CGI https=on not getting set with Amazon ELB


#1

I am trying to troubleshoot why the CGI.https variable isn’t getting set correctly (currently an empty string instead of on). The setup is as follows: Cloudflare -> Amazon ELB -> Apache HTTPD -> Tomcat. Cloudflare is just doing DNS for us at the moment and the ELB is doing SSL termination. Amazon passes the header X-Forwarded-Proto which I can see is set to “https” when I dump getHttpRequestData() I have tried several variations of the Tomcat RemoteIPValve, currently it is set to:


<Valve className="org.apache.catalina.valves.RemoteIpValve"
                    protocolHeader="x-forwarded-proto"
                    remoteIpHeader="x-forwarded-for" />

I have tried variations with trustedProxies, internalProxies, remoteIpProxiesHeader but still no luck. If I remove the protocolHeader part dumping CGI will show that the server_port is 80 and server_port_secure is 0 but when I add that attribute back to the valve it shows port 443 and server_port_secure set to 1. This leads me to believe the valve is working fine but CGI.https is still an empty string. Anyone have an idea of what I could be missing?

CGI
image

GetHttpRequestData
image


#2

I always use CGI.SERVER_PORT_SECURE. I always preferred it over using CGI.https because I can test the 0|1 value as a boolean, i.e.

if (CGI.SERVER_PORT_SECURE){
  // doSomething();
}

Instead of comparing a String, i.e. (CGI.https == "on").

What’s the benefit in using CGI.https?


#3

Your method is much better in my opinion but the problem is that most of our old legacy code is using CGI.https. I could always do a mass find and replace and swap it out but I was hoping to avoid that.


#4

I vote for “find and replace”, but you have another option:

You can make the CGI scope “writeable” (read-only by default), and in onRequestStart() set

if (CGI.SERVER_PORT_SECURE)
    CGI.https = "on";

#5

FYI: The issue has been fixed today and is available in version 5.2.9.16

https://luceeserver.atlassian.net/browse/LDEV-794