Showing posts with label ssl. Show all posts
Showing posts with label ssl. Show all posts

08 February 2017

Google recaptcha behind a SSL Forward Proxy

If your machine/mobile device behind a SSL Forward Proxy, then there's a possibility that google recaptcha might not work on some browsers.

The reason is, the recaptcha tries to connect to 2 domains to do its work, and one of them is not so famous that you might not ever hit by the browser so there's a possibility that you can see such a message if you ever hit it:

But recaptcha connects to this server using AJAX calls, so it will not prompt.

So, you need to allow the link by opening the domain inside the browser (that you have problem not displaying recaptcha ) then take the risk and accept the new certificate.

The two domains are: https://www.google.com/ and https://www.gstatic.com/

Just opening the above 2 links in the browser that have the problem and accept the certificate will solve it.
Posted by at No comments:
Labels: , , , , ,

05 September 2016

shell script to import certificates into java cacerts

I am not the original author, I just some small enhancements



 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#! /bin/bash

if [ $# -eq 0 ]; then
    echo -e "usage: $0 <host>\nexample: $0 abc.com"
    exit -1
fi

KEYTOOL=../../bin/keytool
HOST=$1
PORT=443
KEYSTOREFILE=cacerts
KEYSTOREFILE_BKUP=$KEYSTOREFILE.`date '+%Y%m%d%H%M'`.'original'
KEYSTOREPASS=changeit

if [ ! -f $KEYSTOREFILE ]; then
    echo -e "You must run this script from the directory jdk/jre/lib/security"
    exit -1
fi

#backup the cacerts file
echo -e "\n\n**** BAKCING UP THE $KEYSTOREFILE TO $KEYSTOREFILE_BKUP ****\n\n"
cp $KEYSTOREFILE $KEYSTOREFILE_BKUP


# get the SSL certificate
echo -e "\n\n**** SAVING THE CERTIFCATE TO ${HOST}.cert ****\n\n"
openssl s_client -connect ${HOST}:${PORT} </dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${HOST}.cert

echo -e "\n\n**** USING keytool AT $KEYTOOL ****\n\n"

# create a keystore and import certificate
echo -e "\n\n**** IMPORTING THE CERTIFICATE... ****\n\n"
"$KEYTOOL" -import -noprompt -trustcacerts \
    -alias ${HOST} -file ${HOST}.cert \
    -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS}

echo -e "\n\n**** PRINTING THE CERTIFICATE AFTER IMPORTED ... ****\n\n"
# verify we've got it.
"$KEYTOOL" -list -v -keystore ${KEYSTOREFILE} -storepass ${KEYSTOREPASS} -alias ${HOST} | grep --color=always $HOST
Posted by at No comments:
Labels: , ,

29 May 2015

Configure tomcat (on HTTP) to work with HTTPS Load Balancer/Reverse Proxy

Introduction:

The following pattern is common when deploying java webapps on tomcat.

(HTTPS) LB/Reverse Proxy <--> (HTTP)Tomcat <--> Webapp

Usually, the HTTPS certificate is being installed on the Load Balancer/Reverse Proxy, then the LB/RP will communicate with internal tomcat on HTTP/AJP. (see References)

Note:

The following configurations is required only if LB/RP to connect to tomcat on HTTP.

If the communication done on AJP, then no configuration is required to pass HTTPS information to tomcat.
As one of the design goals of AJP is :
"Adding support for SSL, so that isSecure() and getScheme() will function correctly within the servlet container. The client certificates and cipher suite will be available to servlets as request attributes
(quote from https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)

Update:

If you use HTTP connector, still the below configuration is not required, just tell tomcat (thought the connector configurations), on which scheme the response should be returned by using:

<Connector protocol="HTTP/1.1" port="8081" proxyName="linux-server" proxyPort="443" scheme="https" secure="true"/>

references: 

There are 2 steps required in case of the communication done on HTTP:

1. On the LB/RP you need to configure it to send its http scheme (in this case https) as a request header to the tomcat servers.

In apache2, you may need to use the following line in apache2.conf (depends on your LB/RP)

RequestHeader add x-forwarded-proto “https”
2. On tomcat side, you need to tell it to use the protocol scheme of the LB/RP that is being sent in the headers.

To do so, you need to add the following valve to conf/server.xml
<Valve className="org.apache.catalina.valves.RemoteIpValve” 
    remoteIpHeader="x-forwarded-for” 
    proxiesHeader="x-forwarded-by” 
    protocolHeader="x-forwarded-proto" />
Also don't forget to add proxyName and proxyPort to the connector you will use to receive connections from the LB/RP like this;
<Connector port="8081" proxyName="my_web_server.com" proxyPort="80"/>

See sample server.xml

And thats it, just restart tomcat and it will work like expected.
Tested with Apache2 on ubuntu and tomcat8

 References:

https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp
https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Proxies_Support
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Proxy_Support
http://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
http://stackoverflow.com/questions/5741210/handling-x-forwarded-proto-in-java-apache-tomcat
http://support.citrix.com/article/CTX123676
https://www.wikiwand.com/en/List_of_HTTP_header_fields
http://serverfault.com/questions/181177/rewriting-302-app-server-redirect-urls-with-apache-proxy-in-the-middle
http://www.wikiwand.com/en/Reverse_proxy
https://www.mulesoft.com/tcat/tomcat-connectors
http://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
http://discussions.citrix.com/topic/315307-http-x-forwarded-proto/
Posted by at No comments:
Labels: , , , ,
Subscribe to: Posts (Atom)