Adi,

You would prefer to have the SSL handshake occur with Apache, right? So I'm wondering, with Tomcat configured as a standalone SSL server, are you sure that Apache is doing the handshake, and not Tomcat?

> At this point it "works" but I had to make the non-intuitive leap of
> adding the SSL connector and thought others might benefit from knowing
> about it.

You can say that again. This might be the root of my SSL problem too, although it's hard to tell since we are using different Apache modules and I use Tomcat's role-based auth. I "kludged a fix in code" and am limited for time, so I may not attempt the exercise of getting Tomcat's SSL working.

Rich

-----Original Message-----
From: Aditya [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 15, 2002 1:07 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL redirects with mod_jk

On Mon, Apr 15, 2002 at 09:26:40AM -0400, Rich wrote:
> I'm curious about a few things. Why did you choose mod_jk over mod_webapp?

- I needed to send everything Apache receives to Tomcat
- We auto-add contexts to appbase and I don't need to update the config and
  restart Apache each time that happens

> And when you enabled the SSL connector, did you also add jsse and basically
> configure tomcat as a standalone SSL enabled server?

Yes, in order to get Tomcat running with the SSL connector, it had to have JSSE etc. -- for testing I'd already configured Tomcat with SSL standalone and a self-signed cert, and so that was straightforward.

At this point it "works" but I had to make the non-intuitive leap of adding the SSL connector and thought others might benefit from knowing about it.

Thanks,
Adi

> -----Original Message-----
> From: Aditya [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 14, 2002 3:47 PM
> To: [EMAIL PROTECTED]
> Subject: SSL redirects with mod_jk
>
>
> I have apache 1.3+mod_ssl and mod_jk (ajp13) "fronting" a Tomcat 4.0.3 server
> which has a servlet protected by:
>
>     <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>
> I assume that for performance reasons it would be best if I could run no
> connectors other than the AJP13 one.
>
> Ideally, calls to the above servlet as http should be redirected to the
> equivalent https page. To that end, I have, in my server.xml:
>
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
>                port="8009" minProcessors="30" maxProcessors="150"
>                acceptCount="10" debug="0"
>                enableLookups="false" redirectPort="443"
>                secure="false" scheme="http"
>                address="127.0.0.1"
>                tomcatAuthentication="true"/>
>
> however the redirect won't work (Status 500 error) unless I put in an HTTPS
> connector as well in server.xml (note that it doesn't have to be accessible at
> all, hence the 127.0.0.1, and port 8443 is blocked off, so it doesn't seem to
> play any part in the whole deal other than to signal to Tomcat that it can
> handle redirects to SSL):
>
>     <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.catalina.connector.http.HttpConnector"
>                address="127.0.0.1" port="8443" minProcessors="5"
>                maxProcessors="75"
>                enableLookups="false"
>                acceptCount="10" debug="0" scheme="https" secure="true">
>       <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>                clientAuth="false" protocol="TLS"
>                keystorePass="foo"/>
>     </Connector>
>
> (I tried putting in an additional ajp13 connector that mod_jk sent anything
> that showed up as SSL to, but that didn't work).
>
> Is this how it's supposed to work? If so, it should be documented
> somewhere...
>
> Thanks,
> Adi
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
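A practical check for the setup discussed in this thread, added here as an example (it is not code from the thread, from Tomcat or from mod_jk): request the CONFIDENTIAL-protected servlet over plain http and inspect what comes back. The port in the Location header is taken from the AJP connector's redirectPort, so the thing to verify is that the browser is sent to the port Apache's mod_ssl actually listens on (443 in Adi's configuration) and not to Tomcat's loopback-only 8443 connector, which is blocked, and that a 500 (Adi's symptom before the HTTPS connector was added) is reported as such. The hostname www.example.org, the path /secure/Account and the three response texts are constructed for the example.

```python
"""Check where a CONFIDENTIAL-constrained servlet behind Apache+mod_jk sends a
plain-http client.

Added example, not code from the thread or from Tomcat/mod_jk. Assumes the
layout in Adi's post: Apache/mod_ssl answers on 443, Tomcat's own HTTPS
connector is bound to 127.0.0.1:8443 and firewalled, and the AJP13 connector
has redirectPort="443". The sample responses below are constructed, not
captured from a real server.
"""
import socket
from urllib.parse import urlsplit

PUBLIC_HTTPS_PORT = 443       # port mod_ssl listens on (assumption)
PRIVATE_TOMCAT_PORT = 8443    # Tomcat's loopback-only SSL connector (from the post)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_confidential_redirect(raw: bytes, requested_url: str):
    """Return (ok, reason) for the response to a plain-http GET of a resource
    protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>."""
    status, headers = parse_response(raw)
    req = urlsplit(requested_url)
    if status == 500:
        return False, "500: container could not build the https redirect (no HTTPS connector / redirectPort)"
    if status not in (301, 302, 303, 307, 308):
        return False, f"expected a redirect, got {status}"
    loc = headers.get("location")
    if not loc:
        return False, "redirect without Location header"
    target = urlsplit(loc)
    if target.scheme != "https":
        return False, f"redirect target is not https: {loc}"
    if target.hostname != req.hostname:
        return False, f"redirect changes host to {target.hostname}"
    port = target.port or 443
    if port == PRIVATE_TOMCAT_PORT:
        return False, f"redirect points at Tomcat's private connector :{port}, clients will be blocked"
    if port != PUBLIC_HTTPS_PORT:
        return False, f"redirect points at :{port}, not the public TLS port"
    if target.path != req.path:
        return False, f"redirect drops or changes the path: {target.path!r}"
    return True, f"redirected to {loc}"


def fetch_raw(url: str, timeout: float = 5.0) -> bytes:
    """Send a bare HTTP/1.0 GET to the Apache front door and return the raw
    response. Only for use against a live server; the samples below are
    constructed so the check runs offline."""
    u = urlsplit(url)
    with socket.create_connection((u.hostname, u.port or 80), timeout=timeout) as s:
        s.sendall(f"GET {u.path or '/'} HTTP/1.0\r\nHost: {u.hostname}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed responses (not captured from a real server):
GOOD = (b"HTTP/1.1 302 Moved Temporarily\r\n"
        b"Location: https://www.example.org/secure/Account\r\n"
        b"Content-Length: 0\r\n\r\n")
LEAKS_8443 = (b"HTTP/1.1 302 Moved Temporarily\r\n"
              b"Location: https://www.example.org:8443/secure/Account\r\n"
              b"Content-Length: 0\r\n\r\n")
NO_SSL_CONNECTOR = (b"HTTP/1.1 500 Internal Server Error\r\n"
                    b"Content-Type: text/html\r\n\r\n<html>error</html>")

if __name__ == "__main__":
    url = "http://www.example.org/secure/Account"
    for name, raw in (("good", GOOD), ("leaks 8443", LEAKS_8443),
                      ("no HTTPS connector", NO_SSL_CONNECTOR)):
        print(f"{name}: {check_confidential_redirect(raw, url)}")
```

Against a live box, feed `fetch_raw("http://<apache host>/<protected path>")` to `check_confidential_redirect`. This only tells you where Tomcat redirects to; it does not answer Rich's question about which process performs the handshake. For that, point `openssl s_client -connect <host>:443` at the public port and compare the certificate it prints with the self-signed one in Tomcat's keystore: if they differ, Apache/mod_ssl is terminating TLS and the 8443 connector is only there so Tomcat will emit the redirect.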