https://issues.apache.org/bugzilla/show_bug.cgi?id=48653
Summary: RemoteIpValve : request.secure and request.scheme are
not forced to "false" and "http" if
X-Forwarded-Proto=http
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Mac OS X 10.4
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: [email protected]
ReportedBy: [email protected]
Created an attachment (id=24915)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24915)
Tomcat 7 patch with many unit tests, updated docs and few additional jmx
attributes fixes
When X-Forwarded-Proto="http", the incoming request attributes secure, scheme
and serverPort are not overridden as they are with "https".
If a request came as unsecured/http but the communication between apache and
tomcat is ssl, then request.isSecure(), request.getScheme() and
request.getServerPort() are wrong.
Proposed patch :
* introduce a httpServerPort configuration parameter
* modify logic for request.isSecure(), request.getScheme() , and
request.getServerPort() :
** if header "x-forwarded-proto" is null then keep incoming values
** else if header "x-forwarded-proto" is equal to "https" then override values
to true, https and 443
** else override values to false, http and 80
Note :
* "x-forwarded-proto", 80, 443 and "https" (as the ssl value for
x-forwarded-proto header) are configurable ; I use sample values in the bug
description to make it easier to understand.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
