This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new b791640738 Add a reverse proxy section to the security how-to b791640738 is described below commit b79164073880f030de56b52460c5d2019ab2270b Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jun 26 09:31:27 2025 +0100 Add a reverse proxy section to the security how-to --- webapps/docs/changelog.xml | 4 ++++ webapps/docs/security-howto.xml | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 62061b40ff..f6a20caad3 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -286,6 +286,10 @@ considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) </add> + <add> + Documentation. Add a section on reverse proxies to the security + considerations page. (markt) + </add> </changelog> </subsection> <subsection name="Other"> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index f1cf98f5be..661c614aa2 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -594,6 +594,23 @@ </ul> </section> + <section name="Reverse Proxies"> + <p>All clients, including reverse proxies, are responsible for the + consequences of the data they present to Tomcat.</p> + + <p>The servlet specification removes path parameters when normalizing + requests. HTTP servers do not normally do this. This creates the possibility + of a client using a <code>/..;a=b/</code> type sequence in a URI to bypass a + security constraint implemented in the reverse proxy. This possibility can + be avoided with appropriate configuration such as using the setting + <code>mapping=servlet</code> with httpd's mod_proxy.</p> + + <p>If Tomcat is deployed behind a reverse proxy and that reverse proxy + implements one or more security constraints, it is recommended a defense in + depth approach is taken and Tomcat is secured as if the reverse proxy was + not in use.</p> + </section> + <section name="General"> <p>BASIC and FORM authentication pass user names and passwords in clear text. Web applications using these authentication mechanisms with clients --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
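Review bot: in the changelog.xml hunk, the new entry says "Add a section on reverse proxies" but does not name the section; since the neighbouring entries point readers at specific topics, consider naming it so the entry is searchable, e.g. "Documentation. Add a Reverse Proxies section to the security considerations page. (markt)".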
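Review bot: in the security-howto.xml hunk, the second paragraph of the new "Reverse Proxies" section states the cause (the servlet specification removes path parameters when normalizing, HTTP servers do not) and the effect (a `/..;a=b/` sequence bypasses a constraint in the proxy) but does not connect them; one sentence saying that the proxy matches the literal segment while Tomcat strips `;a=b` and then resolves the `..` would make clear why the proxy's constraint never sees the effective path. Since `mapping=servlet` is only given as an httpd mod_proxy example, the third paragraph's defense-in-depth advice is the general mitigation and could be stated as applying to any proxy without an equivalent setting. Minor grammar in that paragraph: "it is recommended a defense in depth approach is taken" reads better as "it is recommended that a defense-in-depth approach be taken".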