Thanks for the advice, the <transport-guarantee> 'tip' was exactly what I needed. I
now have the following configuration:

server.xml:
 <Service name="Catalina">
   <Connector port="80" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="443" />
   <Connector 
        port="443" minSpareThreads="5" maxSpareThreads="75"
        enableLookups="true" disableUploadTimeout="true" 
        acceptCount="100"  maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/path/keystore" keystorePass="********"
        clientAuth="false" sslProtocol="TLS"/>

   <Engine name="Catalina" defaultHost="mydomain.com">

        <Host name="mydomain.com" appBase="httpapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false" >
        </Host>

         <Host name="admin.mydomain.com" appBase="adminapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">
        </Host>
   </Engine>
 </Service>

...and I added this to the admin application's web.xml for SSL forwarding:
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>SLL Forwarding</web-resource-name>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>


The reason why I have two <Host> elements is that I have configured my
applications to different appBase directories as ROOT. That way I got URLs:
http://mydomain.com and
https://admin.mydomain.com
I don't want to show my appName in the URL like
http://mydomain.com/myapp and
https://admin.mydomain.com/myadminapp

Is there a better way? I know I could use the UrlRewriteFilter module but right
now I wouldn't like to add any additional modules to my Tomcat.

--
Jaakko


-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: 3 February 2009 16:44
To: Tomcat Users List
Subject: RE: Tomcat configuration with multiple services

> From: Jaakko Taipale [mailto:jaakko.taip...@dbmanager.fi]
> Subject: VS: Tomcat configuration with multiple services
>
>    <Connector port="80" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
>         <Connector
>         port="443" minSpareThreads="5" maxSpareThreads="75"
>         enableLookups="true" disableUploadTimeout="true"
>         acceptCount="100"  maxThreads="200"
>         scheme="https" secure="true" SSLEnabled="true"
>         keystoreFile="/path/somekeystore" keystorePass="*********"
>         clientAuth="false" sslProtocol="TLS"/>

Your redirectPort should target the configured HTTPS port, not thin air.

>    <Engine name="Public" defaultHost="mydomain.com">
>         <Host name="mydomain.com" appBase="httpapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>         </Host>
>          <Host name="hastobehttps.mydomain.com" appBase="httpsapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>         </Host>
>    </Engine>

What are you trying to achieve with the two <Host> elements?

> How can I force that users use https(or prevent http) when they access 
> to hastobehttps.mydomain.com?

Read the servlet spec; use a <transport-guarantee> of CONFIDENTIAL for all
your webapps.  If you want HTTPS to be used for everything, put the
<security-constraint> element in conf/web.xml so it will be picked up by all
webapps.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
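
The two points raised in this thread (redirectPort must name a real HTTPS connector, and a CONFIDENTIAL transport-guarantee must cover /*) can be checked mechanically. The following is an added example, not code from either poster or from the Tomcat project; the function names and the sample XML are constructed for illustration, and it assumes Tomcat terminates TLS itself rather than sitting behind a proxy.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the fragments quoted in the thread.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"/>
</Service></Server>"""
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPS only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

def dangling_redirects(server_xml):
    """Return (port, redirectPort) for each plain connector whose redirectPort
    is not the port of an SSL-enabled connector in the same <Service>.
    Connectors without an explicit redirectPort are skipped."""
    bad = []
    for service in ET.fromstring(server_xml).iter("Service"):
        conns = service.findall("Connector")
        tls_ports = {c.get("port") for c in conns
                     if c.get("SSLEnabled", "false").lower() == "true"}
        for c in conns:
            target = c.get("redirectPort")
            if c.get("port") in tls_ports or target is None:
                continue
            if target not in tls_ports:
                bad.append((c.get("port"), target))
    return bad

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace prefix if present

def forces_https_everywhere(web_xml):
    """True if a <security-constraint> covers /* for every HTTP method
    (no <http-method> restriction) with transport-guarantee CONFIDENTIAL."""
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        texts = {}
        for el in sc.iter():
            texts.setdefault(_local(el.tag), []).append((el.text or "").strip())
        if ("/*" in texts.get("url-pattern", [])
                and "CONFIDENTIAL" in texts.get("transport-guarantee", [])
                and "http-method" not in texts):
            return True
    return False
```

Run against the earlier server.xml, `dangling_redirects` reports port 80 redirecting to 8443; with redirectPort set to 443 as in the corrected configuration it returns an empty list.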

