How should I configure my ElasticBeanstalk on AWS to allow encoded slashes in URLs ? (Using -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true)
I've created a directory called .ebextensions with a file tomcat.config in top-level directory of my source bundle (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html) with the content:
commands:
allow-encoded-slash:
command: export CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true"
cwd: /home/ec2-user
But it seems it has no effect, it doesn't appear in these dirs:
ls -la /tmp/deployment/application/ROOT/
ls -la /var/lib/tomcat7/webapps/ROOT/
We also tried to set the ALLOW_ENCODED_SLASH system property through the Edit Configuration dialog in the Elastic Beanstalk console. But, although the property seems to be present, Tomcat still doesn't let us use encoded slashes (%2F).
We think the ALLOW_ENCODED_SLASH system property is properly set because:
1) We see that property in the java command that starts Tomcat:
/usr/lib/jvm/jre/bin/java -DAWS_ACCESS_KEY_ID= -DAWS_SECRET_KEY= -DJDBC_CONNECTION_STRING= -DPARAM1= -DPARAM2= -DPARAM3= -DPARAM4= -DPARAM5= -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true -Dhazelcast.native.client=true -Dcom.sun.management.jmxremote -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8765 -XX:MaxPermSize=256m -Xmx1024m -Xms256m -classpath :/usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.awt.headless=true -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat7/temp -Djava.util.logging.config.file=/usr/share/tomcat7/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
2) And because we also get "true" when executing this from our web application:
System.getProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH")
Does anyone know why Tomcat is still rejecting encoded slashes?
For example, this URL should return a JSON saying "Application not found: A/1":
http://our-site/campaigns/application/A%2F1/udid/U1
But, instead, it says:
The requested URL /v1/campaigns/application/A/1/udid/U1 was not found on this server.
It's strange because we have tried the ALLOW_ENCODED_SLASH system property in a local Tomcat and it works fine.
Lately we tried another property. This ones works both in my local Tomcat and in AWS:
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH
I'm completely puzzled... :-/
An ElasticBeanstalk has an apache (I guess for the Load Balancer) on front of Tomcat, so this is the first one who receives a request, and is where must be indicated that slashes must be not decoded.
In order to get this, we have used this virtualhost:
<VirtualHost *:80>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ retry=0
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
AllowEncodedSlashes NoDecode
LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
TransferLog /var/log/httpd/elasticbeanstalk-access_log
</VirtualHost>
This URL is helpful to configure an EBS and his apache http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With