[
https://issues.jboss.org/browse/WFLY-5725?page=com.atlassian.jira.plugin....
]
Francesco Marchioni edited comment on WFLY-5725 at 11/26/15 12:09 PM:
----------------------------------------------------------------------
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the
http-listener but it didn't work.
Here is the Apache configuration:
{{ SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e}}
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the
application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the
application refuses to proceed and issue a redirect to an https fallback address.
was (Author: f_marchioni):
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the
http-listener but it didn't work.
Here is the Apache configuration:
SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the
application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the
application refuses to proceed and issue a redirect to an https fallback address.
Attribute "secure" not migrated to Undertow subsystem
-----------------------------------------------------
Key: WFLY-5725
URL:
https://issues.jboss.org/browse/WFLY-5725
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Environment: RHEL 7.1
Reporter: Francesco Marchioni
Assignee: Stuart Douglas
Labels: ea, undertow
We need to migrate the following EAP 6 configuration from the web subsystem:
<subsystem xmlns="urn:jboss:domain:web:2.1"
default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1"
scheme="http" socket-binding="http"/>
<connector name="httpconfidential" protocol="HTTP/1.1"
scheme="http" socket-binding="httpsecure" secure="true"
enabled="true"/>
<virtual-server name="default-host"
enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
This configuration uses the *secure="true" * attribute to support the
transport-guarantee to CONFIDENTIAL which is required by our applications. (We don't
use https in EAP which is configured only on the Apache Web server that serves request to
EAP 6)
The configuration has been migrated into EAP 7.0.0 Alpha using the CLI
/subsystem=web:migrate command. Although no warnings are shown, the resulting
configuration *does not contain the attribute "secure"* :
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="http" socket-binding="http"/>
<http-listener name="httpconfidential"
socket-binding="httpsecure"/>
<host name="default-host" alias="localhost,
example.com">
<location name="/" handler="welcome-content"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
</servlet-container>
<handlers>
<file name="welcome-content"
path="${jboss.home.dir}/welcome-content"/>
</handlers>
</subsystem>
Is there any plan to provide backward compatiblity for the secure attribute in EAP 7 ?
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)