Thanks for the advice, the <transport-guarantee> 'tip' was exactly what I needed. I now have the following configuration:

server.xml:

<Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" />
  <Connector port="443" minSpareThreads="5" maxSpareThreads="75"
             enableLookups="true" disableUploadTimeout="true"
             acceptCount="100" maxThreads="200"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/path/keystore" keystorePass="********"
             clientAuth="false" sslProtocol="TLS"/>
  <Engine name="Catalina" defaultHost="mydomain.com">
    <Host name="mydomain.com" appBase="httpapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
    </Host>
    <Host name="admin.mydomain.com" appBase="adminapps"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
    </Host>
  </Engine>
</Service>

...and I added this to the admin application's web.xml for SSL forwarding:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SLL Forwarding</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The reason why I have two <Host> elements is that I have configured my applications in different appBase directories as ROOT. That way I get the URLs:

http://mydomain.com and https://admin.mydomain.com

I don't want to show my app name in the URL, like:

http://mydomain.com/myapp and https://admin.mydomain.com/myadminapp

Is there a better way? I know I could use the UrlRewriteFilter module, but right now I wouldn't like to add any additional modules to my Tomcat.

-- Jaakko

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: 3 February 2009 16:44
To: Tomcat Users List
Subject: RE: Tomcat configuration with multiple services

> From: Jaakko Taipale [mailto:jaakko.taip...@dbmanager.fi]
> Subject: VS: Tomcat configuration with multiple services
>
> <Connector port="80" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="8443" />
> <Connector
>            port="443" minSpareThreads="5" maxSpareThreads="75"
>            enableLookups="true" disableUploadTimeout="true"
>            acceptCount="100" maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="/path/somekeystore" keystorePass="*********"
>            clientAuth="false" sslProtocol="TLS"/>

Your redirectPort should target the configured HTTPS port, not thin air.

> <Engine name="Public" defaultHost="mydomain.com">
>   <Host name="mydomain.com" appBase="httpapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>   </Host>
>   <Host name="hastobehttps.mydomain.com" appBase="httpsapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>   </Host>
> </Engine>

What are you trying to achieve with the two <Host> elements?

> How can I force that users use https (or prevent http) when they access
> to hastobehttps.mydomain.com?

Read the servlet spec; use a <transport-guarantee> of CONFIDENTIAL for all your webapps. If you want HTTPS to be used for everything, put the <security-constraint> element in conf/web.xml so it will be picked up by all webapps.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
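
Added example (not part of the original messages and not Tomcat project code): a small Python check for the two points raised in this thread, namely that every explicit redirectPort targets a port served by an SSL-enabled <Connector> in the same <Service>, and that a web.xml constraint with a CONFIDENTIAL <transport-guarantee> covers the expected url-pattern. The XML samples are constructed from the fragments quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the fragments quoted in this thread.
SERVER_XML_OLD = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"/>
</Service></Server>"""
SERVER_XML_NEW = SERVER_XML_OLD.replace('"8443"', '"443"')
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SLL Forwarding</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def local(el):
    """Element name without any xmlns prefix (real web.xml files are namespaced)."""
    return el.tag.rsplit("}", 1)[-1]

def dangling_redirects(server_xml):
    """(port, redirectPort) pairs whose target is not an SSL connector port."""
    findings = []
    for service in ET.fromstring(server_xml).iter("Service"):
        connectors = service.findall("Connector")
        tls_ports = {c.get("port") for c in connectors
                     if (c.get("SSLEnabled") or "").lower() == "true"}
        for c in connectors:
            target = c.get("redirectPort")
            # Only explicit redirectPort values on non-SSL connectors are checked.
            if target and c.get("port") not in tls_ports and target not in tls_ports:
                findings.append((c.get("port"), target))
    return findings

def confidential_patterns(web_xml):
    """url-patterns inside constraints whose transport-guarantee is CONFIDENTIAL."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc) != "security-constraint":
            continue
        found = {}
        for el in sc.iter():
            found.setdefault(local(el), []).append((el.text or "").strip())
        if "CONFIDENTIAL" in found.get("transport-guarantee", []):
            patterns += found.get("url-pattern", [])
    return patterns
```

The check does not account for <http-method> elements, which narrow a constraint to specific methods; a constraint that lists methods leaves the others uncovered.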