From a5c34084e440f7c3b20c0e6e20767db44f3c365d Mon Sep 17 00:00:00 2001
From: Stephan Merker <stephan.merker@sap.com>
Date: Tue, 23 Jun 2026 12:51:34 +0200
Subject: [PATCH] fix #1289: allowSchemeMismatch=true for tomcat server.xml

Typically, tomcat runs behind a reverse proxy (gorouter) and TLS is terminated there. This leads to a scheme mismatch between the protocol reported in http headers and what tomcat actually sees. Due to  https://bz.apache.org/bugzilla/show_bug.cgi?id=70091 http2 routes don't work anymore with tomcat 10.1.55 and 11.0.22.

Fix is to configure allowSchemeMismatch='true' for UpgradeProtocol in server.xml.
Requires tomcat >=10.1.56 or 11.0.23.
---
 src/java/resources/files/tomcat/conf/server.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/java/resources/files/tomcat/conf/server.xml b/src/java/resources/files/tomcat/conf/server.xml
index b147786ba9..b7bf16948d 100644
--- a/src/java/resources/files/tomcat/conf/server.xml
+++ b/src/java/resources/files/tomcat/conf/server.xml
@@ -20,7 +20,7 @@
 
     <Service name='Catalina'>
         <Connector port='${http.port}' bindOnInit='false' connectionTimeout='20000' keepAliveTimeout='120000'>
-            <UpgradeProtocol className='org.apache.coyote.http2.Http2Protocol' />
+            <UpgradeProtocol className='org.apache.coyote.http2.Http2Protocol' allowSchemeMismatch='true'/>
         </Connector>
 
         <Engine defaultHost='localhost' name='Catalina'>