Hello Olaf, We have tried yours as well as Chris's suggestions, but in both the cases the functionality of the application is lost.
We have installed apace and configured mod_jk connector along with a load-balancer for 2 tomcat servers. We were able to successfully start apache and we got the login page of our application hosted on it, but the functionality is lost. For example, when we hit login button on home page, nothing happens. Also, we tried access some specific web page using a direct url, we ended up with an error. Do you have any suggestion for me so that we can achieve the exact same functionality that we had without apache in the front? Regards, Mohammad Nayeem -----Original Message----- From: Olaf Kock [mailto:tom...@olafkock.de] Sent: 31 May 2017 16:38 To: Tomcat Users List <users@tomcat.apache.org> Subject: [External] Re: Security Headers Implementation in Tomcat 6.x version Am 29.05.2017 um 13:34 schrieb Shaik, Mohammad N.: > Hello Olaf, > > Thanks for your response! > > Based on your inputs, we are thinking to put Apache httpd in front of Tomcat 6 server, since our header configuration is going to be static. > > Can you please help us in identifying which version of Apache HTTP Server we can use for Tomcat 6 version? Also, it will be great if you can share some guidelines on how to implement Apache in front of Tomcat. For completeness sake I'd like to answer a few of these questions, rather briefly. It seems that you're deep into implementing Christopher's solution of compiling the newer filters for Tomcat 6. Every current Apache httpd is fine, no version restriction. Especially: Choose one that will get updates for quite a while, not like the outdated Tomcat version you're running. Read on mod_proxy, mod_proxy_ajp, mod_jk and mod_proxy_http, which are all keywords on the connection between Apache and tomcat. Once you've set this up, setting the headers is a matter of adding the "Header" directive to httpd's configuration. I understand though, that setting up the connection can be some task if you've never done that. Especially if you're using https, and also refer to it in your webapp's code (e.g. to validate client certs) - but as you give no clue you're doing that, I'm assuming you don't and the setup would be easy. Anyway, feel free to utilize the newer code - I just wanted this information to be in this thread as well. However, once you're done with it: Utilize even more newer code and prepare to migrate away from your discontinued tomcat version. Olaf --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org