The examples in this article assume that Tomcat is receiving requests from a proxy web server (such as Apache HTTP Server) but is expected to enforce the security constraint itself.
An example would be a constraint specified in an application web.xml:
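The following web.xml fragment is an added illustration of such a constraint (it is not the page's original listing); the protected path /secure/* is an assumption.

```xml
<!-- Added example, not the page's own listing: require confidential
     transport for everything under /secure/* (path assumed). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a request that Tomcat does not consider secure is
         redirected to the connector's redirectPort, or rejected with
         403 Forbidden if the connector has no redirectPort -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Whether a request "is secure" is decided by the connector it arrived on, which is why the connector configurations in the following sections matter: the application does not see the proxy at all.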
Automatic SSL Forwarding
- Using an AJP connector only
- Using an HTTP connector for the non-secure connection
- Using an HTTP connector with SSL
- Using a clear-text HTTP connector for secure transport
The simplest configuration requires only an AJP connector. This configuration does not encrypt the connection between the proxy and Tomcat, so it is only appropriate where that link is trusted (for example, both processes on the same host or on an isolated network); where that is the case, this method is recommended.
An AJP connector is simple because the details of the request to the proxy (scheme, host, port and client address) are conveyed to Tomcat, which serves the request as if it had been made directly, and thus constructs all redirects relative to the proxy host. The only thing that the connector needs for the redirect to work is the redirectPort property, which should specify the secure (HTTPS) port on the proxy (not Tomcat).
An HTTP connector does not automatically convey the proxy's request information to Tomcat, as it has request headers of its own (by default Tomcat takes the host and port from the Host header the proxy sends, which names the backend rather than the site the client asked for). Thus, for Tomcat to form proper redirect requests, specify the proxy host information as part of the connector (proxyName and proxyPort), including the secure (HTTPS) port as redirectPort:
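An added server.xml example for this case (not the page's own listing): the proxy terminates TLS on port 443 and reaches Tomcat over AJP on 8009; all port numbers, and the loopback address, are assumptions.

```xml
<!-- Added example, not the page's own listing: AJP connector behind a
     proxy that terminates TLS on 443 (ports assumed). AJP carries the
     original scheme, host and port, so Tomcat itself builds redirects of
     the form https://<proxy host>:443/... -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           redirectPort="443" />
<!-- address="127.0.0.1" assumes httpd runs on the same host; since the
     AJP leg is unencrypted, never expose this port to untrusted networks.
     Tomcat 8.5.51 / 9.0.31 and later additionally require either a
     secret attribute shared with the proxy or secretRequired="false". -->
```

On the httpd side this connector is reached with mod_proxy_ajp, for example ProxyPass / ajp://127.0.0.1:8009/ (assumed to match the address and port above).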
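An added server.xml example for the non-secure leg (not the page's own listing); the proxy host name and all port numbers are assumptions.

```xml
<!-- Added example, not the page's own listing: plain HTTP connector for
     the proxy's http:// leg (host name and ports assumed).
     proxyName/proxyPort replace what Tomcat would otherwise take from the
     Host header of the proxy's request, so the redirect Tomcat issues is
     https://www.example.com:443/... rather than a backend address. -->
<Connector port="8080" protocol="HTTP/1.1"
           proxyName="www.example.com" proxyPort="80"
           scheme="http" secure="false"
           redirectPort="443" />
```

scheme="http" and secure="false" are the defaults and are written out only for contrast with the secure connectors that follow.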
This connector cannot be re-used as the connector for the secure connection. For this purpose, a different HTTP connector is needed, either with SSL transport enabled or with properties indicating secure transport (see next sections).
If secure transmission is required between the proxy and Tomcat, use an HTTP connector with SSL. An HTTPS connector is simply an HTTP connector with added properties to specify SSL parameters.
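An added server.xml example for the TLS-encrypted proxy-to-Tomcat leg (not the page's own listing), in the Tomcat 7 JSSE attribute style; keystore path and password, proxy host name and ports are assumptions.

```xml
<!-- Added example, not the page's own listing: HTTPS connector for a
     TLS-encrypted proxy-to-Tomcat leg (keystore, host name and ports
     assumed). The proxy connects to backend.example.com:8443 and the
     certificate in the keystore must be one the proxy is willing to trust. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           keystoreFile="conf/backend.jks" keystorePass="changeit"
           sslProtocol="TLS" clientAuth="false"
           proxyName="www.example.com" proxyPort="443"
           scheme="https" secure="true" />
<!-- No redirectPort: a request arriving here is already secure, so a
     CONFIDENTIAL constraint is satisfied and nothing is redirected. -->
```

Tomcat 8.5 and later still accept these attributes but prefer the nested SSLHostConfig and Certificate elements for the keystore settings.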
The scheme and secure properties are redundant here as they are implied (in fact, overridden) by the use of SSL, but it is good to be explicit. There is no need for the redirectPort property, as the secure connector should not need to redirect for secure transport.
The Apache HTTP Server would be configured to access this connector with this example configuration:
# mod_proxy_http - secured https
SSLProxyEngine On
# other SSL parameters (e.g. specifying the key/cert and logs) omitted
ProxyPass / https://backend.example.com:8443/
Note: You need SSLProxyEngine to enable SSL over the secured backend connection. You do not need a ProxyPassReverse as the connector above specified the proxy host information.
A non-secure connection between proxy and Tomcat might be desired (for performance reasons) for a client connection that is actually secure. A plain HTTP connector can be used with the secure property set to indicate to Tomcat that the transport is actually secure (satisfying security constraints so no redirect is needed).
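An added server.xml example (not the page's own listing) showing the two plain HTTP connectors such a setup needs, one per proxy leg; the proxy host name and all port numbers are assumptions.

```xml
<!-- Added example, not the page's own listing: one plain HTTP connector
     per proxy leg (host name and ports assumed). -->

<!-- 1) Proxy's http:// leg: requests arrive non-secure and are redirected
        to the proxy's HTTPS port when a constraint requires it. -->
<Connector port="8080" protocol="HTTP/1.1"
           proxyName="www.example.com" proxyPort="80"
           scheme="http" secure="false"
           redirectPort="443" />

<!-- 2) Proxy's https:// leg: TLS is already terminated at the proxy.
        secure="true" makes request.isSecure() return true, so a
        CONFIDENTIAL constraint is satisfied without a redirect, and
        scheme/proxyName/proxyPort make generated URLs say
        https://www.example.com/... Only the proxy's HTTPS virtual host
        may be routed here. -->
<Connector port="8081" protocol="HTTP/1.1"
           address="127.0.0.1"
           proxyName="www.example.com" proxyPort="443"
           scheme="https" secure="true" />
```

Connector 2 is reached from the proxy's port-443 virtual host with, for example, ProxyPass / http://127.0.0.1:8081/ (assumed). Because Tomcat takes its word for the transport being secure, anyone who can open a TCP connection to 8081 directly can bypass the CONFIDENTIAL constraint; bind it to loopback (address attribute, as above) or firewall it so only the proxy can reach it.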
The secure property designates this connector for secure transport. As such, do not re-use it to serve a proxy connection for a request that is not actually secured. There should be separate HTTP connectors for the two purposes. The scheme, proxyName, and proxyPort properties are for the purpose of Tomcat creating proxy-referencing URLs (as opposed to requiring ProxyPassReverse in the Apache HTTP server config).
- sgardner, February 07, 2012