How should I configure my Elastic Beanstalk on AWS to allow encoded slashes in URLs? (Using -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true)
I've created a directory called .ebextensions with a file tomcat.config in top-level directory of my source bundle (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html) with the content:
commands:
  allow-encoded-slash:
    command: export CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
    cwd: /home/ec2-user
But it seems it has no effect, it doesn't appear in these dirs:
ls -la /tmp/deployment/application/ROOT/
ls -la /var/lib/tomcat7/webapps/ROOT/
We also tried to set the ALLOW_ENCODED_SLASH system property through the Edit Configuration dialog in the Elastic Beanstalk console. But, although the property seems to be present, Tomcat still doesn't let us use encoded slashes (%2F).
We think the ALLOW_ENCODED_SLASH system property is properly set because:
1) We see that property in the java command that starts Tomcat:
/usr/lib/jvm/jre/bin/java -DAWS_ACCESS_KEY_ID= -DAWS_SECRET_KEY= -DJDBC_CONNECTION_STRING= -DPARAM1= -DPARAM2= -DPARAM3= -DPARAM4= -DPARAM5= -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dhazelcast.native.client=true -Dcom.sun.management.jmxremote -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8765 -XX:MaxPermSize=256m -Xmx1024m -Xms256m -classpath :/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.awt.headless=true -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat7/temp -Djava.util.logging.config.file=/usr/share/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
2) And because we also get "true" when executing this from our web application:
System.getProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH")
Does anyone know why Tomcat is still rejecting encoded slashes?
For example, this URL should return a JSON saying "Application not found: A/1":
http://our-site/campaigns/application/A%2F1/udid/U1
But, instead, it says:
The requested URL /v1/campaigns/application/A/1/udid/U1 was not found on this server.
It's strange because we have tried the ALLOW_ENCODED_SLASH system property in a local Tomcat and it works fine.
Lately we tried another property. This one works both in my local Tomcat and in AWS:
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
I'm completely puzzled... :-/
Elastic Beanstalk has an Apache (I guess for the load balancer) in front of Tomcat, so Apache is the first to receive a request, and that is where you must indicate that slashes must not be decoded.
To achieve this, we have used this virtual host:
<VirtualHost *:80>
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://localhost:8080/ retry=0
    ProxyPassReverse / http://localhost:8080/
    ProxyPreserveHost on
    AllowEncodedSlashes NoDecode
    LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
    ErrorLog /var/log/httpd/elasticbeanstalk-error_log
    TransferLog /var/log/httpd/elasticbeanstalk-access_log
</VirtualHost>
This URL is helpful for configuring an EBS and its Apache: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html
Note that if you have an Apache httpd in front of Tomcat, both need to be configured to allow slashes.
For Tomcat, the property is -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true (best placed in CATALINA_OPTS in the Tomcat conf file).
For Apache, the directive AllowEncodedSlashes needs to be set to NoDecode. Furthermore, the ProxyPass directive needs to be set to nocanon, otherwise Tomcat will receive an encoded slash as %252F instead of %2F.
So the correct Apache configuration looks like this:
<VirtualHost *:80>
    ProxyPass / http://localhost:8080/ nocanon
    ProxyPassReverse / http://localhost:8080/ nocanon
    ProxyPreserveHost on
    AllowEncodedSlashes NoDecode
</VirtualHost>
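The two-hop behaviour described in the answers above, as an added example that is not part of the original posts: a Python model of what Apache forwards and what the web application finally sees for the question's URL under each combination of settings. The function names, the application decoding each path segment once, and the reduction of mod_proxy's canonicalisation to a single re-encoding step are assumptions of this example.

```python
import re
from urllib.parse import quote, unquote

ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)

def apache_forward(raw_path, allow_encoded_slashes="Off", nocanon=False):
    """Return (status, path sent to Tomcat) for a reverse-proxied request."""
    if allow_encoded_slashes not in ("Off", "NoDecode"):
        raise ValueError("this model covers only Off and NoDecode")
    if ENCODED_SLASH.search(raw_path) and allow_encoded_slashes == "Off":
        return 404, None              # httpd default: the request is refused
    if nocanon:
        return 200, raw_path          # raw URL is handed to the backend as-is
    # Without nocanon the proxy re-encodes the path it holds. Under NoDecode
    # that path still contains a literal "%2F", so its "%" becomes "%25".
    held = "%2F".join(unquote(p) for p in ENCODED_SLASH.split(raw_path))
    return 200, quote(held, safe="/")

def tomcat_segments(path, allow_encoded_slash=False):
    """Return (status, path segments) as the application decodes them."""
    if ENCODED_SLASH.search(path) and not allow_encoded_slash:
        return 400, None              # Tomcat default: %2F is rejected
    # Assumption: the application splits the raw path, then decodes each part.
    return 200, [unquote(s) for s in path.split("/") if s]

def end_to_end(raw_path, apache_mode, nocanon, tomcat_allow):
    """Chain both hops; the first non-200 status ends the request."""
    status, forwarded = apache_forward(raw_path, apache_mode, nocanon)
    if status != 200:
        return status, None
    return tomcat_segments(forwarded, tomcat_allow)

REQUEST = "/campaigns/application/A%2F1/udid/U1"   # path from the question

if __name__ == "__main__":
    cases = [("Off", False, True),        # question: only Tomcat configured
             ("NoDecode", False, True),   # first answer: no nocanon
             ("NoDecode", True, False),   # Apache fixed, Tomcat default
             ("NoDecode", True, True)]    # second answer: both configured
    for mode, nocanon, allow in cases:
        print(mode, nocanon, allow, end_to_end(REQUEST, mode, nocanon, allow))
```

In the first case the 404 comes from Apache before Tomcat is consulted, which is why setting only the Tomcat property changed nothing on Elastic Beanstalk while the same property worked on a local Tomcat with no proxy in front.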