<div dir="auto"><div>Yes indeed, but I suppose We can't do that with Midpoint in standalone mode since Tomcat is embedded and we cannot update it.</div><div dir="auto">As far as I know, Midpoint 4.0.2 is based on Spring Boot 2.1.8 which embed Tomcat 9.0.24. Tomcat was patched in version 9.0.31 for this vulnerability.</div><div dir="auto"><br></div><div dir="auto">-Frederic</div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Mon, May 18, 2020, 19:54 Jason Everling <<a href="mailto:jeverling@bshp.edu">jeverling@bshp.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="#954F72"><div class="m_3160140966010461373WordSection1"><p class="MsoNormal"><span class="m_3160140966010461373DefaultFontHxMailStyle">Just as an fyi, you can still use AJP, you just need to set the “secret” property in the connector and then within mod_jk workers file for your web server also set the “secret” to your secret you created in the connector. 
You also must have the patched/updated tomcat version that supports the new “secret” property.<u></u><u></u></span></p><p class="MsoNormal"><span class="m_3160140966010461373DefaultFontHxMailStyle"><u></u> <u></u></span></p><p class="MsoNormal"><span class="m_3160140966010461373DefaultFontHxMailStyle">I don’t think proxy_ajp supports secret yet but mod_jk does.<u></u><u></u></span></p><p class="MsoNormal"><span class="m_3160140966010461373DefaultFontHxMailStyle"><u></u> <u></u></span></p><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:frederic@lohier.org" target="_blank" rel="noreferrer">Frédéric Lohier</a><br><b>Sent: </b>Monday, May 18, 2020 11:53 AM<br><b>To: </b><a href="mailto:midpoint@lists.evolveum.com" target="_blank" rel="noreferrer">midPoint General Discussion</a><br><b>Subject: </b>[midPoint] Midpoint does not seem to respect X-Forwarded-Port header</p></div><p class="MsoNormal"><span class="m_3160140966010461373DefaultFontHxMailStyle"><u></u> <u></u></span></p><div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">Hello,<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">I have the exact same issue as <a href="https://jira.evolveum.com/browse/MID-5819" target="_blank" rel="noreferrer"><span style="color:#4285f4">https://jira.evolveum.com/browse/MID-5819</span></a><u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">I was using the workaround with the AJP connector, but since the Ghostcat vulnerability (<a 
href="https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Ghostcat+Vulnerability+of+Apache+Tomcat" target="_blank" rel="noreferrer"><span style="color:#4285f4">https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Ghostcat+Vulnerability+of+Apache+Tomcat</span></a>), using the AJP is no longer a viable option for us.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">I am absolutely sure that my apache proxy sends the X-Forwarded-Proto and X-Forwarded-Port headers (checked using mod_dumpio). I added the following :<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">server.use-forward-headers: true<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">server.tomcat.protocol-header: X-Forwarded-Proto<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">server.tomcat.protocol-header-https-value: https<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">to my Midpoint (4.0.2) application.yml file, but Midpoint keeps redirecting to http instead of https.<u></u><u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><u></u> <u></u></span></p></div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif">I cannot reopen the MID-5819 issue. 
Should I open a new issue?<u></u><u></u></span></p></div><div><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#888888"><u></u> <u></u></span></p></div></div></div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:#888888">-Frederic<u></u><u></u></span></p><p class="MsoNormal"><span class="m_3160140966010461373DefaultFontHxMailStyle"><u></u> <u></u></span></p></div></div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank" rel="noreferrer">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div></div></div>
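An added check for the AJP hardening Jason describes in the thread (a connector "secret" plus the matching mod_jk worker secret); this is example code written for this page, not midPoint, Tomcat or mod_jk code, and it applies to an external Tomcat's server.xml rather than to the embedded Tomcat of midPoint in standalone mode. The server.xml, workers.properties, the worker name and the placeholder secret are constructed.

```python
# Added audit for the AJP hardening described above; not midPoint, Tomcat or mod_jk code.
import xml.etree.ElementTree as ET
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Constructed server.xml: port 8009 is unprotected, port 8010 is hardened.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false"/>
  <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
</Service></Server>"""

# Constructed mod_jk workers.properties pointing at the hardened connector.
SAMPLE_WORKERS = """worker.list=midpoint
worker.midpoint.type=ajp13
worker.midpoint.host=127.0.0.1
worker.midpoint.port=8010
worker.midpoint.secret=REPLACE-WITH-RANDOM-SECRET"""

def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """One finding per AJP connector; an empty issue list means hardened."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        issues = []
        # Tomcat before 9.0.31 bound AJP to all interfaces when no address was set.
        if conn.get("address", "0.0.0.0") not in LOOPBACK:
            issues.append("not bound to loopback")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired disabled")
        if not conn.get("secret"):
            issues.append("no secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings

def parse_properties(text: str) -> dict[str, str]:
    # Minimal key=value parser for workers.properties (comments and blank lines skipped).
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def worker_secrets_match(server_xml: str, workers_properties: str) -> bool:
    """True when every listed worker's secret equals that of the connector on its port."""
    secret_by_port = {c.get("port"): c.get("secret") for c in ET.fromstring(server_xml).iter("Connector")}
    props = parse_properties(workers_properties)
    for name in map(str.strip, props.get("worker.list", "").split(",")):
        expected = secret_by_port.get(props.get(f"worker.{name}.port"))
        if expected is None or props.get(f"worker.{name}.secret") != expected:
            return False
    return True
```

Run it against a real server.xml and workers.properties to confirm that no AJP connector is exposed without a secret and that the secret on both sides agrees.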