Hi I am using the following set up Apache (1.3.22) with mod_ssl 2.8.5 to secure a website
some pages within that web site are actually java servlets run under Tomcat (4.0.1) via mod_webapp Apache and Tomcat are both running on the same machine So as I understand it what should happen is User connects to Apache via SSL (secure because its encrypted) Apache connects to Tomcat internally (sercure because it doesn't leave the machine - is this correct?) Tomcat runs the java pages to generate the html, sending it back to apache Apache send the html back to the user along the SSL connection I'm not 100% sure i'm right in saying that the connection between apache and tomcat is secure? Specifically when apache detects that it is sending a page that has come from a non-ssl source, it sends the browser a "insecure page" flag some how, which causes the brower (this happens in every browser) to try and access the page via http instead of https For example if I have a page https://www.test.com/webapp when webapp is a tomcat page the browser automatically attempts to access http://www.test.com/webapp which generates an apache generated error page "this page can only be viewed over https" if I then manually type in the "s" into the address now in the browsers address bar, then it will load the correct page. Is it possible (or even correct) to tell Apache that the Tomcat installation is safe, and to not send the insecure command to the browser? I need to use apache for SSL rather than the SSL in tomcat cause I need suppport for user certificates, which I believe tomcat does not offer Laurie -- ================================================== Laurie Robert Young [EMAIL PROTECTED] | [EMAIL PROTECTED] www.wildfalcon.com | www.doc.ic.ac.uk/~laurie ICQ UIN #20194782 ================================================== ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
