We use Apache web servers to communicate with our OFBiz servers using a combination of mod_jk and mod_proxy. For our mod_proxy configuration, we forward secure requests (https) from Apache to a non-secure port (8080) on Tomcat/OFBiz.

Our application is an AJAX/Dojo application that posts normal HTTP requests to the web server, but when we do this we frequently get the following messages:

2010-03-01 13:32:18,890 (http-0.0.0.0-8080-6) [ RequestHandler.java:186:ERROR] Got a insecure (non-https) form POST to a secure (http) request [jsonservice], returning error
2010-03-01 13:32:18,906 (http-0.0.0.0-8080-6) [ RequestHandler.java:204:WARN ] HTTPS is disabled for this site, so we can't tell if this was encrypted or not which means if a form was POSTed and it was not over HTTPS we don't know, but it would be vulnerable to an XSRF and other attacks: Not accepting insecure form data posted to a secure request

I understand the reason for the error message and the potential security problems if our Tomcat/OFBiz application server was the front-facing server, but in our environment the Tomcat/OFBiz servers are only accessible via Apache. The request from the user is secure.

I don't believe the error causes any problems for us (transaction rollbacks, etc.), but we would like to eliminate all false error messages in our logs so we can focus on more critical ones.

What is the recommendation from the community for avoiding these types of messages when using an Apache to Tomcat configuration? Are others working around these issues when they use Apache mod_proxy?

Brett
On 4/03/2010, at 10:50 AM, Brett Palmer wrote:
> We use Apache web servers to communicate with our OFBiz servers using a
> combination of mod_jk and mod_proxy. For our mod_proxy configuration, we
> forward secure requests (https) from Apache to a non-secure port (8080) on
> Tomcat/OFBiz.

Hi Brett

Why do you transfer from https to http? If you stopped doing that wouldn't all your problems go away?

Regards
Scott
Scott,

We don't really have a good reason for turning it off. Here were some of the reasons:

- The initial thought was that secure connections between web and application servers were not necessary as these are behind the firewall.
- We also thought we might be improving performance by not encrypting requests between servers, but we never verified these benefits.
- We also use mod_jk and it communicates insecurely using its own AJP protocol.

Is your recommendation to turn on security and have mod_proxy communicate directly to port 8443?

Brett

On Thu, Mar 4, 2010 at 11:00 AM, Scott Gray wrote:
> Why do you transfer from https to http? If you stopped doing that wouldn't
> all your problems go away?
I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.

The options as I see it are:
1. Switch back to using https
2. Submit patches so that these warnings/errors aren't logged for every request, perhaps just at startup, or perhaps have another configuration option to disable the warnings

It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB, but I would recommend that maintaining it should be your highest priority.

Regards
Scott

On 4/03/2010, at 11:21 AM, Brett Palmer wrote:
> Is your recommendation to turn on security and have mod_proxy communicate
> directly to port 8443?
Scott Gray wrote:
> I don't have a recommendation as such, it was just a thought to get you to the quickest possible solution.
>
> The options as I see it are:
> 1. Switch back to using https
> 2. Submit patches so that these warnings/error aren't logged for every request, perhaps just at startup or perhaps have another configuration to disable the warnings
>
> It wasn't clear to me how you are ensuring the same level of security that OFBiz provides OOTB but I would recommend that maintaining it should be your highest priority.

I agree with this. Don't assume the network behind the firewall is safe. Enable security wherever and whenever possible.
Also, you might be interested in mod_proxy_ajp, a simple setting here:

http://cwiki.apache.org/confluence/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD

Jacques

From: "Adrian Crum"
> I agree with this. Don't assume the network behind the firewall is safe. Enable security wherever and whenever possible.
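The two fixes the thread names, Scott's option 1 (keep https between Apache and Tomcat) and Jacques's mod_proxy_ajp pointer, shown as an added Apache httpd configuration example. This is not configuration from the thread, from the linked wiki page, or from the OFBiz project; the host name ofbiz.internal, the site name shop.example.com, the certificate paths, the /webtools path and the Tomcat ports 8080, 8443 and 8009 are assumptions. The first VirtualHost is the setup Brett describes, which re-originates the browser's https request in clear text and so triggers the RequestHandler messages; the second and third are the alternatives, and only one of the three should be active for a given ServerName.

```apache
# Added example, not from the thread or the OFBiz project.
# Assumed: ofbiz.internal runs Tomcat/OFBiz with HTTP on 8080, HTTPS on 8443
# and AJP on 8009; /etc/ssl/ofbiz-ca.pem is the CA that signed Tomcat's cert.

# --- As described in the thread: TLS terminated at Apache, plain HTTP to Tomcat ---
# Tomcat's 8080 connector sees a non-https POST, which is what the
# "insecure (non-https) form POST to a secure request" message reports.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/shop.example.com.key

    ProxyPass        /webtools http://ofbiz.internal:8080/webtools
    ProxyPassReverse /webtools http://ofbiz.internal:8080/webtools
</VirtualHost>

# --- Option 1: https end to end, Apache -> Tomcat 8443 ---
# SSLProxyEngine must be on before mod_proxy will open TLS to a backend.
# SSLProxyVerify plus SSLProxyCACertificateFile make Apache validate the
# Tomcat certificate rather than trust anything that answers on the LAN;
# without them the hop is encrypted but not authenticated.
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/shop.example.com.key

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/ofbiz-ca.pem
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    ProxyPass        /webtools https://ofbiz.internal:8443/webtools
    ProxyPassReverse /webtools https://ofbiz.internal:8443/webtools
</VirtualHost>

# --- Jacques's pointer: mod_proxy_ajp to Tomcat's AJP connector ---
# AJP forwards the client connection's SSL flag, scheme and Host to Tomcat,
# so the application sees the request as secure and generates correct
# redirects without ProxyPassReverse. The AJP hop itself is unencrypted,
# the same trade-off Brett describes for mod_jk.
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
<VirtualHost *:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/shop.example.com.key

    ProxyPass /webtools ajp://ofbiz.internal:8009/webtools
</VirtualHost>
```

Two checks after switching to the second configuration: the RequestHandler ERROR/WARN lines for the AJAX POSTs should stop, and replacing /etc/ssl/ofbiz-ca.pem with a CA that did not sign the Tomcat certificate should make Apache refuse to proxy (a proxy error to the browser and a mod_ssl verification failure in the Apache error log) rather than silently fall back. On httpd 2.4.5 and later, SSLProxyCheckPeerName supersedes SSLProxyCheckPeerCN for hostname checking.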
Thanks, that was a helpful link.

We are still trying to determine what performs better, mod_jk or mod_proxy. We thought we found some bottlenecks under heavy loads with mod_jk but we never confirmed that. I'll update the group on our findings as we discover them.

Brett

On Thu, Mar 4, 2010 at 1:35 PM, Jacques Le Roux wrote:
> Also you might be interested by mod_proxy_ajp, a simple setting here
> http://cwiki.apache.org/confluence/display/OFBIZ/FAQ+-+Tips+-+Tricks+-+Cookbook+-+HowTo#FAQ-Tips-Tricks-Cookbook-HowTo-HTTPD