Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-20633

(7.3.z) UNDERTOW-1787 - Issues when undertow is setup behind apache proxy

XMLWordPrintable

    • False
    • False
    • +
    • Undefined
    • Hide

      The uploaded index.jsp shows the different spec attributes. Just convert it in a war app:

      jar cvf test.war index.jsp
      

      Deploy in the wildfly server and check the different options (direct access, behind a proxy, EAP 6 vs EAP 7.3,...). You will see the commended issues.

      Show
      The uploaded index.jsp shows the different spec attributes. Just convert it in a war app: jar cvf test.war index.jsp Deploy in the wildfly server and check the different options (direct access, behind a proxy, EAP 6 vs EAP 7.3,...). You will see the commended issues.

      When undertow/EAP is behind an apache proxy (ProxyPass directive, using the SSLHeaderHandler to recover SSL information from the headers) there are several issues:

      1. The session ID is obtained decoding a base64 from the header SSL_SESSION_ID value but this header is not a base64 is just an hex array (see apache doc). So the session id is incorrectly set.

      2. Related to the previous one although not related to the proxy setting, the attribute javax.servlet.request.ssl_session_id is by spec a String but undertow is setting just the byte array. The old jbossweb (EAP 6) returned also the hex dump of the byte array.

      In EAP 6 the returned attribute is just an HEX dump of the byte array:

      SSL Session ID: 2105840a61cd715fb9feeddbdd60badd73ed194c715c4bc5fa0a8c6503912799
      

      But in EAP 7.3 is the byte array itself:

      SSL Session ID: [B@6057a05
      

      3. The attribute javax.servlet.request.key_size is also sent by the apache proxy in the header SSL_CIPHER_USEKEYSIZE. Right now it is not taken into account and that spec attribute is always 0 when undertow is behind an apache proxy. This was also OK in EAP 6 / jbossweb.

      4. Finally the attribute javax.servlet.request.X509Certificate is set to the certificate in the connection if the proxy sends "(null)" in the header SSL_CLIENT_CERT. The apache proxy can be configured to request the certificate as optional, and when the final client did not send any certificate, teh proxy sends "(null)" in SSL_CLIENT_CERT. Right now it defaults to connection (and it can show the certificate configured in the apache server, the one configured in the proxy to communicate with the undertow server, which is wrong).

              rhn-support-rmartinc Ricardo Martin Camarero
              rhn-engineering-lgao Lin Gao
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: