> -----Original Message----- > From: Jean-frederic Clere [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 17, 2006 1:43 PM > To: Tomcat Developers List > Subject: Re: SSL Connectors - config proposal > > Filip Hanik - Dev Lists wrote: > > > Jean-frederic Clere wrote: > > > >> > >> Filip Hanik - Dev Lists wrote: > >> > >>> gents and ladies, > >>> > >>> currently we are doing SSL a little bit differently > between APR and > >>> the Java connectors. > >>> The APR connector requires an attribute sslEngine="On" to kick in. > >>> > >>> I believe this attribute to be useful for two reasons: > >>> > >>> 1. > >>> Config should be as consistent as possible. > >>> > >>> 2. > >>> If I use a SSL network card, or apache doing SSL etc, I > would like > >>> to trick Tomcat into thinking it is running in SSL > >>> for example: > >>> > >>> Apache Port 80 -> mod_proxy(http) -> Tomcat 8080 > >>> <Connector protocol="HTTP/1.1" port="8080"/> > >>> Apache Port 443 -> mod_proxy(http) -> Tomcat 8081 > >>> <Connector protocol="HTTP/1.1" port="8081" secure="true" > >>> scheme="https" sslEngine="off"/> > >>> > >>> This example here is with Apache, but if you use any kind of SSL > >>> accelerator, be it a network card or an appliance, > >>> there is a risk of getting stuck in a redirect loop when using > >>> <transport-guarantee>CONFIDENTIAL</transport-guarantee> > >>> in web.xml > >>> > >>> Currently, you have to work around it using Valves or > filters, but > >>> it can get a little messy. > >>> > >>> Useful? > >> > >> > >> What would you propose if we use HTTP/AJP + SSL between > Apache httpd > >> and TC? > > > > AJP doesn't support SSL, so its not affected. > > Well. That would be protocol="AJP" sslEngine="on" secure="value" > scheme="value". > > BTW: Apache httpd does not yet support SSL proxy. > ProxyPass /servlets-examplex > https://anotherhost:8443/servlets-examples > is not yet supported. > Or do I miss something? >
I haven't tried in in 2.2.x, but I know it used to work. Do you have mod_ssl turned off? > >> BTW: In TC 5.x the secure="true" or secure="false" does > not behave as > >> in the documentation (See PR 40766). > > > > yes, this is what we are trying to avoid, secure="value" > should just > > result in request.getSecure to return value, and so on. > > sslEngine="on" actually kicks in the SSL enc/dec > > +1 > > Cheers > > Jean-Frederic > > > > > > > Filip > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
