Re: [PATCH] Tomcat 5.X connectors SSL Accelerator proxy support

2005-04-06 Thread jean-frederic clere
[EMAIL PROTECTED] wrote:
Dev Team,
Attached is a patch to address the Tomcat 5.X inability to specify a
secure proxy without an SSL connection. The goal is to specify
secure=true, scheme=https, proxyPort=443, and
proxyName=ssl-accelerator.domain.com on a plain HTTP Connector in
server.xml.
BTW: This proxy does not allow getting client certificates, does it?
I am not sure if this is the best, (or even acceptable),
solution, but it is the simplest I could come up with while not changing
the documented Tomcat 5.X Connector attributes. The configuration above
used to work with Tomcat 4.1, because the SSL support was never enabled
unless the <Factory/> tag was specified within the Connector
specification.
The approach here for Tomcat 5.X is to ignore the secure
attribute/property configuration in the underlying Http11Protocol instance
if the Connector is configured with either a proxyPort or proxyName and
there are no other explicit SSL configuration attributes specified. The
logic behind this choice is that use of an SSL Accelerator will imply a
proxied port and/or host and will not specify any SSL related options.
Furthermore, in the event a proxied SSL Connection was desired after all,
it will almost always require at least some keystore access configuration.
One possible variation might be to only ignore the secure configuration if
the proxyName is set; this might be preferable if simple port forwarding
on the host server is more prevalent than the use of SSL Accelerators,
(albeit potentially more confusing).
The patch is limited to the jakarta-tomcat-connectors module and should be
compatible with Tomcat 4.1 and Tomcat 5.X versions. It has been tested
only against Tomcat 5.0.30 so far. If someone on the Dev Team indicates that
this patch is acceptable, I can certainly proceed with Tomcat 4.1 and
Tomcat 5.5 testing... I just would like a sanity check first if at all
possible.
Note: I believe that the minor patch to o/a/coyote/Request.java has
already been performed against the Tomcat 5.5 main trunk by Remy, but was
missing on the Tomcat 5.0 branch.
Thanks for your consideration in advance,
Randy Watler
Finali-Convergys Corporation


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


[PATCH] Tomcat 5.X connectors SSL Accelerator proxy support

2005-04-02 Thread watler
Dev Team,

Attached is a patch to address the Tomcat 5.X inability to specify a
secure proxy without an SSL connection. The goal is to specify
secure=true, scheme=https, proxyPort=443, and
proxyName=ssl-accelerator.domain.com on a plain HTTP Connector in
server.xml. I am not sure if this is the best, (or even acceptable),
solution, but it is the simplest I could come up with while not changing
the documented Tomcat 5.X Connector attributes. The configuration above
used to work with Tomcat 4.1, because the SSL support was never enabled
unless the <Factory/> tag was specified within the Connector
specification.

The approach here for Tomcat 5.X is to ignore the secure
attribute/property configuration in the underlying Http11Protocol instance
if the Connector is configured with either a proxyPort or proxyName and
there are no other explicit SSL configuration attributes specified. The
logic behind this choice is that use of an SSL Accelerator will imply a
proxied port and/or host and will not specify any SSL related options.
Furthermore, in the event a proxied SSL Connection was desired after all,
it will almost always require at least some keystore access configuration.
One possible variation might be to only ignore the secure configuration if
the proxyName is set; this might be preferable if simple port forwarding
on the host server is more prevalent than the use of SSL Accelerators,
(albeit potentially more confusing).

The patch is limited to the jakarta-tomcat-connectors module and should be
compatible with Tomcat 4.1 and Tomcat 5.X versions. It has been tested
only against Tomcat 5.0.30 so far. If someone on the Dev Team indicates that
this patch is acceptable, I can certainly proceed with Tomcat 4.1 and
Tomcat 5.5 testing... I just would like a sanity check first if at all
possible.

Note: I believe that the minor patch to o/a/coyote/Request.java has
already been performed against the Tomcat 5.5 main trunk by Remy, but was
missing on the Tomcat 5.0 branch.

Thanks for your consideration in advance,

Randy Watler
Finali-Convergys Corporation


jakarta-tomcat-connectors-check-secure.patch.gz
Description: GNU Zip compressed data
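A server.xml fragment showing the Connector configuration the post describes, placed side by side with a Connector that terminates TLS itself. This is an added illustration, not code from the attached patch or from Tomcat's shipped server.xml; the host names, ports, keystore path and password are assumed values, and the comments describe how the rule proposed in the post (ignore secure="true" when proxyName/proxyPort are set and no SSL attributes are present) would treat each Connector.

```xml
<!-- Added illustration: an SSL-accelerator-fronted Tomcat 5.0 service.
     Host names, ports, keystore path and password are assumed values;
     this is not the patch itself nor Tomcat's default server.xml. -->
<Service name="Catalina">

  <!-- Plain HTTP connector behind the SSL accelerator.
       ssl-accelerator.domain.com terminates TLS on 443 and forwards
       clear HTTP to this host on 8080.

       secure="true" and scheme="https" make request.isSecure() and
       request.getScheme() report what the client actually used.
       proxyName/proxyPort make request.getServerName()/getServerPort()
       and any redirects point back at the accelerator, not at this host.

       Under the rule proposed in the patch: proxyName and proxyPort are
       set and there are no keystore/SSL attributes, so the underlying
       Http11Protocol leaves SSL uninitialised on port 8080 and accepts
       the accelerator's clear-text requests. Without the patch, as the
       post describes, secure="true" is enough to make Tomcat 5.X treat
       this as an SSL connector, which is the failure being fixed.

       Caveat: anything that can reach 8080 directly is also reported as
       "secure" to the web application, so restrict 8080 to the
       accelerator with a firewall or host ACL. -->
  <Connector port="8080"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" acceptCount="100"
             connectionTimeout="20000" disableUploadTimeout="true"
             secure="true"
             scheme="https"
             proxyName="ssl-accelerator.domain.com"
             proxyPort="443" />

  <!-- Contrast: a connector that really terminates TLS in Tomcat.
       It carries explicit SSL attributes (keystoreFile, keystorePass,
       clientAuth, sslProtocol), so the same rule keeps secure="true"
       in force and SSL is initialised exactly as before the patch.

       This is also the only place a client certificate could reach the
       web application: on the accelerator-fronted connector above, the
       TLS session, and any client certificate presented in it, ends at
       the accelerator and never reaches Tomcat. -->
  <Connector port="8443"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" acceptCount="100"
             disableUploadTimeout="true"
             scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/etc/tomcat5/keystore.jks"
             keystorePass="changeit" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

The two Connectors differ only in whether SSL attributes are present, which is exactly the signal the proposed rule keys on; the variation mentioned in the post (keying on proxyName alone) would treat the first Connector the same way, since it sets both.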