[Dhis2-devs] [Branch ~dhis2-devs-core/dhis2/trunk] Rev 12125: dhis2-tools - minor security issue with tomcat configuration. You need to


A week or two back Dominic from Ghana Health Service pointed out that sometimes his browser ssl padlock indicator was green (as it should be) and sometimes it went a more unhappy yellowish colour indicating that some resources on the page were being served up through http rather than https.

Turns out he was right and it was due to the fact that the tomcat server.xml element needs to be told that it is behind an ssl proxy. Otherwise it returns Location headers in redirects as http:// rather than https://. I think in most of our setups this is not a critically serious problem as we tend to set up nginx to redirect those http requests back to https anyway. But it's not a good thing because:

  1. transiting through the http redirect is a vulnerability - session id cookies are sent back and forth in clear text

  2. it is not reassuring for users to see their browser is lukewarm about trusting the site; and

  3. it makes redirects (e.g. from the login page to the dashboard page) slower because two redirects are involved instead of one.

The fix is to add the attributes proxyPort="443" and scheme="https" to the Connector element.

I’ve fixed this now in dhis2-tools but if you are implementing a proxied setup differently, I suggest you add those attributes.

Thanks Dominic for spotting this - and sorry for doubting you :slight_smile:



revision-diff.txt (765 Bytes)
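The mechanism described above, as an added example that is not part of the original post or of the dhis2-tools package: a small model of how a servlet container behind a TLS-terminating proxy assembles an absolute Location header from the connector's scheme and proxyPort attributes, plus a checker that flags the https-to-http downgrade in captured redirect responses. The redirect construction is a simplified model of Tomcat's behaviour (scheme, server name from the forwarded Host header, port omitted when it is the default for the scheme), and the host name, path and sample responses are constructed.

```python
"""Model of absolute Location construction behind an SSL proxy, with a
downgrade checker. Added example; not DHIS2 or dhis2-tools code.

The redirect construction is a simplified model of Tomcat's behaviour
(assumption); the sample Location headers below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Connector:
    """The subset of <Connector> attributes that affect redirect URLs."""
    port: int                        # listening port (HTTPPORT in the skel)
    scheme: str = "http"             # what request.getScheme() reports
    proxy_port: Optional[int] = None  # overrides request.getServerPort()


def absolute_location(conn: Connector, host: str, path: str) -> str:
    """Build the absolute URL a container puts in Location for a relative redirect.

    Scheme comes from the connector's scheme attribute, the port from proxyPort
    (falling back to the listening port) and the host from the Host header the
    proxy forwarded. The port is omitted when it is the default for the scheme.
    """
    port = conn.proxy_port if conn.proxy_port is not None else conn.port
    netloc = host if port == DEFAULT_PORTS[conn.scheme] else f"{host}:{port}"
    return f"{conn.scheme}://{netloc}{path}"


def is_downgrade(location: str, original_scheme: str = "https") -> bool:
    """True when a Location header sends an https client to a plain-http URL.

    Relative Locations (no scheme) keep the client's scheme and are not flagged.
    """
    return original_scheme == "https" and urlsplit(location).scheme == "http"


def audit_redirects(responses: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return the (status, Location) pairs from captured redirects that downgrade."""
    return [(status, loc) for status, loc in responses if is_downgrade(loc)]


# Constructed sample: two captured redirect responses, one from an
# unconfigured connector and one from a connector with the proxy attributes.
HOST = "dhis.example.org"          # constructed host name
PATH = "/dhis/dashboard"           # constructed path
UNCONFIGURED = Connector(port=8080)
PROXIED = Connector(port=8080, scheme="https", proxy_port=443)
SAMPLE_RESPONSES = [
    (302, absolute_location(UNCONFIGURED, HOST, PATH)),
    (302, absolute_location(PROXIED, HOST, PATH)),
]

if __name__ == "__main__":
    for status, loc in SAMPLE_RESPONSES:
        flag = "DOWNGRADE" if is_downgrade(loc) else "ok"
        print(f"{status} Location: {loc}  [{flag}]")
```

Running the module prints one flagged and one clean redirect; in practice the same `audit_redirects` check can be run over Location headers recorded from a browser or proxy log to confirm that no redirect leaves the https origin.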


---------- Forwarded message ----------
From: noreply@launchpad.net

Date: 17 September 2013 19:58
Subject: [Dhis2-devs] [Branch ~dhis2-devs-core/dhis2/trunk] Rev 12125: dhis2-tools - minor security issue with tomcat configuration. You need to
To: DHIS 2 developers dhis2-devs@lists.launchpad.net

revno: 12125

committer: Bob Jolliffe bobjolliffe@gmail.com

branch nick: dhis2

timestamp: Tue 2013-09-17 19:55:30 +0100


dhis2-tools - minor security issue with tomcat configuration. You need to

set scheme and proxyPort when proxied behind an ssl server for the dhis2 webapp

to send proper Location urls in redirects.






=== modified file ‘tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml’

— tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml 2013-07-01 12:34:28 +0000

+++ tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml 2013-09-17 18:55:30 +0000

@@ -12,7 +12,7 @@

 <Executor name="tomcatThreadPool" namePrefix="tomcat-http-"

        maxThreads="100" minSpareThreads="10" />
  • <Connector port=“HTTPPORT” address=“” protocol=“HTTP/1.1”
  • <Connector port=“HTTPPORT” address=“” protocol=“HTTP/1.1” proxyPort=“443” scheme=“https”

       executor="tomcatThreadPool" connectionTimeout="20000" />
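Review bot: hard-coding scheme="https" and proxyPort="443" on the only HTTP connector, which still binds address="" (all interfaces) on HTTPPORT, means any client that reaches HTTPPORT directly rather than through the ssl proxy is told it is on https and gets redirected to port 443, so the skel should make clear that this connector is only to be reached via the proxy; consider binding it to the loopback address when nginx runs on the same host, and add a comment above the Connector saying the two attributes exist to make Location headers https://.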

Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net
