Cool! I didn't have time this morning to do a test, so I was winging it. Thanks for the verification.
John

> -----Original Message-----
> From: Milt Epstein [mailto:mepstein@uiuc.edu]
> Sent: Thursday, October 31, 2002 12:22 PM
> To: Tomcat Users List
> Subject: RE: Tomcat SSL w/ Apache
>
> On Thu, 31 Oct 2002, Turner, John wrote:
>
> > If you are using Tomcat + Apache, the activity between Tomcat and
> > Apache on the connector is not secure. It is not encrypted.
> >
> > SSL Request -> Apache -> Decrypted by Apache -> Sent to Connector ->
> > Sent to Tomcat on Connector port -> reply back to Apache -> Response
> > encrypted by Apache -> SSL Response to Client
> >
> > As far as Tomcat is concerned, the request isn't secure...all Tomcat
> > sees is a typical request on a connector port. Perhaps there is
> > some code in isSecure() that can differentiate, but I would be
> > surprised if there was.
>
> Surprise!
>
> The isSecure() check (as well as getScheme()) refers to the original
> request. So, all of what you say otherwise is correct, but isSecure()
> (and getScheme()) should reflect what was true of the original
> request, whether it came to Apache or Tomcat.
>
> I verified this using SnoopServlet in the Tomcat distrib examples
> context. On a machine I have, I have that available to both my http
> and https web server hosts/instances. Then I tried the URLs:
>
> http://www.machinename.com//examples/snoop
> https://www.machinename.com//examples/snoop
>
> (snoop is mapped to SnoopServlet in the examples context
> web.xml file.)
>
> For the first URL, "Scheme" (which shows the value of getScheme()) was
> "http", and "Request Is Secure" (which shows the value of isSecure())
> was "false". For the second, the values were "https" and "true",
> respectively.
>
> Now, one caveat I'll add is that this is with 4.0.4. I imagine it's
> possible that this behavior changed between versions. But it would
> seem an odd change, because it's a major change to a basic behavior
> (and one that I think goes against the spec). Further, some
> tomcat-dev people post to this list, so I would've thought they'd have
> commented if this were the case.
>
> I didn't respond directly to Randy's note because I didn't have any
> idea what might be causing the problem. It's possible that there is
> some configuration that needs to be set to get this behavior. But
> from a quick glance at my configuration, I didn't see what that might
> be.
>
> Oh, I just did a search of the archives (at marc.theaimsgroup.com),
> and it looks like someone brought up this same issue quite recently (and
> I think I was combining/confusing the two threads). There was only
> one followup to the initial response there (the subject was "Possible
> bug with isSecure()/getScheme() methods in tomcat 4."), which said:
>
> IIRC there is a bug in the coyote connector in TC 4.1.10.
>
> You have to use the org.apache.ajp.tomcat4.Ajp13Connector connector
> and set an attribute tomcatAuthentication="false" to achieve the
> result you desire.
>
> In fact, I am using the Ajp13Connector, and I do have
> tomcatAuthentication set to false (that's to allow the authentication
> to be done by Apache, but maybe there's some interaction there). So
> there are a couple of things to try to see if it has any effect.
>
> > > -----Original Message-----
> > > From: Randy Secrist [mailto:tomcat@secristfamily.com]
> > > Sent: Wednesday, October 30, 2002 5:24 PM
> > > To: Tomcat Users List
> > > Subject: Re: Tomcat SSL w/ Apache
> > >
> > > I played around with the config for a few hours today - didn't get any
> > > results. Having read that about name based hosting before, I
> > > switched to IP based vhosting... - after popping in a few network cards...
> > >
> > > What happens now is the same as before...
> > >
> > > 1) I switch to HTTPS - and I get the standard warning about self signed
> > > certificates...
> > > 2) I accept it...
> > > 3) Tomcat gets and compiles the request...showing isSecure is false...when
> > > it should be true
> > > 4) And apache feeds me the page via https, and the browser reports secure
> > > transmission.
> > > 5) I check Apache's logs... (No errors in SSL via apache side..)
> > > Tomcat's logs were garbled until I cleaned up my virtual host files -
> > > but now they appear to be fine... - no errors.
> > >
> > > Somewhere in there, Tomcat is getting the request - because it compiles the
> > > JSP directives, and returns false when calling <%=request.isSecure()%>
> > > However as noted above - this happens when using https! If I do the same
> > > thing on my linux box - it works just fine - (albeit I didn't compile apache
> > > myself on that thing... - but that shouldn't matter - because SSL does
> > > work - just NOT with Tomcat...)
> > >
> > > Here is the relevant part of my httpd.conf...
> > > - note - NameVirtualHost * is commented out prior to this... - does
> > > _default_:443 - mean it is still trying to use a default named Vhost, or a
> > > default IP?
> > >
> > > <IfModule mod_ssl.c>
> > > <VirtualHost _default_:443>
> > > DocumentRoot c:/web/Tomcat-4-1/webapps/ROOT
> > > ErrorLog logs/ssl-error_log
> > > TransferLog logs/ssl-access_log
> > > SSLEngine on
> > > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > SSLCertificateFile conf/ssl/myDomain.cert
> > > SSLCertificateKeyFile conf/ssl/myDomain.key
> > > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> > > CustomLog logs/ssl_request_log \
> > > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > > RewriteEngine On
> > > RewriteOptions inherit
> > > </VirtualHost>
> > > </IfModule>
> > >
> > > ----- Original Message -----
> > > From: "Robert L Sowders" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, October 30, 2002 12:51 AM
> > > Subject: Re: Tomcat SSL w/ Apache
> > >
> > > > The configuration you describe for virtual hosts is correct except that
> > > > for SSL to work correctly in Apache you have to use IP based virtual
> > > > hosting. Name based virtual hosting will give you errors. See
> > > > http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> > > >
> > > > rls
> > > >
> > > > "Randy Secrist" <[EMAIL PROTECTED]>
> > > > 10/29/2002 07:58 PM
> > > > Please respond to "Tomcat Users List"
> > > >
> > > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > > cc:
> > > > Subject: Tomcat SSL w/ Apache
> > > >
> > > > I have an interesting problem that I don't know much about. I am
> > > > integrating Apache with Tomcat using mod_jk - and I have it mostly
> > > > working. The only real problem I have left - is getting SSL - which
> > > > appears to be working with Apache - to work with Tomcat.
> > > >
> > > > I have both HTTP connectors disabled in Tomcat. The only connector I
> > > > have up is Coyote's AJP on 8009. (Via tomcat 4.1.12).
> > > >
> > > > When I switch to https and accept my self generated certificate, the
> > > > browser returns the compiled jsp page, without any non secure warnings...
> > > > - but if I call <%=request.isSecure()%> - it returns FALSE - even though I
> > > > am using HTTPS. I'm not sure why this could be happening.
> > > >
> > > > In Apache - I have 2 virtual hosts mapped to the same domain name - on
> > > > different ports - because I couldn't get it to work right with just one.
> > > >
> > > > mydomain.com:80
> > > > and
> > > > mydomain.com:443 (with all my SSL directives...)
> > > >
> > > > Could anyone offer advice?
> > > >
> > > > Randy
>
> Milt Epstein
> Research Programmer
> Integration and Software Engineering (ISE)
> Campus Information Technologies and Educational Services (CITES)
> University of Illinois at Urbana-Champaign (UIUC)
> [EMAIL PROTECTED]

--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
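Added example, not from this thread and not Tomcat's or mod_jk's own code: a Python encoder and decoder for the AJP13 "forward request" packet, the message mod_jk sends from Apache to the connector on 8009 for every request. It shows what the thread is arguing about: the hop itself is plaintext (the URI and headers are readable bytes on the wire, as John says), yet the packet carries an is_ssl byte plus SSL_CIPHER/SSL_KEY_SIZE attributes that Tomcat uses for isSecure() and getScheme(), which is why Milt's snoop test reports "https" / "true". The field layout follows the AJP13 protocol description; the host name, cipher, key size and user name are constructed sample values, and servlet_view is a hypothetical helper that mimics what the servlet API would report, not a Tomcat class.

```python
"""AJP13 forward-request packet: encode it the way mod_jk does on the Apache
side, decode it the way Tomcat's AJP connector does.  Added example with
constructed sample values; not code from the thread, Tomcat or mod_jk."""
import struct

AJP_MAGIC_TO_TOMCAT = b"\x12\x34"     # container-bound packets start 0x1234
JK_AJP13_FORWARD_REQUEST = 2
METHOD_CODES = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHOD_CODES.items()}

# Request-attribute codes from the AJP13 layout (the subset used here).
ATTR_REMOTE_USER, ATTR_AUTH_TYPE, ATTR_QUERY_STRING = 0x03, 0x04, 0x05
ATTR_SSL_CERT, ATTR_SSL_CIPHER, ATTR_SSL_SESSION = 0x07, 0x08, 0x09
ATTR_SSL_KEY_SIZE, ATTR_TERMINATOR = 0x0B, 0xFF

# Well-known header names travel as 0xA0xx codes rather than strings.
HEADER_CODES = {"accept": 0xA001, "host": 0xA00B, "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}


def _enc_string(s):
    """AJP string: 2-byte length, bytes, NUL terminator; 0xFFFF means null."""
    if s is None:
        return b"\xff\xff"
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def encode_forward_request(method, uri, server_name, server_port, is_ssl,
                           headers, attributes=(), remote_addr="10.0.0.5",
                           protocol="HTTP/1.1"):
    """Build the packet Apache/mod_jk sends to Tomcat for one request."""
    body = bytearray([JK_AJP13_FORWARD_REQUEST, METHOD_CODES[method]])
    for s in (protocol, uri, remote_addr, None, server_name):  # None = remote_host
        body += _enc_string(s)
    body += struct.pack(">H", server_port)
    body.append(1 if is_ssl else 0)        # the byte behind request.isSecure()
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else _enc_string(name)
        body += _enc_string(value)
    for code, value in attributes:         # SSL details and remote_user ride here
        body.append(code)
        body += (struct.pack(">H", value) if code == ATTR_SSL_KEY_SIZE
                 else _enc_string(value))
    body.append(ATTR_TERMINATOR)
    return AJP_MAGIC_TO_TOMCAT + struct.pack(">H", len(body)) + bytes(body)


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def raw_string(self, n):
        s = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n + 1                  # skip the trailing NUL
        return s

    def string(self):
        n = self.u16()
        return None if n == 0xFFFF else self.raw_string(n)


def decode_forward_request(packet):
    """Parse a forward request the way the connector does; raise on bad framing."""
    if packet[:2] != AJP_MAGIC_TO_TOMCAT:
        raise ValueError("not a container-bound AJP packet")
    length = struct.unpack(">H", packet[2:4])[0]
    r = _Reader(packet[4:4 + length])
    if r.byte() != JK_AJP13_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[r.byte()], "protocol": r.string(),
           "uri": r.string(), "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(),
           "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        first = r.u16()                    # either a 0xA0xx code or a string length
        if first >> 8 == 0xA0:
            name = HEADER_NAMES.get(first, "0x%04x" % first)
        else:
            name = r.raw_string(first)
        req["headers"][name] = r.string()
    while (code := r.byte()) != ATTR_TERMINATOR:
        req["attributes"][code] = r.u16() if code == ATTR_SSL_KEY_SIZE else r.string()
    return req


def servlet_view(req):
    """Hypothetical helper: what the servlet API reports for the decoded request.
    isSecure()/getScheme() come from is_ssl; with tomcatAuthentication="false"
    getRemoteUser() is taken from the remote_user attribute as Apache sent it."""
    return {"isSecure": req["is_ssl"],
            "getScheme": "https" if req["is_ssl"] else "http",
            "getRemoteUser": req["attributes"].get(ATTR_REMOTE_USER),
            "SSL_CIPHER": req["attributes"].get(ATTR_SSL_CIPHER)}


if __name__ == "__main__":
    # Constructed sample: the https snoop request from the thread as mod_jk would send it.
    pkt = encode_forward_request(
        "GET", "/examples/snoop", "www.machinename.com", 443, True,
        [("Host", "www.machinename.com")],
        [(ATTR_SSL_CIPHER, "RC4-MD5"), (ATTR_SSL_KEY_SIZE, 128), (ATTR_REMOTE_USER, "milt")])
    print(pkt.hex(" "))                    # URI and headers readable: this hop is plaintext
    print(servlet_view(decode_forward_request(pkt)))
```

Two points follow from the bytes. First, both sides of the thread are right: nothing on the Apache-to-Tomcat hop is encrypted, but the connector is told whether the client side was, so isSecure() is a statement about the original request, not about port 8009. Second, with tomcatAuthentication="false" the same packet also carries the remote_user that Tomcat will trust, so anything that can write to the AJP port can claim any scheme and any user; keep that port bound to an interface only Apache can reach.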
