Hi
A week or two back Dominic from Ghana Health Service pointed out that sometimes his browser ssl padlock indicator was green (as it should be) and sometimes it went a more unhappy yellowish colour indicating that some resources on the page were being served up through http rather than https.
Turns out he was right and it was due to the fact that the tomcat server.xml element needs to be told that it is behind an ssl proxy. Otherwise it returns Location headers in redirects as http:// rather than https://. I think in most of our setups this is not a critically serious problem as we tend to set up nginx to redirect those http requests back to https anyway. But it's not a good thing because:
- transiting through the http redirect is a vulnerability - session id cookies are sent back and forth in clear text;
- it is not reassuring for users to see their browser is lukewarm about trusting the site; and
- it makes redirects (eg from the login page to the dashboard page) slower because two redirects are involved instead of one.
The fix is to add the attributes proxyPort="443" and scheme="https" to the Connector element.
I’ve fixed this now in dhis2-tools but if you are implementing a proxied setup differently, I suggest you add those attributes.
Thanks Dominic for spotting this - and sorry for doubting you
Cheers
Bob
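For anyone auditing their own proxied setup, here is an added example (not part of dhis2-tools or the commit below) that checks two things the message above describes: whether a loopback-bound Connector in server.xml is missing scheme="https" and proxyPort="443", and whether a captured redirect response carries an http:// Location header, which is the symptom Dominic noticed. The server.xml fragments, the hostname dhis.example.org and the response below are constructed sample input, and 8080 stands in for the HTTPPORT placeholder.

```python
"""Lint a Tomcat server.xml for Connectors that sit behind a TLS-terminating
reverse proxy but would still emit http:// redirects, and classify redirect
Location headers by scheme. Added example; sample data is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed 'before' fragment: the Connector is reachable only via the
# local proxy (address 127.0.0.1) but does not know the public scheme/port.
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="tomcat-http-"
              maxThreads="100" minSpareThreads="10" />
    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               executor="tomcatThreadPool" connectionTimeout="20000" />
  </Service>
</Server>
"""

# Constructed 'after' fragment: same Connector with the two attributes added.
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    'protocol="HTTP/1.1"',
    'protocol="HTTP/1.1" proxyPort="443" scheme="https"')

# Constructed redirect as Tomcat would send it when it is unaware of the
# proxy: the Location has been rewritten to http:// and the session cookie
# would travel over that cleartext hop.
SAMPLE_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                   "Location: http://dhis.example.org/dhis-web-dashboard/index.action\r\n"
                   "Set-Cookie: JSESSIONID=constructedsessionid; Path=/\r\n"
                   "Content-Length: 0\r\n\r\n")

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def check_proxied_connectors(xml_text, proxy_port="443"):
    """Return (port, problem) tuples for every Connector bound to a loopback
    address (i.e. only reachable through a local reverse proxy) that lacks
    scheme="https" or the expected proxyPort. An empty list means clean."""
    root = ET.fromstring(xml_text)
    issues = []
    for conn in root.iter("Connector"):
        if conn.get("address") not in LOOPBACK:
            continue  # directly exposed connector; not the proxied case
        port = conn.get("port", "?")
        if conn.get("scheme") != "https":
            issues.append((port, 'scheme is not "https"'))
        if conn.get("proxyPort") != proxy_port:
            issues.append((port, f'proxyPort is not "{proxy_port}"'))
    return issues


def downgraded_redirects(raw_response, public_scheme="https"):
    """Parse the header block of a raw HTTP response and return every
    Location value whose scheme differs from the site's public scheme.
    Relative Locations (no scheme) are not flagged: the browser keeps
    the current scheme for those."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "location":
            continue
        target = value.strip()
        scheme = urlsplit(target).scheme
        if scheme and scheme.lower() != public_scheme:
            found.append(target)
    return found


if __name__ == "__main__":
    for label, xml_text in (("before", SERVER_XML_BEFORE),
                            ("after", SERVER_XML_AFTER)):
        print(label, check_proxied_connectors(xml_text) or "ok")
    print("downgraded:", downgraded_redirects(SAMPLE_REDIRECT))
```

To run the Location check against a live deployment, feed `downgraded_redirects` the raw headers from a login or dashboard request (for example captured with curl -i over https); any http:// entry it returns is a redirect that will bounce the session cookie through the cleartext hop before nginx sends the browser back to https.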
revision-diff.txt (765 Bytes)
---------- Forwarded message ----------
From: noreply@launchpad.net
Date: 17 September 2013 19:58
Subject: [Dhis2-devs] [Branch ~dhis2-devs-core/dhis2/trunk] Rev 12125: dhis2-tools - minor security issue with tomcat configuration. You need to
To: DHIS 2 developers dhis2-devs@lists.launchpad.net
revno: 12125
committer: Bob Jolliffe bobjolliffe@gmail.com
branch nick: dhis2
timestamp: Tue 2013-09-17 19:55:30 +0100
message:
dhis2-tools - minor security issue with tomcat configuration. You need to
set scheme and proxyPort when proxied behind an ssl server for the dhis2 webapp
to send proper Location urls in redirects.
modified:
tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml
–
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk
Your team DHIS 2 developers is subscribed to branch lp:dhis2.
=== modified file ‘tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml’
— tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml 2013-07-01 12:34:28 +0000
+++ tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml 2013-09-17 18:55:30 +0000
@@ -12,7 +12,7 @@
<Executor name="tomcatThreadPool" namePrefix="tomcat-http-"
maxThreads="100" minSpareThreads="10" />
- <Connector port=“HTTPPORT” address=“127.0.0.1” protocol=“HTTP/1.1”
-
<Connector port=“HTTPPORT” address=“127.0.0.1” protocol=“HTTP/1.1” proxyPort=“443” scheme=“https”
executor="tomcatThreadPool" connectionTimeout="20000" />
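Review bot: proxyPort="443" and scheme="https" are hard-coded here while port stays the HTTPPORT template placeholder, so the skel will silently emit wrong Location headers again for any deployment whose TLS proxy does not listen on 443; a comment in the skel (or a second placeholder such as PROXYPORT) would make that dependency visible. Also, these two attributes only fix the redirect URL; the cleartext-cookie concern raised in the covering message is a separate matter of whether the session cookie is marked Secure, which this Connector change on its own does not address.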
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net