Lucee Apache->Tomcat SSL/HTTPS Details

Hi,
I remember some time ago an article on fixing the issue where Tomcat isn’t picking up the SSL/HTTPS configuration from Apache. Using the latest of everything including mod_cfml but when dumping HTTPS data using either HTTP or HTTPS the output is always the same:

https - on
request_method - GET
server_name - http://domain.com/ssltest.cfm
server_port - 80
server_port_secure - 0
server_protocol - HTTP/1.1

Anyone know what is required in the connectors that will bring HTTPS data?

Server is a CentOS 7 server with mod_cfml.

Thanks!

Was the first request after you start the service with http or https?

When you proxy your http / https requests to tomcat, the protocol of the proxy is http. Lucee doesn’t know what protocol is used before the proxy. You will have to pass this info with an additional header in the https apache virtual hosts config. Communication between client and webserver remains secure, only the communication behind your proxy internally is http:

<IfModule mod_proxy.c>
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPreserveHost On
        ProxyPassMatch ^/(index\.cfm)(/.*)?$ http://127.0.0.1:8888/$1$2
        ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>

Check the header value of X-forwarded-Proto to let Lucee know the original protocol was https.

By default the Tomcat instance is configured with the HTTP/1.1 protocol, however it is possible to configure an instance with the HTTPS protocol: Apache Tomcat 8 (8.0.53) - SSL/TLS Configuration HOW-TO

@Jan_Verschueren That is what I was looking for! Will make sure bookmark it so I won’t forget in the future!

When calling a page with https:// the variable #CGI.HTTPS# isn’t working anymore with Lucee 5.2.9.31 and higher version up to yesterdays snapshot 5.3.2.45.

I get the value “off”

In apache config file httpd.conf ProxyPreserverHost is set:

<IfModule mod_proxy.c>
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPreserveHost On

In the file server.xml in the host configuration I have set
<Valve className="org.apache.catalina.valves.RemoteIpValve" />

Lucee 5.2.8.50 returns the correct value “on”.
Higher versions not.

I’m using CentOS 7, Apache, Tomcat 8.

Any ideas how I can solve this?

https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html

The valve has no default for protocol header, so that header is never read.

This is not a Lucee issue, it’s a Tomcat issue.

Configure the remoteIP valve to read the headers you’re passing.

i.e.


<Valve

className="org.apache.catalina.valves.RemoteIpValve"

remoteIpHeader="x-forwarded-for"

proxiesHeader="x-forwarded-by"

protocolHeader="x-forwarded-proto"

/>

1 Like

Thank you, this pointed me to the right direction and I found the solution.

In the server.xml file I added to the host-section

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />

In the apache http.conf file, in the IfModule mod_proxy_c section there has to be the entry

<IfModule mod_proxy.c>
        ProxyPreserveHost On

In the apache SSL conf file in the VirtualHost Tag there has to be

RequestHeader set X-Forwarded-Proto "https"