Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-19 Thread Christopher Schultz

Tezza,

On 10/19/2009 12:16 PM, Tezza wrote:
> Is this correct, what I have? that SSL need to be on Apache AND each
> Tomcat???

If you are always using HTTPS through Apache httpd, then you don't need
to configure it at all in Tomcat.

> Tomcat's server.xml
> ---
>   protocol="HTTP/1.1"

If you always use HTTPS, and you always use Apache httpd, you can remove
this <Connector> entirely from server.xml.

>SSLEnabled="true"
>   protocol="HTTP/1.1"

Same here: remove it if you are doing all your SSL through httpd.

>   SSLPassword="xxx"
>   SSLCertificateFile="X:/key/star_my_cert.crt"
>   SSLCertificateKeyFile="X:/key/my_key.key"
>   SSLCertificateChainFile="X:/key/digi.crt"

Once you remove your HTTPS configuration from Tomcat, you won't have to
provide any certificate information to Tomcat (unless you want to use
client certificates and validate them on the Tomcat side).

>  protocol="AJP/1.3"

This is the only <Connector> you need: AJP.

Hope that helps,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-19 Thread Tezza

Hi,

I installed SSL on Apache and now HTTPS works fine over mod_jk.

But now I got SSL installed on all servers, apache and each Tomcat (JBoss)
as well, see excerpt from my server.xml files from Tomcat. If I remove the
reference to the SSL certificate from server.xml, HTTPS via apache (mod_jk)
doesn't work. My apache and Tomcats are all on separate machines.

Is what I have correct, that SSL needs to be on Apache AND each
Tomcat???

I am concerned with this set up, thinking it may be doing SSL twice for each
request.


Tomcat's server.xml
---







Apache Configs
---
httpd-ssl.conf
-


ServerAdmin onlinead...@tisc.edu.au
DocumentRoot "/docs/admin.tisc.edu.au"
ServerName admin.tisc.edu.au
ServerAlias admin.tisc.edu.au

JkMountFile conf/uriworkermap.properties

SSLEngine on
SSLCertificateFile "C:/apache/key/star_cert.crt"
SSLCertificateKeyFile "C:/apache/key/cert_key.key"
SSLCertificateChainFile "C:/apache/key/chain_cert.crt"

 


-- 
View this message in context: 
http://www.nabble.com/SSL-HTTPS-forwarding-under-Apache-%2B-mod_jk-%2B-tomcat-tp17817647p25961156.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-13 Thread Tezza

Thanks heaps. I will attempt it and report back in a couple of days. I had a
hard time, for over a week now, trying to get these answers from our open
source support ppl.






Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-13 Thread Peter Crowther
2009/10/13 Tezza :
> So in server.xml, I can leave the  port="8443"...other other SSL related attributes.../> ???

If you want to, you can leave it.  It's an extra way into your server,
and might be considered an extra attack vector for a cracker, so you
might also want to remove it :-).

> Also, my current AJP connection is like this:
>
>     protocol="AJP/1.3"
>         emptySessionPath="true" enableLookups="false" redirectPort="8443"
> />
>
> Do I need another connector in server.xml for mod_jk worker to forward HTTPS
> traffic???

I'll leave that to one of the experts - I know the theory, but have
never had to maintain an AJP system in reality.

- Peter




Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-13 Thread Mark Thomas
Peter Crowther wrote:
> 2009/10/13 Tezza :
>> So in server.xml, I can leave the > port="8443"...other other SSL related attributes.../> ???
> 
> If you want to, you can leave it.  It's an extra way into your server,
> and might be considered an extra attack vector for a cracker, so you
> might also want to remove it :-).
> 
>> Also, my current AJP connection is like this:
>>
>>> protocol="AJP/1.3"
>> emptySessionPath="true" enableLookups="false" redirectPort="8443"
>> />
>>
>> Do I need another connector in server.xml for mod_jk worker to forward HTTPS
>> traffic???
> 
> I'll leave that to one of the experts - I know the theory, but have
> never had to maintain an AJP system in reality.

No, you don't need a separate connector to proxy SSL over AJP. The AJP
protocol is smart enough to pass along the SSL info Tomcat needs.

Mark







Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-13 Thread Tezza

Peter, thank you; this part is clear to me now. A few more clarifications:

> > and remove [certs] from tomcat servers???
> No need - they're not doing any harm, they just won't be used in your
> environment.

So in server.xml, I can leave the  ???

Also, my current AJP connection is like this:



Do I need another connector in server.xml for mod_jk worker to forward HTTPS
traffic???













Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-13 Thread Peter Crowther
[This should really be a new thread, but...]

2009/10/13 Tezza :
> I got 1 apache and 2 tomcat servers (all on different machines).
> I already got SSL set up on individual Tomcat machines to work on port 8443.
> There is no SSL installed on Apache.
> I got mod_jk installed on apache to forward "all" HTTP requests to tomcat
> servers for load balancing. It works fine.
>
> I like to also forward all HTTPS requests to tomcat servers.
>
> Question:
> Do I must install certificate (SSL) on apache server?

Yes.

> and remove from tomcat servers???

No need - they're not doing any harm, they just won't be used in your
environment.

> If possible: I prefer to leave SSL on tomcat servers, and just tell apache
> to forward all HTTPS to tomcats just like HTTP. My tomcat servers will
> handle the workload fine with https. Can it be done?

No.  If your clients use SSL to httpd, httpd must be able to handle
the SSL connection - mod_jk has no way of forwarding raw encrypted
data to Tomcat.  Therefore httpd must have SSL set up locally -
including the certificate.

- Peter




Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-10-12 Thread Tezza

Very useful information. Wondering if someone can help me out with a similar
query:

My current set up:

I got 1 apache and 2 tomcat servers (all on different machines).
I already got SSL set up on individual Tomcat machines to work on port 8443.
There is no SSL installed on Apache.
I got mod_jk installed on apache to forward "all" HTTP requests to tomcat
servers for load balancing. It works fine.

I like to also forward all HTTPS requests to tomcat servers.

Question:
Must I install a certificate (SSL) on the apache server? and remove it from the
tomcat servers???

If possible: I prefer to leave SSL on tomcat servers, and just tell apache
to forward all HTTPS to tomcats just like HTTP. My tomcat servers will
handle the workload fine with https. Can it be done? and how?

Thanks heaps,
Tezza









Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2009-02-10 Thread Bill Davidson

Bill Davidson wrote:
> André Warnier wrote:
>> By the way, the reason why I can't try it right now is that I just
>> don't have the application to try it with.  So whatever I mentioned
>> before (but which apparently so far seems ok) was purely by attempting
>> to understand the documentation. Beware.
>
> I tried it today.  I disabled my cookie hack and set JkExtractSSL to off.
> It seems to work fine.  Obviously, I want to do a lot more testing but
> initially, it seems to look good.


There's a problem.

Unfortunately, we have a servlet in our app that calls request.isSecure()
to make sure that it's on a secure connection and because of
"JkExtractSSL off" it doesn't know whether it's on a secure connection
or not.  request.isSecure() will always return false because mod_jk
no longer tells it anything about SSL.

So I'm back to hacking the cookie.

I really want to just get rid of httpd and run Tomcat standalone.





Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2008-06-17 Thread André Warnier


Bill Davidson wrote:
> André Warnier wrote:
>> By the way, the reason why I can't try it right now is that I just
>> don't have the application to try it with.  So whatever I mentioned
>> before (but which apparently so far seems ok) was purely by attempting
>> to understand the documentation. Beware.
>
> I tried it today.  I disabled my cookie hack and set JkExtractSSL to off.
> It seems to work fine.  Obviously, I want to do a lot more testing but
> initially, it seems to look good.


Thanks for the confirmation.
I should get going on the WiKi article I promised to write about all 
this stuff.  Maybe if I repeat the promise here it will shame me into 
doing it before we all forget what this was all about.


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2008-06-16 Thread Bill Davidson

André Warnier wrote:
> By the way, the reason why I can't try it right now is that I just
> don't have the application to try it with.  So whatever I mentioned
> before (but which apparently so far seems ok) was purely by attempting
> to understand the documentation. Beware.

I tried it today.  I disabled my cookie hack and set JkExtractSSL to off.
It seems to work fine.  Obviously, I want to do a lot more testing but
initially, it seems to look good.





Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2008-06-13 Thread André Warnier



Bill Davidson wrote:
> Rainer Jung wrote:
>> André Warnier wrote:
>>> And, again in other words, if this parameter was set to Off, and
>>> Tomcat generated a new session and a JSESSIONID session cookie for
>>> this session, that the cookie would thus not be marked secure ?
>>
>> Didn't try this. What do your tests say?
>
> Oooh!  I may want to try this.  I may not have needed to change my app
> at all.

Yep, I thought you might be interested.
But had this come up sooner, it would have deprived us of a lot of
interesting information.

By the way, the reason why I can't try it right now is that I just don't
have the application to try it with.  So whatever I mentioned before
(but which apparently so far seems ok) was purely by attempting to
understand the documentation. Beware.

And by the way, I do not know who's in charge of that, but should this
all turn out to be true, I think that a small addendum in the
"JkExtractSSL" item of the page
"http://tomcat.apache.org/connectors-doc/reference/apache.html"
might avoid a lot of soul-searching in the future.
Like the phrase :
If you set this parameter to "Off", then Tomcat will not know that the
browser-Apache connection took place under HTTPS, and will treat it as a
simple HTTP connection.  See ... for more details.


André






Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2008-06-13 Thread Christopher Schultz


Bill,

Bill Davidson wrote:
| Rainer Jung wrote:
|> André Warnier wrote:
|>> And, again in other words, if this parameter was set to Off, and
|>> Tomcat generated a new session and a JSESSIONID session cookie for
|>> this session, that the cookie would thus not be marked secure ?
|>
|> Didn't try this. What do your tests say?
|
| Oooh!  I may want to try this.  I may not have needed to change my app
| at all.

Just remember that any <security-constraint> that requires SSL will
break if you do this.

| Interesting.  I'm wondering if my old Apache 1.3.34+ssl & Tomcat 3.2.4
| combination involved any knowledge by Tomcat of Apache doing SSL?

I'm sure it did. I think the difference, as Bill Barker (IIRC) pointed
out, is that TC 4.0 and later now actually set the "secure" flag on
Cookie objects while earlier versions did not.

-chris





Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2008-06-13 Thread Bill Davidson

Rainer Jung wrote:
> André Warnier wrote:
>> And, again in other words, if this parameter was set to Off, and
>> Tomcat generated a new session and a JSESSIONID session cookie for
>> this session, that the cookie would thus not be marked secure ?
>
> Didn't try this. What do your tests say?

Oooh!  I may want to try this.  I may not have needed to change my app
at all.

> If your own knowledge about secure / non secure differs from the one
> of httpd (e.g. you use an ssl accelerator in front of httpd) and you
> want to present your own idea of secure / non secure via mod_jk to
> Tomcat, you can set JkHTTPSIndicator to the name of some httpd
> environment variable, and then set the environment variable depending
> on details of the request via mod_setenvif or mod_rewrite.
>
> But if you simply want to drop all ssl info, setting JkExtractSSL to
> off is right.

Interesting.  I'm wondering if my old Apache 1.3.34+ssl & Tomcat 3.2.4
combination involved any knowledge by Tomcat of Apache doing SSL?






Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2008-06-13 Thread Rainer Jung

André Warnier wrote:
> Hi List.
>
> (Indirect ref : previous thread "Moving from a very old Tomcat to a new
> Tomcat.")
>
> Ref : http://tomcat.apache.org/connectors-doc/reference/apache.html
> Item : JkExtractSSL
>
> Do I understand this right that this parameter JkExtractSSL (default On)
> controls whether Tomcat receives or not the information, through mod_jk,
> that the original request to Apache was made via HTTPS ?

Yes. It controls this plus if info about certificate, ssl session id,
key length etc. gets forwarded.

> Or, in other words, that if one wanted Tomcat "not to know" and handle
> the current session as a normal non-secure HTTP connection, one could
> just set this parameter to "Off" ?

Yes.

> And, again in other words, if this parameter was set to Off, and Tomcat
> generated a new session and a JSESSIONID session cookie for this
> session, that the cookie would thus not be marked secure ?

Didn't try this. What do your tests say?

Additional info:

If your own knowledge about secure / non secure differs from the one of
httpd (e.g. you use an ssl accelerator in front of httpd) and you want
to present your own idea of secure / non secure via mod_jk to Tomcat,
you can set JkHTTPSIndicator to the name of some httpd environment
variable, and then set the environment variable depending on details of
the request via mod_setenvif or mod_rewrite.

But if you simply want to drop all ssl info, setting JkExtractSSL to off
is right.

>  maybe separately 
> It is possible, but not mandatory, to let Tomcat know about the HTTPS
> nature of the original browser/Apache connection.
> This might be necessary/helpful in some scenarios (such as ?)

To be able to enforce security constraints.

> If "JkExtractSSL On" is used, then one may/must also pass additional
> HTTPS-related information from Apache to Tomcat via the
> "JkHTTPSIndicator", "JkCERTSIndicator", et al. directives.
>
> This is useful/required for (?)

First of all I think it's required by the servlet spec, so if we want to
present the developer a consistent environment either if using with
standalone Tomcat or mod_jk/Tomcat we need to forward the info to Tomcat.

> The general gist is that if for some reason, it is necessary to have
> Apache handle HTTPS connections anyway, and the connection between
> Apache and Tomcat is inherently secure, then there might be no reasons
> to "propagate" the HTTPS overhead to Tomcat, and one might as well
> handle it all at the Apache level.
>
> Or am I missing something ?

Be aware that there might be other ways into your app, like the default
Tomcat http connector. If you are sure you don't need the info and you
don't need to double check the security of the connection, you can
really disable using JkExtractSSL.


Regards,

Rainer

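Putting Rainer's JkHTTPSIndicator advice together with the JkExtractSSL discussion, here is an added httpd configuration (an example written for this page, not anyone's posted config) covering both the case where httpd terminates TLS itself and the SSL-accelerator case. Worker name, certificate paths, hostname and the X-Forwarded-Proto header name are assumptions.

```apache
# Added example, not from the thread. Both layouts forward to Tomcat
# over AJP with mod_jk; only the way "secure" is signalled differs.
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# Layout 1: httpd terminates TLS itself (Tezza's setup). mod_ssl sets
# the HTTPS environment variable, which is mod_jk's default
# JkHTTPSIndicator, so the default "JkExtractSSL On" is enough for
# request.isSecure() to be true in Tomcat and for a
# <security-constraint> with transport-guarantee CONFIDENTIAL to hold.
# +StdEnvVars additionally exposes SSL_SESSION_ID, SSL_CIPHER,
# SSL_CLIENT_CERT and SSL_CIPHER_USEKEYSIZE, the variables mod_jk
# forwards under its other default *Indicator names (the certificate,
# session id and key length Rainer mentions).
<VirtualHost _default_:443>
    ServerName app.example.test          # assumed hostname
    SSLEngine on
    SSLCertificateFile      conf/ssl/server.crt   # assumed paths
    SSLCertificateKeyFile   conf/ssl/server.key
    SSLCertificateChainFile conf/ssl/chain.crt
    SSLOptions +StdEnvVars
    JkExtractSSL On
    JkMount /app/* loadbalancer          # assumed worker name
</VirtualHost>

# Layout 2: a TLS accelerator in front of httpd speaks plain HTTP to
# port 80 and marks offloaded requests with "X-Forwarded-Proto: https"
# (assumed header). httpd itself sees no TLS, so HTTPS is never set and
# Tomcat would treat every request as plain HTTP. Point mod_jk at our
# own variable and derive it from the header via mod_setenvif.
<VirtualHost *:80>
    ServerName app.example.test
    # Trust the header only because this listener is reachable solely
    # from the accelerator; a client that can reach port 80 directly
    # could otherwise claim HTTPS over a plaintext connection.
    SetEnvIf X-Forwarded-Proto "^https$" FRONTEND_HTTPS=on
    JkExtractSSL     On
    JkHTTPSIndicator FRONTEND_HTTPS
    JkMount /app/* loadbalancer
</VirtualHost>

# In either layout "JkExtractSSL Off" silently drops all of this: Tomcat
# then sees plain HTTP, so request.isSecure() is false and the
# JSESSIONID cookie is not marked Secure, which is the breakage Bill hit.
```

mod_jk treats the indicator variable as "secure" only when its value is on, which is why the SetEnvIf sets FRONTEND_HTTPS=on rather than just defining it.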



SSL/HTTPS forwarding under Apache + mod_jk + tomcat

2008-06-13 Thread André Warnier

Hi List.

(Indirect ref : previous thread "Moving from a very old Tomcat to a new 
Tomcat.")


Ref : http://tomcat.apache.org/connectors-doc/reference/apache.html
Item : JkExtractSSL

Do I understand this right that this parameter JkExtractSSL (default On) 
controls whether Tomcat receives or not the information, through mod_jk, 
that the original request to Apache was made via HTTPS ?


Or, in other words, that if one wanted Tomcat "not to know" and handle 
the current session as a normal non-secure HTTP connection, one could 
just set this parameter to "Off" ?


And, again in other words, if this parameter was set to Off, and Tomcat 
generated a new session and a JSESSIONID session cookie for this 
session, that the cookie would thus not be marked secure ?


 maybe separately 

The above refers generally to the following kind of scenario.  It is 
also generally speaking a question to the specialists here. My purpose 
is to make sure I understand this whole thing correctly.


Scenario :

For whatever good reason, Apache is used as the front-end HTTP/HTTPS 
server and (possibly) serving some portion of the content itself, while 
some (or all) requests are being forwarded, through mod_jk, to a 
background Tomcat for content generation.
For whatever good reason also, the connection between the client 
(browser) and Apache is a HTTPS (encrypted) connection.


The connection between the front-end Apache and the back-end Tomcat 
through mod_jk is never secure (the AJP protocol does not support 
encryption).
In this scenario, it does not matter because this connection is deemed 
secure for other reasons (e.g. both are running on the same host, and 
Tomcat is set up so that it accepts only connections through Apache).


The unencrypted content, as generated and delivered by Tomcat back to 
Apache via mod_jk, will be forwarded back to the browser by Apache over 
the HTTPS connection, thus encrypted by Apache (generally speaking; in 
reality probably this happens in an underlying SSL connection layer).


It is possible, but not mandatory, to let Tomcat know about the HTTPS 
nature of the original browser/Apache connection. 
This might be necessary/helpful in some scenarios (such as ?)


To let Tomcat know that the original connection is HTTPS, one uses the 
"JkExtractSSL On" mod_jk directive. ("On" is the default value.)

To prevent Tomcat from knowing, one uses "JkExtractSSL Off".

If "JkExtractSSL On" is used, then one may/must also pass additional 
HTTPS-related information from Apache to Tomcat via the 
"JkHTTPSIndicator", "JkCERTSIndicator", et al. directives.

This is useful/required for (?)

The general gist is that if for some reason, it is necessary to have 
Apache handle HTTPS connections anyway, and the connection between 
Apache and Tomcat is inherently secure, then there might be no reasons 
to "propagate" the HTTPS overhead to Tomcat, and one might as well 
handle it all at the Apache level.

Or am I missing something ?


Thanks,
André

