CGI https=on not getting set with Amazon ELB

I am trying to troubleshoot why the CGI.https variable isn’t getting set correctly (currently an empty string instead of on). The setup is as follows: Cloudflare -> Amazon ELB -> Apache HTTPD -> Tomcat. Cloudflare is just doing DNS for us at the moment and the ELB is doing SSL termination. Amazon passes the header X-Forwarded-Proto which I can see is set to “https” when I dump getHttpRequestData() I have tried several variations of the Tomcat RemoteIPValve, currently it is set to:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
                    remoteIpHeader="x-forwarded-for" />

I have tried variations with trustedProxies, internalProxies, remoteIpProxiesHeader but still no luck. If I remove the protocolHeader part dumping CGI will show that the server_port is 80 and server_port_secure is 0 but when I add that attribute back to the valve it shows port 443 and server_port_secure set to 1. This leads me to believe the valve is working fine but CGI.https is still an empty string. Anyone have an idea of what I could be missing?



I always use CGI.SERVER_PORT_SECURE. I always preferred it over using CGI.https because I can test the 0|1 value as a boolean, i.e.

  // doSomething();

Instead of comparing a String, i.e. (CGI.https == "on").

What’s the benefit in using CGI.https?

Your method is much better in my opinion but the problem is that most of our old legacy code is using CGI.https. I could always do a mass find and replace and swap it out but I was hoping to avoid that.

I vote for “find and replace”, but you have another option:

You can make the CGI scope “writeable” (read-only by default), and in onRequestStart() set

    CGI.https = "on";
1 Like

FYI: The issue has been fixed today and is available in version