[Question title]: Apache webserver with AJP connection to Tomcat - empty TLS attributes in request object
[Posted]: 2021-08-30 03:40:38
[Question description]:

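We use an Apache (2.4.41) web server as a reverse proxy for Tomcat (8.5), which runs a self-implemented load balancer. The Apache web server does the front-end TLS work and talks to Tomcat via AJP (mod_proxy_ajp). In our load balancer we use request.getAttributeNames() to evaluate the request attributes. For some time now, empty request attributes with the following keys have been showing up: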

  • org.apache.tomcat.util.net.secure_protocol_version
  • javax.servlet.request.key_size
  • javax.servlet.request.cipher_suite
  • javax.servlet.request.ssl_session_id

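I read the documentation and the source code, but could not figure out why these empty attributes are still present in the request. According to the javadoc of getAttributeNames() in Tomcat's Request, this method should not return most of the TLS-specific attributes: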

/**
 * Return the names of all request attributes for this Request, or an
 * empty <code>Enumeration</code> if there are none. Note that the attribute
 * names returned will only be those for the attributes set via
 * {@link #setAttribute(String, Object)}. Tomcat internal attributes will
 * not be included although they are accessible via
 * {@link #getAttribute(String)}. The Tomcat internal attributes include:
 * <ul>
 * <li>{@link Globals#DISPATCHER_TYPE_ATTR}</li>
 * <li>{@link Globals#DISPATCHER_REQUEST_PATH_ATTR}</li>
 * <li>{@link Globals#ASYNC_SUPPORTED_ATTR}</li>
 * <li>{@link Globals#CERTIFICATES_ATTR} (SSL connections only)</li>
 * <li>{@link Globals#CIPHER_SUITE_ATTR} (SSL connections only)</li>
 * <li>{@link Globals#KEY_SIZE_ATTR} (SSL connections only)</li>
 * <li>{@link Globals#SSL_SESSION_ID_ATTR} (SSL connections only)</li>
 * <li>{@link Globals#SSL_SESSION_MGR_ATTR} (SSL connections only)</li>
 * <li>{@link Globals#PARAMETER_PARSE_FAILED_ATTR}</li>
 * </ul>
 * The underlying connector may also expose request attributes. These all
 * have names starting with "org.apache.tomcat" and include:
 * <ul>
 * <li>{@link Globals#SENDFILE_SUPPORTED_ATTR}</li>
 * </ul>
 * Connector implementations may return some, all or none of these
 * attributes and may also support additional attributes.
 *
 * @return the attribute names enumeration
 */
 @Override
 public Enumeration<String> getAttributeNames() {

Maybe someone can shed some light on this. Thanks in advance!

[Question discussion]:

    Tags: apache tomcat reverse-proxy tls1.2 ajp


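    [Solution 1]:

    The Javadoc is not entirely correct: as you can see in the referenced source code, getAttributeNames does not list these internal attributes unless you have already called getAttribute for one of them: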

            if (!sslAttributesParsed && TLSUtil.isTLSRequestAttribute(name)) {
                coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE, coyoteRequest);
                attr = coyoteRequest.getAttribute(Globals.CERTIFICATES_ATTR);
                if (attr != null) {
                    attributes.put(Globals.CERTIFICATES_ATTR, attr);
                }
                attr = coyoteRequest.getAttribute(Globals.CIPHER_SUITE_ATTR);
                if (attr != null) {
                    attributes.put(Globals.CIPHER_SUITE_ATTR, attr);
                }
                ...
    

    [Discussion]:
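
A simplified model of the lazy population described in the answer above, added here as an example; it is not Tomcat's code and not part of the original answer. The class name, the `app.route` attribute and the empty-string values standing in for what the connector received are assumptions. It also shows a defensive view that treats empty values as absent when enumerating.

```java
import java.util.*;

// Simplified model of the lazy behaviour in the quoted snippet; NOT Tomcat's code.
public class LazyTlsAttributesDemo {
    // The four attribute names reported in the question.
    static final Set<String> TLS_NAMES = Set.of(
        "org.apache.tomcat.util.net.secure_protocol_version",
        "javax.servlet.request.key_size",
        "javax.servlet.request.cipher_suite",
        "javax.servlet.request.ssl_session_id");

    // Hypothetical stand-in for the connector-level request attributes.
    final Map<String, Object> connectorAttrs = new HashMap<>();
    // What getAttributeNames() enumerates.
    final Map<String, Object> attributes = new HashMap<>();
    boolean sslAttributesParsed = false;

    Object getAttribute(String name) {
        if (!sslAttributesParsed && TLS_NAMES.contains(name)) {
            // Mirrors the quoted logic: copy every non-null TLS attribute.
            for (String n : TLS_NAMES) {
                Object v = connectorAttrs.get(n);
                if (v != null) attributes.put(n, v); // "" is non-null, so it is copied
            }
            sslAttributesParsed = true;
        }
        return attributes.get(name);
    }

    Enumeration<String> getAttributeNames() {
        return Collections.enumeration(new TreeSet<>(attributes.keySet()));
    }

    // Defensive view for callers: drop null and empty-string values.
    static Map<String, Object> nonEmpty(LazyTlsAttributesDemo req) {
        Map<String, Object> out = new TreeMap<>();
        for (String n : Collections.list(req.getAttributeNames())) {
            Object v = req.attributes.get(n);
            if (v != null && !v.toString().isEmpty()) out.put(n, v);
        }
        return out;
    }

    public static void main(String[] args) {
        LazyTlsAttributesDemo req = new LazyTlsAttributesDemo();
        for (String n : TLS_NAMES) req.connectorAttrs.put(n, ""); // constructed sample values
        req.attributes.put("app.route", "node-1");                // constructed sample attribute
        System.out.println(Collections.list(req.getAttributeNames())); // before any TLS lookup
        req.getAttribute("javax.servlet.request.cipher_suite");        // triggers the copy
        System.out.println(Collections.list(req.getAttributeNames())); // TLS names now listed
        System.out.println(nonEmpty(req));                             // empty values skipped
    }
}
```

The same null-or-empty check can be applied to the real request object so that an empty `javax.servlet.request.cipher_suite` is never read as evidence that the front-end connection used TLS.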
