RE: Mod_SSL+Tomcat

[Cliff Woolley]

Cliff Woolley Central Systems Software Administrator Washington and Lee University http://www.wlu.edu/~jwoolley/   Work: (540) 463-8089 Pager: (540) 462-2303>>> [EMAIL PROTECTED] 06/06/00 03:54AM >>> >Include the mod_jserv/tomcat stuff in httpd.conf >in the SSL block ... >(ie between <IfDefine SSL> and </IfDefine>) Errr... not quite.  =-)  Anything within <IfDefine> is executed if that -D command line argument to apache is present.  So with your method, the jserv/tomcat stuff would be enabled if the -DSSL argument were given to apache, and disabled otherwise, regardless of whether the individual requestion *used* SSL or not.   The previous response had it right... put the configuration for the servlets/jsps within the <VirtualHost> block of the VirtualHost that requires SSL, like this:  (Note: my example uses the JServ directive "ApJServMount" to illustrate because I'm uncertain of the Tomcat syntax, though the idea is the same.)     <VirtualHost my.secure.site.com:443>      SSLEngine on    # other SSL commands    <Location />       SSLRequireSSL    </Location>      ApJServMount  /servlet  ajpv12://localhost:8007/myservletzone   </VirtualHost>     By these means, the servlet is only mapped into the namespace of the SSL-protected virtual host and no other.  Now, protecting direct access to port 8007 (ie, bypassing apache altogether) is another matter entirely.  =-)   Hope this helps.   --Cliff