|Summary:||RemoteIpValve : request.secure and request.scheme are not forced to "false" and "http" if X-Forwarded-Proto=http|
|Product:||Tomcat 6||Reporter:||Cyrille Le Clerc <cyrille.leclerc>|
|Component:||Catalina||Assignee:||Tomcat Developers Mailing List <dev>|
|Attachments:||Tomcat 7 patch with many unit tests, updated docs and few additional jmx attributes fixes|
Description Cyrille Le Clerc 2010-02-01 09:26:02 UTC
Created attachment 24915 [details] Tomcat 7 patch with many unit tests, updated docs and few additional jmx attributes fixes When X-Forwarded-Proto="http", the incoming request attributes secure, scheme and serverPort are not overridden as they are with "https". If a request came as unsecured/http but the communication between apache and tomcat is ssl, then request.isSecure(), request.getScheme() and request.getServerPort() are wrong. Proposed patch : * introduce a httpServerPort configuration parameter * modify logic for request.isSecure(), request.getScheme() , and request.getServerPort() : ** if header "x-forwarded-proto" is null then keep incoming values ** else if header "x-forwarded-proto" is equal to "https" then override values to true, https and 443 ** else override values to false, http and 80 Note : * "x-forwarded-proto", 80, 443 and "https" (as the ssl value for x-forwarded-proto header) are configurable ; I use sample values in the bug description to make it easier to understand.
Comment 1 Mark Thomas 2010-02-02 05:32:02 UTC
Thanks again for the patch. It has been applied to 7.0.x and proposed for 6.0.x
Comment 2 Mark Thomas 2010-02-22 19:56:50 UTC
Patch applied to 6.0.x and will be included in 6.0.25 onwards. Many thanks.