<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Ubuntu;
panose-1:2 11 5 4 3 6 2 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.DefaultFontHxMailStyle
{mso-style-name:"Default Font HxMail Style";
font-family:"Ubuntu",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span class=DefaultFontHxMailStyle>Just as an fyi, you can still use AJP, you just need to set the “secret” property in the connector and then within mod_jk workers file for your web server also set the “secret” to your secret you created in the connector. You also must have the patched/updated tomcat version that supports the new “secret” property.<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle>I don’t think proxy_ajp supports secret yet but mod_jk does.<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:frederic@lohier.org">Frédéric Lohier</a><br><b>Sent: </b>Monday, May 18, 2020 11:53 AM<br><b>To: </b><a href="mailto:midpoint@lists.evolveum.com">midPoint General Discussion</a><br><b>Subject: </b>[midPoint] Midpoint does not seem to respect X-Forwarded-Port header</p></div><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>Hello,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>I have the exact same issue as <a href="https://jira.evolveum.com/browse/MID-5819"><span style='color:#4285F4'>https://jira.evolveum.com/browse/MID-5819</span></a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>I was using the workaround with the AJP connector, but since the Ghostcat vulnerability (<a href="https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Ghostcat+Vulnerability+of+Apache+Tomcat"><span style='color:#4285F4'>https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Ghostcat+Vulnerability+of+Apache+Tomcat</span></a>), using the AJP is no longer a viable option for us.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>I am absolutely sure that my apache proxy sends the X-Forwarded-Proto and X-Forwarded-Port headers (checked using mod_dumpio). I added the following :<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>server.use-forward-headers: true<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>server.tomcat.protocol-header: X-Forwarded-Proto<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>server.tomcat.protocol-header-https-value: https<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>to my Midpoint (4.0.2) application.yml file, but Midpoint keeps redirecting to http instead of https.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>I cannot reopen the MID-5819 issue. Should I open a new issue?<o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#888888'><o:p> </o:p></span></p></div></div></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#888888'>-Frederic<o:p></o:p></span></p><p class=MsoNormal><span class=DefaultFontHxMailStyle><o:p> </o:p></span></p></div></body></html>