https://bz.apache.org/bugzilla/show_bug.cgi?id=57830
--- Comment #3 from Bill Barker <billbar...@apache.org> ---
(In reply to Mark Thomas from comment #1)
> Moving this to an enhancement request.
>
> I can see the benefit of this but it would be non-trivial to implement -
> particularly for HTTPS.
>
> For NIO and NIO2 (and much like SNI support) it would require the server to
> process some data before passing it to the SSL engine. Unlike SNI, the data
> would not be left in the buffer for the SSL engine to process.
>
> APR/native needs further investigation to determine what changes would be
> required to implement this.

My reading of the ProxyProtocol spec linked above states that it is agnostic to the transport protocol between the proxy server and the receiver. Otherwise it can't work if you are using SSH tunneling, which is one of the target configurations. That means that the "PROXY ..." line is encrypted over SSL/TLS just like everything else in the payload. This in turn means that all of the code that is required to support this comes at the point of reading the initial request line and no special handling is required for SSL/TLS.

It would be a huge security hole if the proxy was allowed to inject a plain text (for version 1) payload in front of the encrypted payload. Both of them would have to be encrypted if you are using an encrypted connection between the proxy and the receiver.
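
The buffer handling that comment #1 describes for NIO/NIO2, where a version 1 header arrives ahead of the TLS handshake and must be consumed before the SSL engine sees the buffer, shown as an added example that is not Tomcat code and not from either commenter. The class `ProxyV1Header` and its `consume` method are hypothetical names, the line format and the 107-byte limit are taken from the PROXY protocol specification, and the sample addresses are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
// Added example: hypothetical helper class, not Tomcat code.
public class ProxyV1Header {
    static final int MAX_LEN = 107; // longest v1 line including CRLF (PROXY protocol spec)
    static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    static final String IPV4 = OCTET + "(\\." + OCTET + "){3}";
    static final String IPV6 = "(?=.*:)[0-9A-Fa-f:]{2,39}"; // syntactic pre-filter only
    static final String PORT = "0|[1-9]\\d{0,4}";

    /** Consumes one v1 header from the front of buf; returns {family, src, dst, srcPort, dstPort}
     *  or {"UNKNOWN"}. Returns null, leaving buf untouched, while the CRLF has not arrived yet.
     *  On success buf.position() is the first byte after the CRLF (e.g. the TLS ClientHello). */
    static String[] consume(ByteBuffer buf) {
        int start = buf.position(), end = -1;
        int scanLimit = Math.min(buf.limit(), start + MAX_LEN);
        for (int i = start; i + 1 < scanLimit; i++) {
            if (buf.get(i) == '\r' && buf.get(i + 1) == '\n') { end = i; break; }
        }
        if (end < 0) {
            if (buf.remaining() >= MAX_LEN) throw new IllegalArgumentException("no CRLF in header");
            return null; // incomplete line: read more from the socket and call again
        }
        byte[] raw = new byte[end - start];
        for (int i = 0; i < raw.length; i++) raw[i] = buf.get(start + i); // absolute reads
        String[] f = new String(raw, StandardCharsets.US_ASCII).split(" ", -1);
        boolean unknown = f.length >= 2 && f[0].equals("PROXY") && f[1].equals("UNKNOWN");
        if (!unknown) {
            String ip = f.length != 6 ? null : f[1].equals("TCP4") ? IPV4 : f[1].equals("TCP6") ? IPV6 : null;
            if (ip == null || !f[0].equals("PROXY") || !f[2].matches(ip) || !f[3].matches(ip)
                    || !f[4].matches(PORT) || !f[5].matches(PORT)
                    || Integer.parseInt(f[4]) > 65535 || Integer.parseInt(f[5]) > 65535) {
                throw new IllegalArgumentException("malformed PROXY v1 header");
            }
        }
        buf.position(end + 2); // drop the header only after it validated; later bytes stay
        return unknown ? new String[] {"UNKNOWN"} : Arrays.copyOfRange(f, 1, 6);
    }

    public static void main(String[] args) {
        // Constructed input: a v1 header followed by the first bytes of a TLS record.
        byte[] hdr = "PROXY TCP4 192.0.2.10 198.51.100.5 56324 443\r\n".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer buf = ByteBuffer.allocate(64);
        buf.put(hdr).put(new byte[] {0x16, 0x03, 0x01}).flip();
        System.out.println(String.join(" ", consume(buf)));
        System.out.printf("next byte for the SSL engine: 0x%02x, %d left%n", buf.get(buf.position()), buf.remaining());
    }
}
```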