When undertow/EAP is behind an apache proxy (ProxyPass directive, using the SSLHeaderHandler to recover SSL information from the headers) there are several issues:
1. The session ID is obtained decoding a base64 from the header SSL_SESSION_ID value but this header is not a base64 is just an hex array (see apache doc). So the session id is incorrectly set.
2. Related to the previous one although not related to the proxy setting, the attribute javax.servlet.request.ssl_session_id is by spec a String but undertow is setting just the byte array. The old jbossweb (EAP 6) returned also the hex dump of the byte array.
In EAP 6 the returned attribute is just an HEX dump of the byte array:
SSL Session ID: 2105840a61cd715fb9feeddbdd60badd73ed194c715c4bc5fa0a8c6503912799
But in EAP 7.3 is the byte array itself:
SSL Session ID: [B@6057a05
3. The attribute javax.servlet.request.key_size is also sent by the apache proxy in the header SSL_CIPHER_USEKEYSIZE. Right now it is not taken into account and that spec attribute is always 0 when undertow is behind an apache proxy. This was also OK in EAP 6 / jbossweb.
4. Finally the attribute javax.servlet.request.X509Certificate is set to the certificate in the connection if the proxy sends "(null)" in the header SSL_CLIENT_CERT. The apache proxy can be configured to request the certificate as optional, and when the final client did not send any certificate, teh proxy sends "(null)" in SSL_CLIENT_CERT. Right now it defaults to connection (and it can show the certificate configured in the apache server, the one configured in the proxy to communicate with the undertow server, which is wrong).
UNDERTOW-1787 Issues when undertow is setup behind apache proxy
- is incorporated by
JBEAP-20288 [GSS] (7.3.z) Upgrade undertow from 2.0.32.SP1-redhat to 2.0.33.SP2-redhat