Re: SSL, mod_proxy_ajp and AJP connectors query

Thu, 22 Jul 2010 14:35:54 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brett,

On 7/22/2010 1:31 PM, Brett Delle Grazie wrote:
> Tomcat 6.0.28 (binary distribution from apache).
>
> My question is, in the Tomcat server.xml, do I require _two_ AJP
> connectors as follows:
> 
> (executor omitted for simplicity)
> 
>     <!-- AJP connector pair (HTTP and fake HTTPS), proxied -->
>     <Connector executor="tomcatThreadPool"
>                enableLookups="false"
>                port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol"
>                redirectPort="8010" 
>                proxyPort="80" />
> 
>     <Connector executor="tomcatThreadPool"
>                enableLookups="false"
>                port="8010" protocol="org.apache.coyote.ajp.AjpAprProtocol" 
>                scheme="https" secure="true" 
>                proxyPort="443" />

In addition to Rainer's notes, I have a couple of comments:

It's not necessary to specify
protocol="org.apache.coyote.ajp.AjpAprProtocol" in the <Connector>. If
libapr isn't available, you'll be left with no working connectors. If,
instead, you simply have protocol="AJP/1.3", your <Connector> can
fall-back to the BIO (i.e. blocking pure-Java connector).

Your redirectPort should point to the port that is visible to the
outside world, not to the port that is being used for Tomcat. Probably,
your redirectPort should be set to "443" so that requests will be
redirected (remember, via the user agent) and hit your Apache httpd
instance out in front of Tomcat. If you specify "8010", and that port is
blocked to the outside world, you'll find that your users will receive a
"cannot contact server" message. if port 8010 is /not/ blocked, they'll
get a weird SSL error saying that the server isn't speaking HTTPS....
because it's speaking AJP!

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxIuZcACgkQ9CaO5/Lv0PBAfwCfQN9zGWDLjE8flIPh3xpmUoWx
MrUAn1Epj1dKmzh0/SAD2KI+C44i2bvX
=xF9L
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to