TLS termination proxy and Tapestry

TLS termination proxy and Tapestry

Svein-Erik Løken
Using HAProxy or Apache HTTP Server as a TLS termination proxy, I found that setting X-Forwarded-Proto="https" in the header on the proxy makes org.apache.tapestry5.services.Request::isSecure return true. That's good!
In tapestry.production-mode=true I am getting absolute URLs, e.g. http://example.com/index.mycompo.form.
Setting -Dtapestry.secure-enabled=false seems to solve this. Now I am getting a relative URL (/index.mycompo.form).
I can see that with X-Forwarded-Proto="https" set, org.apache.tapestry5.internal.services.RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE. That's good!

To me it seems that this is the correct solution, but I would find it nice if some Tapestry experts could confirm this!

Re: TLS termination proxy and Tapestry

Dimitris Zenios
When I am doing SSL out of the servlet container (e.g. Jetty, Apache etc.) I
always set secure enabled to false.

On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:

> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> that setting X-Forwarded-Proto="https" in the header on the proxy
> org.apache.tapestry5.services.Request::isSecure returns true . That's good!
> In tapestry.production-mode=true I am getting absolute URLs. E.g.
> http://example.com/index.mycompo.form.
> By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
> getting a relative URL. (/index.mycompo.form).
> I can see that with X-Forwarded-Proto="https" set,
> org.apache.tapestry5.internal.services.
> RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> That's good!
>
> For me it seems that this is the correct solution, but I find it nice if
> some tapestry experts can confirm this!
>
>

Re: TLS termination proxy and Tapestry

Chris Poulsen
We are always setting tapestry.secure-enabled = false

--
Chris

On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:

> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
> always set secure enables to false.
>
> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
>
> > Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> > that setting X-Forwarded-Proto="https" in the header on the proxy
> > org.apache.tapestry5.services.Request::isSecure returns true . That's
> good!
> > In tapestry.production-mode=true I am getting absolute URLs. E.g.
> > http://example.com/index.mycompo.form.
> > By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
> > getting a relative URL. (/index.mycompo.form).
> > I can see that with X-Forwarded-Proto="https" set,
> > org.apache.tapestry5.internal.services.
> > RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> > That's good!
> >
> > For me it seems that this is the correct solution, but I find it nice if
> > some tapestry experts can confirm this!
> >
> >
>

RE: TLS termination proxy and Tapestry

Svein-Erik Løken
Thanks for confirmation on this!

What about making a note on this in the documentation https://tapestry.apache.org/security.html?

It's not obvious that X-Forwarded-Proto="https" should be set in the TLS termination proxy. Other X-Forwarded- headers are often set by default in the proxy, like X-Forwarded-For.

And the tapestry.secure-enabled = false.

Web sites need to be encrypted in the future to work in Chrome, Firefox… Google Will Soon Shame All Websites That Are Unencrypted: http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https.

GeoLocation stopped working in Chrome for desktop and Android, so I had to use encryption.

From: Chris Poulsen [via Apache Tapestry Mailing List Archives] [mailto:[hidden email]]
Sent: 22. juli 2016 11:35
To: Svein-Erik Løken <[hidden email]>
Subject: Re: TLS termination proxy and Tapestry

We are always setting tapestry.secure-enabled = false

--
Chris

On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:

> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
> always set secure enables to false.
>
> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
>
> > Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> > that setting X-Forwarded-Proto="https" in the header on the proxy
> > org.apache.tapestry5.services.Request::isSecure returns true . That's
> good!
> > In tapestry.production-mode=true I am getting absolute URLs. E.g.
> > http://example.com/index.mycompo.form.
> > By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
> > getting a relative URL. (/index.mycompo.form).
> > I can see that with X-Forwarded-Proto="https" set,
> > org.apache.tapestry5.internal.services.
> > RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> > That's good!
> >
> > For me it seems that this is the correct solution, but I find it nice if
> > some tapestry experts can confirm this!
> >
> >
>

Re: TLS termination proxy and Tapestry

JumpStart
When you say you are avoiding absolute URLs, where have you noticed this? I can’t recall this being a problem.

Now, I’m no expert on this kind of configuration, and it’s a while since I set this all up, so forgive me if I have my wires crossed. Also, our site’s load is small so far but growing, so all of this will be up for review soon.

In production we run pure HTTPS. We force all HTTP traffic to HTTPS by setting this in AppModule:

        public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) {
                configuration.add(MetaDataConstants.SECURE_PAGE, "true");
        }

We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is terminating the SSL/TLS.

We use:

        -Dtapestry.secure-enabled=true

We tell mod_proxy this:

        ProxyPreserveHost On

and we use the following to convert the request to AJP, because app preserves the HTTPS headers.

        ProxyPass /myapp ajp://app:8009/myapp retry=5
        ProxyPassReverse /myapp ajp://app:8009/myapp retry=5

This all works great for us. So what’s the URL issue again?

Geoff

> On 22 Jul 2016, at 5:54 PM, Svein-Erik Løken <[hidden email]> wrote:
>
> Tanks for confirmation on this!
>
> What about make note on this in the documentation https://tapestry.apache.org/security.html?
>
> It's not obvious that X-Forwarded-Proto="https" should be set in the TLS termination proxy. Other X-Forwarded- is often set default in the proxy, like X-Forwarded-For.
>
> And the tapestry.secure-enabled = false.
>
>
> Web sites need to be encrypted in the future to work in Chrome, Firefox… Google Will Soon Shame All Websites That Are Unencrypted http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https.
>
>
>
> GeoLocation stopped to work I Chrome for desktop and Android, so I had to use encryption.
>
>
>
>
> From: Chris Poulsen [via Apache Tapestry Mailing List Archives] [mailto:[hidden email]]
> Sent: 22. juli 2016 11:35
> To: Svein-Erik Løken <[hidden email]>
> Subject: Re: TLS termination proxy and Tapestry
>
> We are always setting tapestry.secure-enabled = false
>
> --
> Chris
>
> On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:
>
>> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
>> always set secure enables to false.
>>
>> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
>>
>>> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
>>> that setting X-Forwarded-Proto="https" in the header on the proxy
>>> org.apache.tapestry5.services.Request::isSecure returns true . That's
>> good!
>>> In tapestry.production-mode=true I am getting absolute URLs. E.g.
>>> http://example.com/index.mycompo.form.
>>> By setting -Dtapestry.secure-enabled=false seems to solve this. Now I am
>>> getting a relative URL. (/index.mycompo.form).
>>> I can see that with X-Forwarded-Proto="https" set,
>>> org.apache.tapestry5.internal.services.
>>> RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
>>> That's good!
>>>
>>> For me it seems that this is the correct solution, but I find it nice if
>>> some tapestry experts can confirm this!
>>>
>>>
>>
>

Re: TLS termination proxy and Tapestry

Chris Poulsen
It has been a while since we looked into this, but as far as I can remember
we needed SECURE_ENABLED=false in order to have our apps supporting both
http and https at the same time. None of our app servers are configured to
use ssl; that is always handled before the requests hit tapestry.

--
Chris

On Fri, Jul 22, 2016 at 1:23 PM, JumpStart <[hidden email]> wrote:

> When you say you are avoiding absolute URLs, where have you noticed this?
> I can’t recall this being a problem.
>
> Now, I’m no expert on this kind of configuration, and its a while since I
> set this all up, so forgive me if I have my wires crossed. Also, our site’s
> load is small so far but growing so all of this will be up for review soon.
>
> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
> setting this in AppModule:
>
>         public void contributeMetaDataLocator(MappedConfiguration<String,
> String> configuration) {
>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>         }
>
> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
> terminating the SSL/TLS.
>
> We use:
>
>         -Dtapestry.secure-enabled=true
>
> We tell mod_proxy this:
>
>         ProxyPreserveHost On
>
> and we use the following to convert the request to AJP, because app
> preserves the HTTPS headers.
>
>         ProxyPass /myapp ajp://app:8009/myapp retry=5
>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>
> This all works great for us. So what’s the URL issue again?
>
> Geoff
>
> > On 22 Jul 2016, at 5:54 PM, Svein-Erik Løken <[hidden email]> wrote:
> >
> > Tanks for confirmation on this!
> >
> > What about make note on this in the documentation
> https://tapestry.apache.org/security.html?
> >
> > It's not obvious that X-Forwarded-Proto="https" should be set in the TLS
> termination proxy. Other X-Forwarded- is often set default in the proxy,
> like X-Forwarded-For.
> >
> > And the tapestry.secure-enabled = false.
> >
> >
> > Web sites need to be encrypted in the future to work in Chrome, Firefox…
> Google Will Soon Shame All Websites That Are Unencrypted
> http://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https.
> >
> >
> >
> > GeoLocation stopped to work I Chrome for desktop and Android, so I had
> to use encryption.
> >
> >
> >
> >
> > From: Chris Poulsen [via Apache Tapestry Mailing List Archives] [mailto:[hidden email]]
> > Sent: 22. juli 2016 11:35
> > To: Svein-Erik Løken <[hidden email]>
> > Subject: Re: TLS termination proxy and Tapestry
> >
> > We are always setting tapestry.secure-enabled = false
> >
> > --
> > Chris
> >
> > On Fri, Jul 22, 2016 at 11:29 AM, Dimitris Zenios <[hidden email]> wrote:
> >
> >> When i am doing ssl out of the servlet container (eg jetty,apache etc) i
> >> always set secure enables to false.
> >>
> >> On 21 Jul 2016 12:07, "Svein-Erik Løken" <[hidden email]> wrote:
> >>
> >>> Using HAProxy or Apache HTTP Server as a TLS termination proxy I found
> >>> that setting X-Forwarded-Proto="https" in the header on the proxy
> >>> org.apache.tapestry5.services.Request::isSecure returns true . That's
> >> good!
> >>> In tapestry.production-mode=true I am getting absolute URLs. E.g.
> >>> http://example.com/index.mycompo.form.
> >>> By setting -Dtapestry.secure-enabled=false seems to solve this. Now I
> am
> >>> getting a relative URL. (/index.mycompo.form).
> >>> I can see that with X-Forwarded-Proto="https" set,
> >>> org.apache.tapestry5.internal.services.
> >>> RequestSecurityManager::checkPageSecurity returns LinkSecurity.SECURE.
> >>> That's good!
> >>>
> >>> For me it seems that this is the correct solution, but I find it nice
> if
> >>> some tapestry experts can confirm this!
> >>>
> >>>
> >>
> >

RE: TLS termination proxy and Tapestry

Svein-Erik Løken
In reply to this post by JumpStart
With my configuration with -Dtapestry.secure-enabled=true, the private String org.apache.tapestry5.internal.services.LinkImpl::buildURI(LinkSecurity security) returns the absolute URI.

Using:

        public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) {
                configuration.add(MetaDataConstants.SECURE_PAGE, "true");
        }
With -Dtapestry.secure-enabled=true also works.

Still need to set X-Forwarded-Proto="https" to have request.isSecure() return true.

Which one is the preferred method?

S-E



From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:[hidden email]]
Sent: 22. juli 2016 13:24
To: Svein-Erik Løken <[hidden email]>
Subject: Re: TLS termination proxy and Tapestry

When you say you are avoiding absolute URLs, where have you noticed this? I can’t recall this being a problem.

Now, I’m no expert on this kind of configuration, and its a while since I set this all up, so forgive me if I have my wires crossed. Also, our site’s load is small so far but growing so all of this will be up for review soon.

In production we run pure HTTPS. We force all HTTP traffic to HTTPS by setting this in AppModule:

        public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) {
                configuration.add(MetaDataConstants.SECURE_PAGE, "true");
        }

We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is terminating the SSL/TLS.

We use:

        -Dtapestry.secure-enabled=true

We tell mod_proxy this:

        ProxyPreserveHost On

and we use the following to convert the request to AJP, because app preserves the HTTPS headers.

        ProxyPass /myapp ajp://app:8009/myapp retry=5
        ProxyPassReverse /myapp ajp://app:8009/myapp retry=5

This all works great for us. So what’s the URL issue again?

Geoff



Re: TLS termination proxy and Tapestry

Dimitris Zenios
This is a snippet of nginx configuration that proxies the request to jetty
on port 8080. Via this configuration I am able to have ssl and non ssl
versions of the tapestry application. If I want to enforce only ssl version
of tapestry I enforce it via nginx. Hope that was helpful

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass       http://127.0.0.1:8080;
    }


On Fri, Jul 22, 2016 at 3:31 PM, Svein-Erik Løken <[hidden email]> wrote:

> With my configuration with -Dtapestry.secure-enabled=true the private
> String org.apache.tapestry5.internal.services.
> LinkImpl::buildURI(LinkSecurity security) return the absolute URI.
>
> Using:
>
>         public void contributeMetaDataLocator(MappedConfiguration<String,
> String> configuration) {
>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>         }
> With -Dtapestry.secure-enabled=true also works.
>
> Still need to set X-Forwarded-Proto="https" to have request.isSecure()
> return true.
>
> Which one is the preferred method?
>
> S-E
>
>
>
> From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:
> [hidden email]]
> Sent: 22. juli 2016 13:24
> To: Svein-Erik Løken <[hidden email]>
> Subject: Re: TLS termination proxy and Tapestry
>
> When you say you are avoiding absolute URLs, where have you noticed this?
> I can’t recall this being a problem.
>
> Now, I’m no expert on this kind of configuration, and its a while since I
> set this all up, so forgive me if I have my wires crossed. Also, our site’s
> load is small so far but growing so all of this will be up for review soon.
>
> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
> setting this in AppModule:
>
>         public void contributeMetaDataLocator(MappedConfiguration<String,
> String> configuration) {
>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>         }
>
> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
> terminating the SSL/TLS.
>
> We use:
>
>         -Dtapestry.secure-enabled=true
>
> We tell mod_proxy this:
>
>         ProxyPreserveHost On
>
> and we use the following to convert the request to AJP, because app
> preserves the HTTPS headers.
>
>         ProxyPass /myapp ajp://app:8009/myapp retry=5
>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>
> This all works great for us. So what’s the URL issue again?
>
> Geoff
>
>
>

Re: TLS termination proxy and Tapestry

Dimitris Zenios
Forgot to mention that I also have tapestry.security-enabled= false in my
app settings

On Fri, Jul 22, 2016 at 3:50 PM, Dimitris Zenios <[hidden email]>
wrote:

> This  is a snippet of nginx configuration that proxies the request to
> jetty on port 8080.Via this configuration i am able to have ssl and non ssl
> versions of the tapestry application.If i want to enforce only ssl version
> of tapestry i enforce it via nginx.Hope that was helpful
>
>     location / {
>         proxy_set_header X-Forwarded-Host $host;
>         proxy_set_header X-Forwarded-Server $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_pass       http://127.0.0.1:8080;
>     }
>
>
> On Fri, Jul 22, 2016 at 3:31 PM, Svein-Erik Løken <[hidden email]>
> wrote:
>
>> With my configuration with -Dtapestry.secure-enabled=true the private
>> String org.apache.tapestry5.internal.services.
>> LinkImpl::buildURI(LinkSecurity security) return the absolute URI.
>>
>> Using:
>>
>>         public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>         }
>> With -Dtapestry.secure-enabled=true also works.
>>
>> Still need to set X-Forwarded-Proto="https" to have request.isSecure()
>> return true.
>>
>> Which one is the preferred method?
>>
>> S-E
>>
>>
>>
>> From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:
>> [hidden email]]
>> Sent: 22. juli 2016 13:24
>> To: Svein-Erik Løken <[hidden email]>
>> Subject: Re: TLS termination proxy and Tapestry
>>
>> When you say you are avoiding absolute URLs, where have you noticed this?
>> I can’t recall this being a problem.
>>
>> Now, I’m no expert on this kind of configuration, and its a while since I
>> set this all up, so forgive me if I have my wires crossed. Also, our site’s
>> load is small so far but growing so all of this will be up for review soon.
>>
>> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
>> setting this in AppModule:
>>
>>         public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>         }
>>
>> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
>> terminating the SSL/TLS.
>>
>> We use:
>>
>>         -Dtapestry.secure-enabled=true
>>
>> We tell mod_proxy this:
>>
>>         ProxyPreserveHost On
>>
>> and we use the following to convert the request to AJP, because app
>> preserves the HTTPS headers.
>>
>>         ProxyPass /myapp ajp://app:8009/myapp retry=5
>>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>>
>> This all works great for us. So what’s the URL issue again?
>>
>> Geoff
>>
>>
>>
>

RE: TLS termination proxy and Tapestry

Svein-Erik Løken
My feeling is that for SSL/HTTPS set up in Jetty/Tomcat etc. (no proxy in front needed), use:

    public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration) {
        configuration.add(MetaDataConstants.SECURE_PAGE, "true");
    }

-- or secure pages with annotation:

@Secure

-- or folders with:

public void contributeMetaDataLocator(MappedConfiguration<String,String> configuration)
{
    configuration.add("admin:" + MetaDataConstants.SECURE_PAGE, "true");
}


If behind a TLS termination proxy use:
tapestry.security-enabled= false

The latter seems most intuitive also, because pages are unsecured in the tapestry application/servlet. The TLS termination proxy takes care of the security.


From: Dimitris Zenios [via Apache Tapestry Mailing List Archives] [mailto:[hidden email]]
Sent: 22. juli 2016 14:52
To: Svein-Erik Løken <[hidden email]>
Subject: Re: TLS termination proxy and Tapestry

Forgot to mention that I also have tapestry.security-enabled= false in my
app settings

On Fri, Jul 22, 2016 at 3:50 PM, Dimitris Zenios <[hidden email]>
wrote:

> This  is a snippet of nginx configuration that proxies the request to
> jetty on port 8080.Via this configuration i am able to have ssl and non ssl
> versions of the tapestry application.If i want to enforce only ssl version
> of tapestry i enforce it via nginx.Hope that was helpful
>
>     location / {
>         proxy_set_header X-Forwarded-Host $host;
>         proxy_set_header X-Forwarded-Server $host;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_pass       http://127.0.0.1:8080;
>     }
>
>
> On Fri, Jul 22, 2016 at 3:31 PM, Svein-Erik Løken <[hidden email]>
> wrote:
>
>> With my configuration with -Dtapestry.secure-enabled=true the private
>> String org.apache.tapestry5.internal.services.
>> LinkImpl::buildURI(LinkSecurity security) return the absolute URI.
>>
>> Using:
>>
>>         public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>         }
>> With -Dtapestry.secure-enabled=true also works.
>>
>> Still need to set X-Forwarded-Proto="https" to have request.isSecure()
>> return true.
>>
>> Which one is the preferred method?
>>
>> S-E
>>
>>
>>
>> From: JumpStart [via Apache Tapestry Mailing List Archives] [mailto:
>> [hidden email]]
>> Sent: 22. juli 2016 13:24
>> To: Svein-Erik Løken <[hidden email]>
>> Subject: Re: TLS termination proxy and Tapestry
>>
>> When you say you are avoiding absolute URLs, where have you noticed this?
>> I can’t recall this being a problem.
>>
>> Now, I’m no expert on this kind of configuration, and its a while since I
>> set this all up, so forgive me if I have my wires crossed. Also, our site’s
>> load is small so far but growing so all of this will be up for review soon.
>>
>> In production we run pure HTTPS. We force all HTTP traffic to HTTPS by
>> setting this in AppModule:
>>
>>         public void contributeMetaDataLocator(MappedConfiguration<String,
>> String> configuration) {
>>                 configuration.add(MetaDataConstants.SECURE_PAGE, "true");
>>         }
>>
>> We’re using mod_proxy and mod_ssl in Apache, no HAProxy. So Apache is
>> terminating the SSL/TLS.
>>
>> We use:
>>
>>         -Dtapestry.secure-enabled=true
>>
>> We tell mod_proxy this:
>>
>>         ProxyPreserveHost On
>>
>> and we use the following to convert the request to AJP, because app
>> preserves the HTTPS headers.
>>
>>         ProxyPass /myapp ajp://app:8009/myapp retry=5
>>         ProxyPassReverse /myapp ajp://app:8009/myapp retry=5
>>
>> This all works great for us. So what’s the URL issue again?
>>
>> Geoff
>>
>>
>>
>
