Re: Apache HTTP + Tomcat + SSL
On Sep 30, 2013, at 8:20 AM, Leonardo Torres leonardotorr...@gmail.com wrote:

> Hi guys,
>
> I have the following structure : Apache HTTP (Proxy) -- Tomcat .
> So, I have configured SSL on Apache HTTP, how do I configure SSL in my application in Tomcat?

Need some more info here...

1.) What version of HTTPD & Tomcat are you using?
2.) Do you need SSL between HTTPD & Tomcat? or do you just want Tomcat to know that SSL has been terminated by HTTPD?
3.) How is HTTPD communicating with Tomcat? via AJP or HTTP?

Dan

> Thanks
> --
> Thank you,
> Leonardo Torres, MSc.
Re: Apache HTTP + Tomcat + SSL
Daniel Mikusa wrote:
> On Sep 30, 2013, at 8:20 AM, Leonardo Torres leonardotorr...@gmail.com wrote:
>
>> Hi guys,
>>
>> I have the following structure : Apache HTTP (Proxy) -- Tomcat .
>> So, I have configured SSL on Apache HTTP, how do I configure SSL in my application in Tomcat?
>
> Need some more info here...
>
> 1.) What version of HTTPD & Tomcat are you using?
> 2.) Do you need SSL between HTTPD & Tomcat? or do you just want Tomcat to know that SSL has been terminated by HTTPD?
> 3.) How is HTTPD communicating with Tomcat? via AJP or HTTP?
>
> Dan

and the reasons for the above judicious questions are :

browser -- SSL -- httpd + mod_proxy_http -- SSL or not -- Tomcat HTTP/HTTPS Connector
or
                  httpd + mod_proxy_AJP  -- not SSL    -- Tomcat AJP Connector
or
                  httpd + mod_jk         -- not SSL    -- Tomcat AJP Connector

2) SSL is expensive. Apache has to decrypt the browser communication anyway. Then if you use SSL between Apache and Tomcat, Apache has to re-encrypt the data, and Tomcat to re-decrypt it. That takes resources, so if you don't need it, don't do it.
Even if you use HTTP/AJP, httpd can pass on to Tomcat the received SSL headers, so Tomcat can inspect them.

3) AJP does not support SSL
Re: Apache HTTP + Tomcat + SSL
Currently, the communication between httpd and tomcat is via HTTP.

Tomcat version is 7.0.42

I have a resource within the tomcat that needs to be accessed via SSL, but the SSL is configured on HTTPD. How can I configure that ?

Excuse me, but I'm a newbie in server configuration.

--
Thank you,
Leonardo Torres, MSc.
Re: Apache HTTP + Tomcat + SSL
On Sep 30, 2013, at 9:24 AM, Leonardo Torres leonardotorr...@gmail.com wrote:

First, please don't top post. Reply at the bottom or inline, like I'm doing.

> Currently, the communication between httpd and tomcat is via HTTP.

Is that OK? Does it need to be encrypted?

> Tomcat version is 7.0.42
>
> I have a resource within the tomcat that needs to be accessed via SSL, but the SSL is configured on HTTPD. How can I configure that ?

From what you've said, requests to your HTTPD server have been secured with SSL. Those requests will then get forwarded to Tomcat via HTTP. If it is OK that this traffic (possibly on your internal LAN) is unencrypted then all you need to do is set up a RemoteIPValve in Tomcat.

https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

This will take header information provided by HTTPD and reconfigure the incoming request so that it knows about your HTTPD proxy. The upshot of this is that your application will now be able to check the request and see if it was secured with SSL.

Dan

> Excuse me, but I'm a newbie in server configuration.
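
The RemoteIpValve setup described in the message above, as an added example that is not part of the original thread. It assumes httpd and Tomcat run on the same host with Tomcat's HTTP connector on 127.0.0.1:8080; the addresses, ports and names are illustrative.

```xml
<!-- Added example, not from the thread.
     Assumed layout: httpd and Tomcat on one host, Tomcat HTTP connector on 127.0.0.1:8080.

     httpd side, inside the virtual host where SSL is already configured
     (needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers):

       <VirtualHost *:443>
         SSLEngine on
         # "set" replaces any X-Forwarded-Proto value the client sent itself
         RequestHeader set X-Forwarded-Proto "https"
         # mod_proxy_http adds X-Forwarded-For on its own
         ProxyPass        / http://127.0.0.1:8080/
         ProxyPassReverse / http://127.0.0.1:8080/
       </VirtualHost>
-->

<!-- Tomcat side: fragment of conf/server.xml -->
<Service name="Catalina">

  <!-- Plain HTTP connector bound to loopback, so only the local httpd can reach it.
       redirectPort is where Tomcat sends a request that hits a CONFIDENTIAL
       constraint without having arrived over SSL. -->
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
             connectionTimeout="20000" redirectPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

      <!-- The forwarded headers are honoured only when the TCP peer matches
           internalProxies (a regular expression); here that is the local httpd. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.0\.0\.1"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             httpsServerPort="443" />

    </Host>
  </Engine>
</Service>
```

With this in place `request.isSecure()` returns true and `request.getScheme()` returns `https` for requests that reached httpd over SSL, so a `CONFIDENTIAL` transport-guarantee in web.xml is satisfied. If `internalProxies` is widened or the connector listens on a routable address, any client that can reach port 8080 directly can send the header itself.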
Re: Apache HTTP + Tomcat + SSL
Hi.

Do not top-post on this list. If someone looks at your last message, he has to then scroll down the message to try to figure out what you are responding to. That is annoying.
So I moved your responses where they belong.

> On Mon, Sep 30, 2013 at 10:11 AM, André Warnier a...@ice-sa.com wrote:
>
>> Daniel Mikusa wrote:
>>> On Sep 30, 2013, at 8:20 AM, Leonardo Torres leonardotorr...@gmail.com wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I have the following structure : Apache HTTP (Proxy) -- Tomcat .
>>>> So, I have configured SSL on Apache HTTP, how do I configure SSL in my application in Tomcat?
>>>
>>> Need some more info here...
>>>
>>> 1.) What version of HTTPD & Tomcat are you using?
>
> Tomcat version is 7.0.42
>
>>> 2.) Do you need SSL between HTTPD & Tomcat? or do you just want Tomcat to know that SSL has been terminated by HTTPD?
>>> 3.) How is HTTPD communicating with Tomcat? via AJP or HTTP?
>
> Currently, the communication between httpd and tomcat is via HTTP.

Ok, but you have not answered the question entirely yet.
What is the Apache httpd proxy module that is used to communicate between Apache httpd and Tomcat ?
Can you copy here the Apache httpd configuration lines that have proxy in them ?

>>> Dan
>>
>> and the reasons for the above judicious questions are :
>>
>> browser -- SSL -- httpd + mod_proxy_http -- SSL or not -- Tomcat HTTP/HTTPS Connector
>> or
>>                   httpd + mod_proxy_AJP  -- not SSL    -- Tomcat AJP Connector
>> or
>>                   httpd + mod_jk         -- not SSL    -- Tomcat AJP Connector
>>
>> 2) SSL is expensive. Apache has to decrypt the browser communication anyway. Then if you use SSL between Apache and Tomcat, Apache has to re-encrypt the data, and Tomcat to re-decrypt it. That takes resources, so if you don't need it, don't do it.
>> Even if you use HTTP/AJP, httpd can pass on to Tomcat the received SSL headers, so Tomcat can inspect them.
>>
>> 3) AJP does not support SSL
>
> I have a resource within the tomcat that needs to be accessed via SSL, but the SSL is configured on HTTPD. How can I configure that ?
>
> Excuse me, but I'm a newbie in server configuration.

Understood, and that is not a sin.
The question is now : why does that application require HTTPS ?
An application usually doesn't care how it is accessed, except if some configuration of the application requires it to get some information from the SSL protocol (like a user certificate or so).
What does this application need ?
Re: Apache HTTP + Tomcat + SSL
Hi,

2013/9/30 André Warnier a...@ice-sa.com:
> Hi.
> [...]
> The question is now : why does that application require HTTPS ?
> An application usually doesn't care how it is accessed, except if some configuration of the application requires it to get some information from the SSL protocol (like a user certificate or so).
> What does this application need ?

I don't agree, the application should know how it is accessed, if only because some pages may require SSL (all pages under an auth-constraint) and others not, and it should not be delegated to apache but required at the tomcat level.
I really think that saying to an application "do not care about SSL it is our problem" will lead to all sorts of security incomprehension in the future.

Especially when it is as easy as adding a valve in server.xml to do so (as said by Daniel Mikusa), or if it is an option, configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side.

Cédric
Re: Apache HTTP + Tomcat + SSL
André,

On 9/30/13 9:40 AM, André Warnier wrote:
> Understood, and that is not a sin.
> The question is now : why does that application require HTTPS ?
> An application usually doesn't care how it is accessed, except if some configuration of the application requires it to get some information from the SSL protocol (like a user certificate or so).
> What does this application need ?

+1

If you just need encryption, that can be done in one of several ways. If you need access to the client's SSL certificate, then that requires some finer configuration (in some cases).

-chris
Re: Apache HTTP + Tomcat + SSL
Cédric,

On 9/30/13 10:06 AM, Cédric Couralet wrote:
> I don't agree, the application should know how it is accessed, if only because some pages may require SSL (all pages under an auth-constraint) and others not, and it should not be delegated to apache but required at the tomcat level.
> I really think that saying to an application "do not care about SSL it is our problem" will lead to all sorts of security incomprehension in the future.
>
> Especially when it is as easy as adding a valve in server.xml to do so (as said by Daniel Mikusa), or if it is an option, configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side.

Some solutions require nothing on the Tomcat site (hint: mod_jk does all this auto-magically).

-chris
Re: Apache HTTP + Tomcat + SSL
2013/9/30 Christopher Schultz ch...@christopherschultz.net:
> Cédric,
>
> On 9/30/13 10:06 AM, Cédric Couralet wrote:
>> Especially when it is as easy as adding a valve in server.xml to do so (as said by Daniel Mikusa), or if it is an option, configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side.
>
> Some solutions require nothing on the Tomcat site (hint: mod_jk does all this auto-magically).

I didn't say otherwise ("configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side").
I just reacted to the saying that an application could not care whether it was accessed with SSL or not, I think the choice of https over http is an application choice and it could be dangerous to say that it is not important for an application to think about it.
I agree with all the rest, just that sentence which made me uneasy (in lack of a better term).

Cédric
Re: Apache HTTP + Tomcat + SSL
Cédric Couralet wrote:
> I didn't say otherwise ("configuring AJP between tomcat and httpd, which then requires nothing on the tomcat side").
> I just reacted to the saying that an application could not care whether it was accessed with SSL or not,

that is not what I said.

> I think the choice of https over http is an application choice and it could be dangerous to say that it is not important for an application to think about it.

and that also not.

> I agree with all the rest, just that sentence which made me uneasy (in lack of a better term).

I said "An application *usually* doesn't care how it is accessed".
Most applications do not. Some do. But I would argue that this would not be such a good design, because it removes flexibility in the application. It would mean that the application then cannot work in a context where there is no need for strong security, and that you always pay the SSL penalty, even when you do not really need it.
The configuration around the webapp allows you to put whatever level of security you need, without having to change the application code.
Except in some cases, and that is why we were asking what *this* application really needs.

It is all in the nuance..
Re: Apache HTTP + Tomcat + SSL
> I said "An application *usually* doesn't care how it is accessed".
> Most applications do not. Some do. But I would argue that this would not be such a good design, because it removes flexibility in the application. It would mean that the application then cannot work in a context where there is no need for strong security, and that you always pay the SSL penalty, even when you do not really need it.
> The configuration around the webapp allows you to put whatever level of security you need, without having to change the application code.
> Except in some cases, and that is why we were asking what *this* application really needs.
>
> It is all in the nuance..

.., I will take some more English lessons :)

The confusion was that when I say application, I mean the code and the configuration (web.xml, context.xml). I already got in an argument with someone saying that httpd should be the one to force a request over https and the developer should not have to think about it, so I am a little quick to react on this.

Thank you for the clarification,
RE: Apache HTTP + Tomcat + SSL
> From: Alexander Diedler [mailto:[EMAIL PROTECTED]]
> What is the best practice to use SSL with a Frontend Apache Webserver and a mod_jk connected Tomcat? Define the SSL in Tomcat or in Apache Frontend?

In Apache httpd.

> Do the SSL functions have to be enabled on Tomcat?

No. In a pure mod_jk system, Tomcat will only have a mod_jk connector - no HTTP or HTTPS connectors at all.

- Peter