Bug 48653 - RemoteIpValve : request.secure and request.scheme are not forced to "false" and "http" if X-Forwarded-Proto=http
RemoteIpValve : request.secure and request.scheme are not forced to "false" a...
Status: RESOLVED FIXED
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
6.0.24
All All
: P2 normal (vote)
: default
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2010-02-01 09:26 UTC by Cyrille Le Clerc
Modified: 2010-02-22 19:56 UTC (History)
0 users



Attachments
Tomcat 7 patch with many unit tests, updated docs and few additional jmx attributes fixes (20.47 KB, patch)
2010-02-01 09:26 UTC, Cyrille Le Clerc
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Cyrille Le Clerc 2010-02-01 09:26:02 UTC
Created attachment 24915 [details]
Tomcat 7 patch with many unit tests, updated docs and few additional jmx attributes fixes 

When X-Forwarded-Proto="http", the incoming request attributes secure, scheme
and serverPort are not overridden as they are with "https". 

If a request came as unsecured/http but the communication between apache and
tomcat is ssl, then request.isSecure(), request.getScheme() and
request.getServerPort() are wrong. 

Proposed patch :

* introduce a httpServerPort configuration parameter
* modify logic for request.isSecure(), request.getScheme() , and
request.getServerPort() :
** if header "x-forwarded-proto" is null then keep incoming values
** else if header "x-forwarded-proto" is equal to "https" then override values
to true, https and 443
** else override values to false, http and 80


Note :

* "x-forwarded-proto", 80, 443 and "https" (as the ssl value for
x-forwarded-proto header) are configurable ; I use sample values in the bug
description to make it easier to understand.
Comment 1 Mark Thomas 2010-02-02 05:32:02 UTC
Thanks again for the patch. It has been applied to 7.0.x and proposed for 6.0.x
Comment 2 Mark Thomas 2010-02-22 19:56:50 UTC
Patch applied to 6.0.x and will be included in 6.0.25 onwards. Many thanks.