[midPoint] Midpoint does not seem to respect X-Forwarded-Port header

Frédéric Lohier frederic at lohier.org
Tue May 19 13:38:29 CEST 2020


Yes indeed, but I suppose we can't do that with Midpoint in standalone mode
since Tomcat is embedded and we cannot update it.
As far as I know, Midpoint 4.0.2 is based on Spring Boot 2.1.8, which embeds
Tomcat 9.0.24. Tomcat was patched in version 9.0.31 for this vulnerability.

-Frederic

On Mon, May 18, 2020, 19:54 Jason Everling <jeverling at bshp.edu> wrote:

> Just as an FYI, you can still use AJP, you just need to set the “secret”
> property in the connector and then within mod_jk workers file for your web
> server also set the “secret” to your secret you created in the connector.
> You also must have the patched/updated Tomcat version that supports the new
> “secret” property.
>
> I don’t think proxy_ajp supports secret yet but mod_jk does.
>
> *From: *Frédéric Lohier <frederic at lohier.org>
> *Sent: *Monday, May 18, 2020 11:53 AM
> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
> *Subject: *[midPoint] Midpoint does not seem to respect X-Forwarded-Port
> header
>
>
>
> Hello,
>
>
>
> I have the exact same issue as https://jira.evolveum.com/browse/MID-5819
>
>
>
> I was using the workaround with the AJP connector, but since the Ghostcat
> vulnerability (
> https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Ghostcat+Vulnerability+of+Apache+Tomcat),
> using the AJP is no longer a viable option for us.
>
>
>
> I am absolutely sure that my Apache proxy sends the X-Forwarded-Proto and
> X-Forwarded-Port headers (checked using mod_dumpio). I added the following:
>
> server.use-forward-headers: true
> server.tomcat.protocol-header: X-Forwarded-Proto
> server.tomcat.protocol-header-https-value: https
>
> to my Midpoint (4.0.2) application.yml file, but Midpoint keeps
> redirecting to http instead of https.
>
>
>
> I cannot reopen the MID-5819 issue. Should I open a new issue?
>
>
>
> -Frederic
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
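
An added example, not part of the original thread and not midPoint or Tomcat code: a small audit of the setup discussed above, checking that each AJP connector in server.xml sets a secret, that the mod_jk worker pointing at the same port carries the same secret, and that the Tomcat version is at least the 9.0.31 named in the thread. The file contents, the worker name "midpoint" and the secret value are constructed placeholders; workers are matched to connectors by port, which is an assumption of this sketch.

```python
import re
import xml.etree.ElementTree as ET

MIN_PATCHED = (9, 0, 31)  # 9.0.x release named in the thread as carrying the fix

# Constructed sample files; the worker name and secret value are placeholders.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secret="EXAMPLE-ONLY-SECRET"/>
</Service></Server>"""
WORKERS = """worker.list=midpoint
worker.midpoint.type=ajp13
worker.midpoint.host=127.0.0.1
worker.midpoint.port=8009
worker.midpoint.secret=EXAMPLE-ONLY-SECRET
"""

def worker_props(text):
    """Parse workers.properties into a dict, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(server_xml, workers_text, tomcat_version):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if tuple(int(p) for p in tomcat_version.split(".")) < MIN_PATCHED:
        findings.append(f"Tomcat {tomcat_version} is older than 9.0.31")
    props = worker_props(workers_text)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # only AJP connectors are in scope
        port, secret = conn.get("port"), conn.get("secret")
        if not secret:
            findings.append(f"AJP connector on port {port} has no secret")
            continue
        for key, value in props.items():
            m = re.fullmatch(r"worker\.([^.]+)\.port", key)
            if m and value == port and props.get(f"worker.{m.group(1)}.secret") != secret:
                findings.append(f"worker {m.group(1)} secret differs from connector on port {port}")
    return findings

if __name__ == "__main__":
    for version in ("9.0.24", "9.0.31"):
        print(version, audit(SERVER_XML, WORKERS, version) or "ok")
```

Findings never include the secret value itself, so the output is safe to paste into a ticket.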