This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 50b191dd31 Add a reverse proxy section to the security how-to 50b191dd31 is described below commit 50b191dd31fcecb92132687a4edc04c01fe4d417 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jun 26 09:31:27 2025 +0100 Add a reverse proxy section to the security how-to --- webapps/docs/changelog.xml | 4 ++++ webapps/docs/security-howto.xml | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index da3526acff..3d466f5684 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -166,6 +166,10 @@ considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) </add> + <add> + Documentation. Add a section on reverse proxies to the security + considerations page. (markt) + </add> </changelog> </subsection> <subsection name="Other"> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 2487c3cd33..cbb2ed5f72 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -632,6 +632,23 @@ </ul> </section> + <section name="Reverse Proxies"> + <p>All clients, including reverse proxies, are responsible for the + consequences of the data they present to Tomcat.</p> + + <p>The servlet specification removes path parameters when normalizing + requests. HTTP servers do not normally do this. This creates the possibility + of a client using a <code>/..;a=b/</code> type sequence in a URI to bypass a + security constraint implemented in the reverse proxy. This possibility can + be avoided with appropriate configuration such as using the setting + <code>mapping=servlet</code> with httpd's mod_proxy.</p> + + <p>If Tomcat is deployed behind a reverse proxy and that reverse proxy + implements one or more security constraints, it is recommended a defense in + depth approach is taken and Tomcat is secured as if the reverse proxy was + not in use.</p> + </section> + <section name="General"> <p>BASIC and FORM authentication pass user names and passwords in clear text. Web applications using these authentication mechanisms with clients --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
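Review bot: In the second paragraph of the new "Reverse Proxies" section, the reason the `/..;a=b/` sequence defeats a proxy-side constraint is left implicit; state it directly, e.g. that the proxy matches its rule against the raw request path while Tomcat strips the path parameter and normalizes, so the two components can resolve the same URI to different resources. Since the whole point of the section is that the proxy and Tomcat disagree, it would also help to name the directive the `mapping=servlet` setting belongs to and the minimum httpd version that supports it, rather than only "httpd's mod_proxy". Minor grammar in the third paragraph: "it is recommended a defense in depth approach is taken and Tomcat is secured as if the reverse proxy was not in use" reads better as "it is recommended that a defense-in-depth approach be taken and that Tomcat be secured as if the reverse proxy were not in use".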