Secure traffic on reverse proxy and ShibUseHeaders

Cantor, Scott cantor.2 at osu.edu
Wed Nov 28 10:22:04 EST 2012


> I think I'm going to go with Tomcat using HTTPS APR connector, and passing
> the details in the header using mod_proxy_http (https), as the tunnelling
> would be adding another layer of complexity (as we have *lots* of different
> tomcats and other containers to proxy to)

It's a personal opinion, I guess, but I think HTTP proxying is much more complex than AJP proxying.

> It's really good to know the spoof checking stuff should keep me safe in
> Apache. Is there any risk that the Apache 2.4 API changes could have
> stopped this working?

There were no changes to header behavior. Apache has very simple code for translating headers into CGI variable names, which means I can predict whether a given header will match a header I control by just applying the same logic.

IIS has undocumented, and in some cases, flat broken rules for this translation. They actually violate the CGI conventions on this, and spent more time defending that decision on a blog than just fixing the bug because they had code that depended on the broken way of doing it.

And then on top of that, they do very questionable things inside the ASP and ASP.NET APIs to expose headers, which results in different behavior depending on how you do it.

-- Scott
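The header-to-CGI-variable translation Scott refers to is what makes header spoofing detectable: if the translation is predictable, a front end can tell which client-supplied header names would land on the same variable as one the SP sets. The following is an added illustration, not code from the thread or from Shibboleth or Apache; the translation rule is my model of Apache's logic (check util_script.c for your version), and the header names and request are constructed samples.

```python
import re

# Model of the header -> CGI variable translation: prefix "HTTP_", uppercase,
# and every character that is not a letter or digit (notably '-') becomes '_'.
# This is an illustrative reading of Apache's rule, not Apache's code.
def cgi_name(header_name: str) -> str:
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def spoof_check(incoming_headers: dict, sp_headers: set) -> tuple:
    """Drop any client-supplied header whose translated CGI name collides
    with a header the SP itself sets (e.g. "Shib_Identity_Provider" vs
    "Shib-Identity-Provider"). Returns (clean_headers, dropped_names)."""
    protected = {cgi_name(h) for h in sp_headers}
    clean, dropped = {}, []
    for name, value in incoming_headers.items():
        if cgi_name(name) in protected:
            dropped.append(name)          # would be read back as the SP's value
        else:
            clean[name] = value
    return clean, dropped


# Constructed sample: header names the SP would set after a login.
SP_HEADERS = {"Shib-Identity-Provider", "Shib-Session-ID", "eppn"}

# Constructed sample request: two headers differ from the SP's names only
# in case or in '_' vs '-', so they translate to identical CGI names.
SAMPLE_REQUEST = {
    "Host": "sp.example.org",
    "Shib_Identity_Provider": "https://idp.example.org/idp",
    "EPPN": "someone@example.org",
    "Accept": "text/html",
}


def run_demo() -> dict:
    """Apply the check to the sample request and report what was dropped."""
    clean, dropped = spoof_check(SAMPLE_REQUEST, SP_HEADERS)
    return {"clean": clean, "dropped": sorted(dropped)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```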