Re: Apache 2.2 and TomCat 6.0 using SSL

2010-02-26 Thread Cyrille Le Clerc
My mistake,

I meant x-forwarded-proto rather than x-forwarded-for.

Here is a sample of configuration where Apache adds the header
X-Forwarded-Proto and Tomcat RemoteIpValve handles it.

APACHE CONFIGURATION
====================
# 'myapplication' cluster
<Proxy balancer://myapplication>
   BalancerMember  http://node-1:8080 route=node-1
   ...
   BalancerMember  http://node-n:8080 route=node-n
</Proxy>

<VirtualHost _default_:80>
   # Declare X-Forwarded-Proto as http for incoming requests
   # ("set" overwrites any value sent by the client)
   RequestHeader set X-Forwarded-Proto http
   ...
</VirtualHost>

<VirtualHost _default_:443>
   # mod_ssl configuration
   SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCertificateFile /private/etc/apache2/server.crt
   SSLCertificateKeyFile /private/etc/apache2/server.key

   # Overwrite X-Forwarded-Proto declaration for port 443, requests are https
   RequestHeader set X-Forwarded-Proto https
   ...
</VirtualHost>
..
ProxyPreserveHost On
# The balancer name must match the <Proxy balancer://...> declared above
ProxyPass /mypath balancer://myapplication/mypath stickysession=JSESSIONID

TOMCAT CONFIGURATION
====================

<Server ...>
   ...
   <Service name="Catalina">
      <Connector ... />
      <Engine ...>
         <!-- Process X-Forwarded-For to get remote address and
              X-Forwarded-Proto to identify SSL requests -->
         <Valve className="org.apache.catalina.valves.RemoteIpValve"
                protocolHeader="X-Forwarded-Proto" />

         <!-- AccessLogValve must be declared after RemoteIpValve to
              get the remote address and the scheme https/http -->
         <Valve className="org.apache.catalina.valves.AccessLogValve"
                directory="logs" pattern="common" prefix="access_log."
                resolveHosts="false" suffix=".txt" />

         <Host ...>
            ...
         </Host>
      </Engine>
   </Service>
</Server>


Hope this helps,

Cyrille




On Thu, Feb 25, 2010 at 5:44 PM, Cyrille Le Clerc clecl...@apache.org wrote:

> Hello,
>
> We tried to detail precisely on a blog post named Tomcat, SSL,
> communications sécurisées et X-Forwarded-Proto (1) different
> solutions to handle SSL with Tomcat including decrypting https on the
> Apache layer. It is written in French but there are many schemas and
> it is Google Translate friendly.
>
> My preferred solution is to use the RemoteIpValve in Tomcat in
> addition with the X-Forwarded-For http header set in Apache httpd.
> Another solution is to create two connectors in Tomcat, a non secured
> one and a secured one.
>
> Please note that RemoteIpValve has been introduced in version 6.0.24
> of Tomcat and is available for previous versions in a separate jar
> (2).
>
> Hope this helps,
>
> Cyrille
>
> --
> Cyrille Le Clerc
> clecl...@xebia.fr
>
> (1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/
> (2) http://code.google.com/p/xebia-france/wiki/RemoteIpValve
>
> On Thu, Feb 25, 2010 at 4:56 PM, sikorsky rsm...@sikorsky.com wrote:
>
> > I'm new to Apache 2.2 and TomCat 6.0.  I thought I could use SSL on my Apache
> > web server and not need to have SSL on my TomCat applications.  Especially
> > since they are both on the same server.  I installed an Entrust Cert on my
> > Apache webserver and it works fine with https.  When I redirect to the
> > TomCat servlet I get a 404.  If I switch to http everything works fine.
> > Shouldn't I be able to use https/443 on my web server and http/8080 on the
> > app server without issue?  How?
> > --
> > View this message in context:
> > http://old.nabble.com/Apache-2.2-and-TomCat-6.0-using-SSL-tp27714427p27714427.html
> > Sent from the Tomcat - User mailing list archive at Nabble.com.
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
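
Added example (not part of the original thread, and not Tomcat's code): a simplified Python model of the decision RemoteIpValve makes with the configuration in the message above, showing when X-Forwarded-Proto is honoured and when it is ignored. The trusted-proxy range (loopback, because httpd and Tomcat share a host in this thread) and the sample requests are assumptions constructed for illustration; in the real valve the set of trusted peers is controlled by its internalProxies attribute.

```python
import ipaddress

# Assumption for this sketch: httpd and Tomcat share a host, so only
# loopback peers are trusted to supply forwarding headers.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]
REMOTE_IP_HEADER = "x-forwarded-for"    # valve attribute remoteIpHeader
PROTOCOL_HEADER = "x-forwarded-proto"   # valve attribute protocolHeader
HTTPS_VALUE = "https"                   # valve attribute protocolHeaderHttpsValue

def is_trusted(addr):
    """True if addr parses as an IP inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_request(peer_addr, headers, connector_port=8080):
    """Return (remote_addr, scheme, secure, server_port) as the webapp sees them."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    remote_addr, scheme, secure, port = peer_addr, "http", False, connector_port
    if not is_trusted(peer_addr):
        # Peer is not the proxy: every forwarding header is client-controlled.
        return remote_addr, scheme, secure, port
    # Walk X-Forwarded-For right to left; stop at the first untrusted hop.
    hops = [h.strip() for h in hdrs.get(REMOTE_IP_HEADER, "").split(",") if h.strip()]
    for hop in reversed(hops):
        remote_addr = hop
        if not is_trusted(hop):
            break
    proto = hdrs.get(PROTOCOL_HEADER)
    if proto is not None:
        secure = proto.strip().lower() == HTTPS_VALUE
        scheme, port = ("https", 443) if secure else ("http", 80)
    return remote_addr, scheme, secure, port

# Constructed sample requests: (peer address, request headers).
VIA_APACHE_443 = ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7",
                                "X-Forwarded-Proto": "https"})
VIA_APACHE_80 = ("127.0.0.1", {"X-Forwarded-For": "10.9.9.9, 203.0.113.7",
                               "X-Forwarded-Proto": "http"})
DIRECT_SPOOFED = ("198.51.100.9", {"X-Forwarded-For": "127.0.0.1",
                                   "X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    for name, req in [("via :443", VIA_APACHE_443), ("via :80", VIA_APACHE_80),
                      ("direct to :8080", DIRECT_SPOOFED)]:
        print(name, resolve_request(*req))
```

The third request is the case to watch in a deployment like this one: a client that reaches port 8080 directly can send any X-Forwarded-Proto it likes, so the header is only meaningful when the proxy overwrites it (`RequestHeader set`) and the backend accepts it only from the proxy's address.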



Re: Apache 2.2 and TomCat 6.0 using SSL

2010-02-26 Thread Christopher Schultz

Cyrille,

On 2/26/2010 4:22 AM, Cyrille Le Clerc wrote:
> I meant x-forwarded-proto rather than x-forwarded-for.
>
> Here is a sample of configuration where Apache adds the header
> X-Forwarded-Proto and Tomcat RemoteIpValve handles it.

I think the OP's question is /much/ more basic than how to track proxy
traversals.

-chris



Apache 2.2 and TomCat 6.0 using SSL

2010-02-25 Thread sikorsky

I'm new to Apache 2.2 and TomCat 6.0.  I thought I could use SSL on my Apache
web server and not need to have SSL on my TomCat applications.  Especially
since they are both on the same server.  I installed an Entrust Cert on my
Apache webserver and it works fine with https.  When I redirect to the
TomCat servlet I get a 404.  If I switch to http everything works fine. 
Shouldn't I be able to use https/443 on my web server and http/8080 on the
app server without issue?  How?
-- 
View this message in context: 
http://old.nabble.com/Apache-2.2-and-TomCat-6.0-using-SSL-tp27714427p27714427.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Apache 2.2 and TomCat 6.0 using SSL

2010-02-25 Thread Cyrille Le Clerc
Hello,

We tried to detail precisely on a blog post named Tomcat, SSL,
communications sécurisées et X-Forwarded-Proto (1) different
solutions to handle SSL with Tomcat including decrypting https on the
Apache layer. It is written in French but there are many schemas and
it is Google Translate friendly.

My preferred solution is to use the RemoteIpValve in Tomcat in
addition with the X-Forwarded-For http header set in Apache httpd.
Another solution is to create two connectors in Tomcat, a non secured
one and a secured one.

Please note that RemoteIpValve has been introduced in version 6.0.24
of Tomcat and is available for previous versions in a separate jar
(2).

Hope this helps,

Cyrille

--
Cyrille Le Clerc
clecl...@xebia.fr

(1) 
http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/
(2) http://code.google.com/p/xebia-france/wiki/RemoteIpValve

On Thu, Feb 25, 2010 at 4:56 PM, sikorsky rsm...@sikorsky.com wrote:

> I'm new to Apache 2.2 and TomCat 6.0.  I thought I could use SSL on my Apache
> web server and not need to have SSL on my TomCat applications.  Especially
> since they are both on the same server.  I installed an Entrust Cert on my
> Apache webserver and it works fine with https.  When I redirect to the
> TomCat servlet I get a 404.  If I switch to http everything works fine.
> Shouldn't I be able to use https/443 on my web server and http/8080 on the
> app server without issue?  How?
> --
> View this message in context:
> http://old.nabble.com/Apache-2.2-and-TomCat-6.0-using-SSL-tp27714427p27714427.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Apache 2.2 and TomCat 6.0 using SSL

2010-02-25 Thread Pid

On 25/02/2010 15:56, sikorsky wrote:

> I'm new to Apache 2.2 and TomCat 6.0.  I thought I could use SSL on my Apache
> web server and not need to have SSL on my TomCat applications.  Especially
> since they are both on the same server.  I installed an Entrust Cert on my
> Apache webserver and it works fine with https.  When I redirect to the
> TomCat servlet I get a 404.  If I switch to http everything works fine.
> Shouldn't I be able to use https/443 on my web server and http/8080 on the
> app server without issue?  How?

What are the exact versions of HTTPD and Tomcat?

How have you connected HTTPD to Tomcat, using mod_jk or mod_proxy?

Have you applied the connector configuration in the :80 HTTP host, also 
to the :443 HTTP host?



p




Re: Apache 2.2 and Tomcat 6.0 using SSL

2010-02-25 Thread Christopher Schultz

To whom it may concern,

On 2/25/2010 10:56 AM, sikorsky wrote:
> I'm new to Apache 2.2 and TomCat 6.0.  I thought I could use SSL on
> my Apache web server and not need to have SSL on my Tomcat
> applications.

You can.

> Especially since they are both on the same server.

This is not really relevant, but having them on the same server will
significantly improve performance.

> I installed an Entrust Cert on my Apache webserver and it works fine
> with https.

Great.

> When I redirect to the Tomcat servlet I get a 404.  If I switch to
> http everything works fine.

Your configuration must have something missing. Remember that the SSL
configuration of the server is separate from the non-SSL portion. If you
have JkMount or ProxyPass directives in the non-secure configuration,
you'll have to duplicate those in your SSL section.

-chris