
dhis2-users team mailing list archive

Fwd: [Dhis2-devs] [Branch ~dhis2-devs-core/dhis2/trunk] Rev 12125: dhis2-tools - minor security issue with tomcat configuration. You need to

 

Hi

A week or two back Dominic from Ghana Health Service pointed out that
sometimes his browser ssl padlock indicator was green (as it should be) and
sometimes it went a more unhappy yellowish colour indicating that some
resources on the page were being served up through http rather than https.

Turns out he was right and it was due to the fact that the tomcat server.xml
<Connector> element needs to be told that it is behind an ssl proxy.
 Otherwise it returns Location headers in redirects as http:// rather than
https://.  I think in most of our setups this is not a critically serious
problem as we tend to set up nginx to redirect those http requests back to
https anyway.  But it's not a good thing because:

1. transiting through the http redirect is a vulnerability - session id
cookies are sent back and forth in clear text
2. it is not reassuring for users to see their browser is lukewarm about
trusting the site; and
3. it makes redirects (e.g. from the login page to the dashboard page) slower
because two redirects are involved instead of one.

The fix is to add the attributes proxyPort="443" and scheme="https" to the
Connector element.

I've fixed this now in dhis2-tools but if you are implementing a proxied
setup differently, I suggest you add those attributes.

Thanks Dominic for spotting this - and sorry for doubting you :-)

Cheers
Bob
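An added worked example, not part of the original mail or of dhis2-tools: an offline check for the misconfiguration Bob describes. It parses a Tomcat server.xml, flags loopback-bound HTTP connectors that are meant to sit behind a TLS-terminating reverse proxy but lack the proxy attributes, and shows the Location header the container would send for a relative redirect under the "before" and "after" configurations. The two server.xml fragments are constructed samples modelled on the diff below; the hostname dhis.example.org and the dashboard path are assumptions. The redirect model is a deliberate simplification of Tomcat's documented behaviour (scheme from the connector's `scheme`; port from `proxyPort` if set, else from the Host header, else the default for `secure`; default ports omitted from the URL), not Tomcat's own code. It also checks `secure="true"`, which the commit does not set but which is what makes `request.isSecure()` true behind the proxy.

```python
"""Offline lint for Tomcat <Connector> elements sitting behind a TLS proxy.

Added example, not code from the original page or from dhis2-tools.
"""
import xml.etree.ElementTree as ET

# Constructed sample (assumption): the skeleton connector before the fix.
BEFORE_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               executor="tomcatThreadPool" connectionTimeout="20000" />
  </Service>
</Server>"""

# Constructed sample (assumption): the attributes from the commit plus
# secure="true", so request.isSecure() is true and the session cookie
# is flagged Secure even though Tomcat itself only speaks plain HTTP.
AFTER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
               proxyPort="443" scheme="https" secure="true"
               executor="tomcatThreadPool" connectionTimeout="20000" />
  </Service>
</Server>"""

# What a connector behind an https reverse proxy on :443 should carry.
REQUIRED_BEHIND_TLS_PROXY = {"scheme": "https", "proxyPort": "443", "secure": "true"}


def http_connectors(server_xml: str) -> list:
    """Return the attribute dict of every plain-HTTP Connector in server.xml."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
        if not ssl_enabled and "AJP" not in proto:
            found.append(dict(conn.attrib))
    return found


def lint_connector(attrs: dict) -> list:
    """Findings for a connector expected to sit behind a TLS-terminating proxy."""
    findings = []
    for name, want in REQUIRED_BEHIND_TLS_PROXY.items():
        have = attrs.get(name)
        if have is None:
            findings.append(f'missing {name}="{want}"')
        elif have != want:
            findings.append(f'{name}="{have}", expected "{want}"')
    return findings


def redirect_location(attrs: dict, host_header: str, path: str) -> str:
    """Absolute URL a container would put in Location for a relative redirect.

    Simplified model (assumption): scheme comes from the connector's `scheme`;
    the port is `proxyPort` if set, else the port in the Host header, else the
    default port implied by `secure`; a default port is left out of the URL.
    """
    scheme = attrs.get("scheme", "http")
    name, _, header_port = host_header.partition(":")
    if attrs.get("proxyPort"):
        port = int(attrs["proxyPort"])
    elif header_port:
        port = int(header_port)
    else:
        port = 443 if attrs.get("secure", "false").lower() == "true" else 80
    default_port = 443 if scheme == "https" else 80
    authority = name if port == default_port else f"{name}:{port}"
    return f"{scheme}://{authority}{path}"


def check(server_xml: str, host_header: str = "dhis.example.org",
          path: str = "/dhis/dhis-web-dashboard/") -> list:
    """Pair each HTTP connector's findings with the redirect it would produce."""
    return [(lint_connector(a), redirect_location(a, host_header, path))
            for a in http_connectors(server_xml)]


if __name__ == "__main__":
    for label, xml in (("before", BEFORE_XML), ("after", AFTER_XML)):
        for findings, location in check(xml):
            print(f"{label}: Location: {location}")
            for finding in findings:
                print(f"  - {finding}")
```

Run it as-is to see the "before" connector redirect to a plain http:// URL (the yellow padlock and the extra nginx hop) and the "after" connector redirect straight to https://; point `check()` at a real server.xml read from disk to lint a live deployment.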

---------- Forwarded message ----------
From: <noreply@xxxxxxxxxxxxx>
Date: 17 September 2013 19:58
Subject: [Dhis2-devs] [Branch ~dhis2-devs-core/dhis2/trunk] Rev 12125:
dhis2-tools - minor security issue with tomcat configuration. You need to
To: DHIS 2 developers <dhis2-devs@xxxxxxxxxxxxxxxxxxx>


------------------------------------------------------------
revno: 12125
committer: Bob Jolliffe <bobjolliffe@xxxxxxxxx>
branch nick: dhis2
timestamp: Tue 2013-09-17 19:55:30 +0100
message:
  dhis2-tools - minor security issue with tomcat configuration.  You need to
  set scheme and proxyPort when proxied behind an ssl server for the dhis2 webapp
  to send proper Location urls in redirects.
modified:
  tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

Your team DHIS 2 developers is subscribed to branch lp:dhis2.
To unsubscribe from this branch go to
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk/+edit-subscription


_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~dhis2-devs
More help   : https://help.launchpad.net/ListHelp
=== modified file 'tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml'
--- tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml	2013-07-01 12:34:28 +0000
+++ tools/dhis2-tools-deb/pkg/usr/share/dhis2-tools/skel/conf/server.xml	2013-09-17 18:55:30 +0000
@@ -12,7 +12,7 @@
     <Executor name="tomcatThreadPool" namePrefix="tomcat-http-" 
            maxThreads="100" minSpareThreads="10" /> 
                     
-    <Connector port="HTTPPORT" address="127.0.0.1" protocol="HTTP/1.1" 
+    <Connector port="HTTPPORT" address="127.0.0.1" protocol="HTTP/1.1" proxyPort="443" scheme="https"  
            executor="tomcatThreadPool" connectionTimeout="20000" />
  
     <Engine name="Catalina" defaultHost="localhost">
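Review bot: the new `proxyPort="443" scheme="https"` on the Connector fixes the scheme and port in redirect Location headers, but it leaves `request.isSecure()` false, so Tomcat will not mark the JSESSIONID cookie as Secure; add `secure="true"` alongside the two new attributes on the `+` line, which is what the mail's point 1 (session cookies crossing the http hop) actually needs. Also note that `proxyPort="443"` hard-codes the public port: if the nginx front end is ever served on a different port the value must change with it, and if the proxy does not forward the original Host header a `proxyName` is needed as well, otherwise Location will name the wrong host. The skeleton carries no comment explaining why these attributes are required for a proxied deployment; a one-line comment next to the Connector would stop someone removing them later.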