This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push: new d2048d5f87 Add a reverse proxy section to the security how-to d2048d5f87 is described below commit d2048d5f878648b14381f238f5b8e37e863a7318 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jun 26 09:31:27 2025 +0100 Add a reverse proxy section to the security how-to --- webapps/docs/changelog.xml | 4 ++++ webapps/docs/security-howto.xml | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index ec4d13c6cb..248ad32d6c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -170,6 +170,10 @@ considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) </add> + <add> + Documentation. Add a section on reverse proxies to the security + considerations page. (markt) + </add> </changelog> </subsection> <subsection name="Other"> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index f1cf98f5be..661c614aa2 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -594,6 +594,23 @@ </ul> </section> + <section name="Reverse Proxies"> + <p>All clients, including reverse proxies, are responsible for the + consequences of the data they present to Tomcat.</p> + + <p>The servlet specification removes path parameters when normalizing + requests. HTTP servers do not normally do this. This creates the possibility + of a client using a <code>/..;a=b/</code> type sequence in a URI to bypass a + security constraint implemented in the reverse proxy. This possibility can + be avoided with appropriate configuration such as using the setting + <code>mapping=servlet</code> with httpd's mod_proxy.</p> + + <p>If Tomcat is deployed behind a reverse proxy and that reverse proxy + implements one or more security constraints, it is recommended a defense in + depth approach is taken and Tomcat is secured as if the reverse proxy was + not in use.</p> + </section> + <section name="General"> <p>BASIC and FORM authentication pass user names and passwords in clear text. Web applications using these authentication mechanisms with clients --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
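Review bot: the new "Reverse Proxies" section in security-howto.xml names the bypass (a `/..;a=b/` segment that the proxy does not collapse but Tomcat does) and gives one fix for httpd, but gives readers of other proxies no rule to apply; suggest adding, after "...with httpd's mod_proxy.", a sentence along the lines of "Proxies that cannot normalize paths in the same way as the servlet specification should either reject requests whose path contains a `;` before evaluating a security constraint, or evaluate the constraint against the path as Tomcat will see it after normalization." Also, `mapping=servlet` is a key=value parameter of the `ProxyPass` directive rather than a standalone setting, so naming the directive (e.g. `ProxyPass "/app/" "http://backend:8080/app/" mapping=servlet`) would make it findable in the httpd documentation; the paragraph could also state that the defence-in-depth advice in the third paragraph is what covers the case where the proxy option is unavailable, which ties the two paragraphs together.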