Re: SSL redirects with mod_jk
On Mon, Apr 15, 2002 at 09:26:40AM -0400, Rich wrote:

> I'm curious about a few things. Why did you choose mod_jk over mod_webapp?

- I needed to send everything Apache receives to Tomcat
- We auto-add contexts to appbase and I don't need to update the config and restart apache each time that happens

> And when you enabled the SSL connector, did you also add jsse and basically configure tomcat as a standalone SSL enabled server?

yes, in order to get Tomcat running with the SSL connector, it had to have jsse etc. -- for testing I'd already configured Tomcat with SSL standalone and a self-signed cert, and so that was straightforward.

At this point it works but I had to make the non-intuitive leap of adding the SSL connector and thought others might benefit from knowing about it.

Thanks,
Adi

-----Original Message-----
From: Aditya [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 14, 2002 3:47 PM
To: [EMAIL PROTECTED]
Subject: SSL redirects with mod_jk

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
RE: SSL redirects with mod_jk
Adi,

You would prefer to have the SSL handshake occur with Apache, right? So I'm wondering, with Tomcat configured as a standalone SSL server, are you sure that apache is doing the handshake, and not Tomcat?

> At this point it works but I had to make the non-intuitive leap of adding the SSL connector and thought others might benefit from knowing about it.

-You can say that again. This might be the root of my SSL problem too, although hard to tell since we are using different apache modules and I use Tomcat's role based auth. I kludged a fix in code and am limited for time so may not attempt the exercise of getting Tomcat's SSL working.

Rich

-----Original Message-----
From: Aditya [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 15, 2002 1:07 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL redirects with mod_jk
Re: SSL redirects with mod_jk
On Mon, Apr 15, 2002 at 01:39:33PM -0400, Rich wrote:

> You would prefer to have the SSL handshake occur with Apache, right? So I'm wondering, with Tomcat configured as a standalone SSL server, are you sure that apache is doing the handshake, and not Tomcat?

notice the address that I give the SSL connector - 127.0.0.1 -- and I've verified that it's only listening on 127.0.0.1:8443, so yes, I'm sure that Tomcat is not doing the handshake (plus I verified which cert I'm getting).

> -You can say that again. This might be the root of my SSL problem too, although hard to tell since we are using different apache modules and I use Tomcat's role based auth. I kludged a fix in code and am limited for time so may not attempt the exercise of getting Tomcat's SSL working.

I'm also using JDBCRealm authentication on Tomcat and I have:

  tomcatAuthentication="true"

set in the AJP13 connector config stanza. What would be ideal would be a programmatic way in a servlet to force authentication rather than having to hard-code stuff via auth-constraints in web.xml.

Adi
SSL redirects with mod_jk
I have apache 1.3+mod_ssl and mod_jk (ajp13) fronting a Tomcat 4.0.3 server which has a servlet protected by:

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

I assume that for performance reasons it would be best if I could run no connectors other than the AJP13 one. Ideally, calls to the above servlet as http should be redirected to the equivalent https page. To that end, I have, in my server.xml:

  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
             port="8009" minProcessors="30" maxProcessors="150"
             acceptCount="10" debug="0" enableLookups="false"
             redirectPort="443" secure="false" scheme="http"
             address="127.0.0.1" tomcatAuthentication="true"/>

however the redirect won't work (Status 500 error) unless I put in an HTTPS connector as well in server.xml (note that it doesn't have to be accessible at all, hence the 127.0.0.1, and port 8443 is blocked off, so it doesn't seem to play any part in the whole deal other than to signal to Tomcat that it can handle redirects to SSL):

  <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             address="127.0.0.1" port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="false" acceptCount="10" debug="0"
             scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             clientAuth="false" protocol="TLS" keystorePass="foo"/>
  </Connector>

(I tried putting in an additional ajp13 connector that mod_jk sent anything that showed up as SSL to, but that didn't work.)

Is this how it's supposed to work? If so, it should be documented somewhere...

Thanks,
Adi
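The setup above rests on three things that are easy to get subtly wrong: the AJP13 connector's redirectPort has to be the port clients reach over https (Apache's 443, not Tomcat's own 8443), a secure="true" connector has to exist for Tomcat 4.0.3 to build the CONFIDENTIAL redirect at all, and that connector should be bound to loopback so the handshake clients see is Apache's. The script below is an added example, not code from this thread or from the Tomcat project: it lints a server.xml for those three conditions (the sample configuration embedded in it is constructed from the connectors in the post) and computes the URL a CONFIDENTIAL redirect would send the client to, mirroring how redirectPort is used. The function names, the check wording and the sample Service/Server wrapper are the example's own.

```python
"""Lint a Tomcat 4 server.xml for the mod_jk + mod_ssl redirect setup.

Checks, on a constructed sample configuration:
  1. the AJP13 connector carries a redirectPort (the port the *client*
     reaches over https, i.e. Apache's 443, not Tomcat's own SSL port);
  2. at least one connector has secure="true", which is what lets Tomcat
     honour a CONFIDENTIAL transport-guarantee by redirecting instead of
     failing with a 500;
  3. that secure connector is bound to loopback, so the TLS handshake
     clients see is the one Apache/mod_ssl performs, not Tomcat's.
It also computes the https URL a CONFIDENTIAL redirect would point at.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, modelled on the two connectors quoted in the thread;
# the Server/Service wrapper is an assumption for the sake of a complete file.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Apache">
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8009" minProcessors="30" maxProcessors="150"
               acceptCount="10" debug="0" enableLookups="false"
               redirectPort="443" secure="false" scheme="http"
               address="127.0.0.1" tomcatAuthentication="true"/>
    <!-- Define an SSL HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               address="127.0.0.1" port="8443" minProcessors="5"
               maxProcessors="75" enableLookups="false" acceptCount="10"
               debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false" protocol="TLS" keystorePass="foo"/>
    </Connector>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def lint_server_xml(xml_text):
    """Return a list of findings (strings); an empty list means the
    connector layout matches the pattern described in the thread."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    ajp = [c for c in connectors if "Ajp13" in c.get("className", "")]
    secure = [c for c in connectors if c.get("secure", "false").lower() == "true"]
    findings = []

    if not ajp:
        findings.append("no AJP13 connector: mod_jk has nothing to forward to")
    for c in ajp:
        if not c.get("redirectPort"):
            findings.append("AJP13 connector has no redirectPort; "
                            "CONFIDENTIAL redirects cannot be built")

    if not secure:
        findings.append('no connector with secure="true": Tomcat 4.0.3 '
                        "answers a CONFIDENTIAL redirect with a 500")
    for c in secure:
        addr = c.get("address")
        if addr not in LOOPBACK:
            findings.append(f"secure connector on port {c.get('port')} binds "
                            f"{addr or 'all interfaces'}; clients could reach "
                            "Tomcat's TLS instead of Apache's")
        for a in ajp:
            if a.get("redirectPort") == c.get("port"):
                findings.append("redirectPort points at Tomcat's own SSL port, "
                                "not at Apache's https port")
    return findings


def confidential_redirect(request_url, redirect_port):
    """URL Tomcat sends a client to when a plain-http request hits a
    CONFIDENTIAL-constrained resource: same host and path, https scheme,
    port taken from the connector's redirectPort (omitted when it is 443)."""
    parts = urlsplit(request_url)
    host = parts.hostname
    netloc = host if int(redirect_port) == 443 else f"{host}:{redirect_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    for finding in lint_server_xml(SAMPLE_SERVER_XML) or ["no findings"]:
        print(finding)
    print(confidential_redirect("http://www.example.com/app/secure", 443))
```

Run it against a real server.xml by reading the file into `lint_server_xml`; the redirect helper makes the cost of a wrong redirectPort concrete, since pointing it at 8443 would send browsers to a loopback-only listener.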