RewriteValve does not work on HTTPS


RewriteValve does not work on HTTPS

happyhua
Best tomcat team,

Hereby I have a question about an issue I found by using RewriteValve on tomcat 9.30

The rewrite.config is very simple:

RewriteCond %{HTTP_HOST} =youkoop.com
RewriteRule ^.*$ https://www.youkoop.com [R=301,L]

All I want is just redirect a naked root domain to a www domain with HTTPS.

The redirection works on HTTP but not HTTPS.




https://youkoop.com => https://www.youkoop.com does not work



I believe that there is something wrong with RewriteValve, or probably related to the new sslhostconfig element, which is introduced from 8.5, because the same rule works before on tomcat 8.0.


Best regards,

Hua


P.S. I originally made a bug report here: https://bz.apache.org/bugzilla/show_bug.cgi?id=64112


Re: RewriteValve does not work on HTTPS

Olaf Kock

On 04.02.20 20:31, Hua Zhang wrote:

> Best tomcat team,
>
> Hereby I have a question about an issue I found by using RewriteValve
> on tomcat 9.30
>
> The rewrite.config is very simple:
>
> RewriteCond %{HTTP_HOST} =youkoop.com
> RewriteRule ^.*$ https://www.youkoop.com [R=301,L]
>
> All I want is just redirect a naked root domain to a www domain with
> HTTPS.
>
> The redirection works on HTTP but not HTTPS.
>
> http://youkoop.com => https://www.youkoop.com *works*
>
Note: Images don't get through in this mailing list. I can imagine what
"works" means, but for your next example: Please elaborate what "does
not work" means.
>
> *https*://youkoop.com => https://www.youkoop.com *does not work*

First thing to test: Does https://youkoop.com work without the redirect,
then with the "wrong" host name? Otherwise it might be as simple as a
misconfigured TLS host that's never invoked because of a certificate
mismatch.

Olaf


Re: RewriteValve does not work on HTTPS

happyhua
What I mean with the word 'works' is: the RewriteRule has been executed.

That is not the case with HTTPS. The rule has not been executed while the
RewriteCond is fulfilled.

Olaf Kock <[hidden email]> wrote on Tue, Feb 4, 2020 at 9:06 PM:

>
> On 04.02.20 20:31, Hua Zhang wrote:
> > Best tomcat team,
> >
> > Hereby I have a question about an issue I found by using RewriteValve
> > on tomcat 9.30
> >
> > The rewrite.config is very simple:
> >
> > RewriteCond %{HTTP_HOST} =youkoop.com
> > RewriteRule ^.*$ https://www.youkoop.com [R=301,L]
> >
> > All I want is just redirect a naked root domain to a www domain with
> > HTTPS.
> >
> > The redirection works on HTTP but not HTTPS.
> >
> > http://youkoop.com => https://www.youkoop.com *works*
> >
> Note: Images don't get through in this mailing list. I can imagine what
> "works" means, but for your next example: Please elaborate what "does
> not work" means.
> >
> > *https*://youkoop.com => https://www.youkoop.com *does not work*
>
> First thing to test: Does https://youkoop.com work without the redirect,
> then with the "wrong" host name? Otherwise it might be as simple as a
> misconfigured TLS host that's never invoked because of a certificate
> mismatch.
>
> Olaf
>
>

Re: RewriteValve does not work on HTTPS

Felix Schumacher
On 04.02.2020 22:16, Hua Zhang wrote:
> What I mean with the word 'works' is: the RewriteRule has been executed.
>
> That is not the case with HTTPS. The rule has not been executed while the
> RewriteCond is fulfilled.

Can you give us more information on your setup? Is there any
Proxy/Loadbalancer in front of your tomcat? If so, can you show us
details on that setup?
What is the value of the host request header in both cases?

Felix


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: RewriteValve does not work on HTTPS

happyhua
Thank you for the response. I am finally able to confirm the issue.

When I put the following line in comment, everything works fine. I mean as
expected.

<!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->

If the above line UpgradeProtocol is activated, I observe now at least two
weird situations.

1) As mentioned before, RewriteValve does not work as expected.
2) Besides it, I observed that the servlet behaves weirdly. According to the
log file it seems that a servlet is sometimes called *twice by one request*.

This is a snapshot of my log files. You can see that two https-443-exec are
called almost at the same time.

06-Feb-2020 13:38:04.676 SEVERE *[https-openssl-apr-443-exec-9]* org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [uploadServlet] in context with path [] threw exception
        org.apache.commons.fileupload.MultipartStream$MalformedStreamException: Stream ended unexpectedly
06-Feb-2020 13:38:04.999 SEVERE *[https-openssl-apr-443-exec-2]* org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [uploadServlet] in context with path [] threw exception
        org.apache.commons.fileupload.MultipartStream$MalformedStreamException: Stream ended unexpectedly


Best regards,

Hua


On Wed, Feb 5, 2020 at 2:15 PM Felix Schumacher <[hidden email]> wrote:

> On 04.02.2020 22:16, Hua Zhang wrote:
> > What I mean with the word 'works' is: the RewriteRule has been executed.
> >
> > That is not the case with HTTPS. The rule has not been executed while the
> > RewriteCond is fulfilled.
>
> Can you give us more information on your setup? Is there any
> Proxy/Loadbalancer in front of your tomcat? If so, can you show us
> details on that setup?
> What is the value of the host request header in both cases?
>
> Felix

Re: RewriteValve does not work on HTTPS

remm
On Thu, Feb 6, 2020 at 2:56 PM Hua Zhang <[hidden email]> wrote:

> Thank you for the response. I am finally able to confirm the issue.
>
> When I put the following line in comment, everything works fine. I mean as
> expected.
>
> <!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->
>
> If the above line UpgradeProtocol is activated, I observe now at least two
> weird situations.
>
> 1) As mentioned before, RewriteValve does not work as expected.
> 2) Besides it, I observed that the servlet behaves weirdly. According to the
> log file it seems that a servlet is sometimes called *twice by one
> request*.
>
> This is a snapshot of my log files. You can see that two https-443-exec are
> called almost at the same time.
>
> 06-Feb-2020 13:38:04.676 SEVERE *[https-openssl-apr-443-exec-9]* org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [uploadServlet] in context with path [] threw exception
>         org.apache.commons.fileupload.MultipartStream$MalformedStreamException: Stream ended unexpectedly
> 06-Feb-2020 13:38:04.999 SEVERE *[https-openssl-apr-443-exec-2]* org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [uploadServlet] in context with path [] threw exception
>         org.apache.commons.fileupload.MultipartStream$MalformedStreamException: Stream ended unexpectedly
>

Ok, so your problem seems to be about HTTP/2 rather than the rewrite valve:
HTTP/2 is usually not used without TLS and ALPN. You should continue to
post more details. Something you can try is use the NIO connector (with
OpenSSL or JSSE) rather than APR, it would be a more common configuration.

Rémy


Re: RewriteValve does not work on HTTPS

happyhua
Nope, I also tested it with NIO instead of APR, same issues happen.
RewriteValve does not function as expected. Besides it, there are also two
https-443-exec executed by one request.

There is definitely something wrong with Http2Protocol. And in this case it
results in a problem in RewriteValve.

And what kind of extra information do you want to have? I cannot send any
pictures in the email. You want the server.xml configuration? Except that
file, almost every other configuration file is untouched. No load balancer,
no proxy here. Just a straightforward connection to the tomcat instance.

Here is a remark: you can only reproduce the errors if Http2Protocol is indeed
activated, namely you see in the browser that the h2 protocol is used by the
request. In Eclipse, I cannot reproduce the issue, since I cannot get the h2
protocol working there.


Hua

Rémy Maucherat <[hidden email]> wrote on Thu, Feb 6, 2020 at 3:06 PM:

> On Thu, Feb 6, 2020 at 2:56 PM Hua Zhang <[hidden email]> wrote:
>
> > Thank you for the response. I am finally able to confirm the issue.
> >
> > When I put the following line in comment, everything works fine. I mean
> > as expected.
> >
> > <!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->
> >
> > If the above line UpgradeProtocol is activated, I observe now at least
> > two weird situations.
> >
> > 1) As mentioned before, RewriteValve does not work as expected.
> > 2) Besides it, I observed that the servlet behaves weirdly. According to the
> > log file it seems that a servlet is sometimes called *twice by one
> > request*.
> >
> > This is a snapshot of my log files. You can see that two https-443-exec
> > are called almost at the same time.
> >
> > 06-Feb-2020 13:38:04.676 SEVERE *[https-openssl-apr-443-exec-9]* org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [uploadServlet] in context with path [] threw exception
> >         org.apache.commons.fileupload.MultipartStream$MalformedStreamException: Stream ended unexpectedly
> > 06-Feb-2020 13:38:04.999 SEVERE *[https-openssl-apr-443-exec-2]* org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [uploadServlet] in context with path [] threw exception
> >         org.apache.commons.fileupload.MultipartStream$MalformedStreamException: Stream ended unexpectedly
> >
>
> Ok, so your problem seems to be about HTTP/2 rather than the rewrite valve:
> HTTP/2 is usually not used without TLS and ALPN. You should continue to
> post more details. Something you can try is use the NIO connector (with
> OpenSSL or JSSE) rather than APR, it would be a more common configuration.
>
> Rémy

Re: RewriteValve does not work on HTTPS

Pierre Chiu
I just want to concur I have the same issue.
Removing that one line upgradeprotocol
and rewrite works again.



On Thu, Feb 6, 2020 at 3:28 PM Hua Zhang <[hidden email]> wrote:

> Nope, I also tested it with NIO instead of APR, same issues happen.
> RewriteValve does not function as expected. Besides it, there are also two
> https-443-exec executed by one request.
>
> There is definitely something wrong with Http2Protocol. And in this case it
> results in a problem in RewriteValve.
>
> And what kind of extra information do you want to have? I cannot send any
> pictures in the email. You want the server.xml configuration? Except that
> file, almost every other configuration file is untouched. No load balancer,
> no proxy here. Just a straightforward connection to the tomcat instance.
>
> Here is a remark: you can only reproduce the errors if Http2Protocol is indeed
> activated, namely you see in the browser that the h2 protocol is used by the
> request. In Eclipse, I cannot reproduce the issue, since I cannot get the h2
> protocol working there.
>
>
> Hua

Re: RewriteValve does not work on HTTPS

Mark Thomas-2
The issue appears to be that the following RewriteCond does not match
when the request is served over HTTP/2 (with TLS) but it does if the
request is served over HTTP/1.1 with TLS.

RewriteCond %{HTTP_HOST} localhost

(Note the RewriteCond quoted at the start of this thread is invalid)

I'm wondering if this is related to the thread about
HttpServletRequest.getRemoteAddr() returning null at the start of a
request. It looks as if the request information may be being populated
too late.

Mark



On 06/02/2020 20:42, Pierre Chiu wrote:

> I just want to concur I have the same issue.
> Removing that one line upgradeprotocol
> and rewrite works again.

Re: RewriteValve does not work on HTTPS

Mark Thomas-2
On 06/02/2020 23:00, Mark Thomas wrote:

> The issue appears to be that the following RewriteCond does not match
> when the request is served over HTTP/2 (with TLS) but it does if the
> request is served over HTTP/1.1 with TLS.
>
> RewriteCond %{HTTP_HOST} localhost
>
> (Note the RewriteCond quoted at the start of this thread is invalid)
>
> I'm wondering if this is related to the thread about
> HttpServletRequest.getRemoteAddr() returning null at the start of a
> request. It looks as if the request information may be being populated
> too late.

Nope. Unrelated.

The root cause here is that the RewriteCond is looking for an HTTP Host
header but HTTP/2 does not have any such header.

HTTP/2 has the pseudo-header ":authority" that replaces the Host header.
While you could argue that a strict interpretation of the mod_rewrite
docs (since the rewrite valve aims to emulate a sub-set of mod_rewrite
behaviour) means that "host" != ":authority" I think the reasonable
thing to do in this instance is to look at the ":authority" value if the
request is using HTTP/2. I'll work on a patch.

Mark
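
The mismatch described in the message above, modelled as an added example (this is not Tomcat's RewriteValve source and not the patch Mark mentions): a lookup that consults only the Host header yields an empty %{HTTP_HOST} on an HTTP/2 request, so the condition never matches and the redirect is silently skipped, while an authority-aware lookup matches on both protocol versions. The class and method names, the example.test host and the rule are assumptions made for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added illustration, not Tomcat code. All class, method and host names
 * here are hypothetical.
 */
public class HttpHostResolution {

    /** Minimal request model: protocol version plus the fields as received. */
    static final class Request {
        final String protocol; // "HTTP/1.1" or "HTTP/2.0"
        final Map<String, String> fields = new LinkedHashMap<>();

        Request(String protocol) {
            this.protocol = protocol;
        }

        Request field(String name, String value) {
            // Field names are case-insensitive, so store them lower-cased.
            fields.put(name.toLowerCase(Locale.ROOT), value);
            return this;
        }
    }

    /** What %{HTTP_HOST} yields if only the Host header is consulted. */
    static String hostFromHeaderOnly(Request r) {
        return r.fields.getOrDefault("host", "");
    }

    /** For HTTP/2, use the ":authority" pseudo-header when present, else Host. */
    static String hostAuthorityAware(Request r) {
        if (r.protocol.startsWith("HTTP/2")) {
            String authority = r.fields.get(":authority");
            if (authority != null && !authority.isEmpty()) {
                return authority;
            }
        }
        return hostFromHeaderOnly(r);
    }

    /** RewriteCond with a regular-expression pattern tested against a value. */
    static boolean condMatches(String testValue, String condPattern) {
        return Pattern.compile(condPattern).matcher(testValue).find();
    }

    /** Redirect target if the condition holds, or null if the rule is skipped. */
    static String redirectFor(String httpHost) {
        // Constructed rule: bare example.test -> https://www.example.test
        return condMatches(httpHost, "^example\\.test$")
                ? "https://www.example.test"
                : null;
    }

    public static void main(String[] args) {
        // Constructed requests for the same site over both protocol versions.
        Request h1 = new Request("HTTP/1.1").field("Host", "example.test");
        Request h2 = new Request("HTTP/2.0").field(":authority", "example.test");

        for (Request r : new Request[] { h1, h2 }) {
            System.out.printf("%s header-only=%s authority-aware=%s%n",
                    r.protocol,
                    redirectFor(hostFromHeaderOnly(r)),
                    redirectFor(hostAuthorityAware(r)));
        }
    }
}
```

Any canonical-host or HTTPS-enforcing rule keyed on %{HTTP_HOST} deserves a check over both HTTP/1.1 and h2 after enabling the upgrade protocol, since the failure mode is a rule that stops firing without any error.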



Re: RewriteValve does not work on HTTPS

happyhua
Thank you for the information and fix, Mark.

On Fri, Feb 7, 2020 at 12:31 AM Mark Thomas <[hidden email]> wrote:

> On 06/02/2020 23:00, Mark Thomas wrote:
> > The issue appears to be that the following RewriteCond does not match
> > when the request is served over HTTP/2 (with TLS) but it does if the
> > request is served over HTTP/1.1 with TLS.
> >
> > RewriteCond %{HTTP_HOST} localhost
> >
> > (Note the RewriteCond quoted at the start of this thread is invalid)
> >
> > I'm wondering if this is related to the thread about
> > HttpServletRequest.getRemoteAddr() returning null at the start of a
> > request. It looks as if the request information may be being populated
> > too late.
>
> Nope. Unrelated.
>
> The root cause here is that the RewriteCond is looking for an HTTP Host
> header but HTTP/2 does not have any such header.
>
> HTTP/2 has the pseudo-header ":authority" that replaces the Host header.
> While you could argue that a strict interpretation of the mod_rewrite
> docs (since the rewrite valve aims to emulate a sub-set of mod_rewrite
> behaviour) means that "host" != ":authority" I think the reasonable
> thing to do in this instance is to look at the ":authority" value if the
> request is using HTTP/2. I'll work on a patch.
>
> Mark
>
>