Re: [Resin-interest] ssl port
With the SSL port set up in Resin, relative redirect on a https request should go to the SSL port. Is that not the case?

Bill

On 6/1/07, Michael Fortin [EMAIL PROTECTED] wrote:
> Hello,
>
> We have our servers set up behind a load balancer and the load balancer does all the encryption for ssl. All traffic inside our network is on port 8080. If I do a relative redirect on a request from a secure url it returns an insecure url.
>
> To try and fix this I set up another http port in the resin conf for 8443 and set the load balancer to send secure traffic to that port. Tomcat has an isSecure flag on its connector to tell the request it's a secure request even though it's already decrypted. Does resin have something like that? Will resin know to make a secure link on that port?
>
> Resin version 3.0.18
> JDK 1.5.0_10
> Linux
>
> Thanks
> Michael

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
Re: [Resin-interest] ssl port
Hi Bill,

Thanks for the response. Honestly, I haven't tested it just yet. I didn't see a 'secure' attribute on the <http/> config element so I just wanted to confirm that 8443 will implicitly be secure even though I'm not setting an encryption handler. I didn't see anything here (http://caucho.com/resin-3.0/security/ssl.xtp#notneeded) about it.

I'll be back if it doesn't work.

Thanks again,
Michael
Re: [Resin-interest] ssl port
There is a secure-host-name under host:

http://www.caucho.com/resin-3.0/config/resin.xtp#host

You may have to use that to set the port number for SSL.

Bill
Re: [Resin-interest] ssl port
Hi Bill,

I've just tested my theory and it didn't work as I had hoped; the request is not flagged as secure.

In my resin.conf:

    <http server-id="web23-s1" host="172.30.1.219" virtual-host="www.ourdomain.com" port="8080"/>
    <http server-id="web23-s1" host="172.30.1.219" virtual-host="www.ourdomain.com" port="8443"/>

    <host id="www.ourdomain.com" root-directory="/var/www/hosts/www.ourdomain.com">
      <web-app id="/" document-directory="ROOT" startup-mode="automatic" redeploy-mode="manual"/>
    </host>

and I set up a simple jsp that outputs:

    Secure? <%= request.isSecure() %>

When I call either of the following urls, secure is false.

    http://172.30.1.219:8080/test.jsp
    http://172.30.1.219:8443/test.jsp

How do I configure resin to know the request on 8443 is secure?

Thanks,
Michael
Re: [Resin-interest] ssl port
Michael Fortin wrote:
> How do I configure resin to know the request on 8443 is secure?

If your advanced load balancer can inject an HTTP header in the SSL requests you can use a servlet filter to add a request adapter that overrides the isSecure method.

-Knut
Re: [Resin-interest] ssl port
We do have a header attribute that tells us if it's secure or not which I could use in a filter. That would be an acceptable solution. I've tried modifying the request in a filter before I tried setting up the 8443 port but isSecure is immutable. What do you mean by 'request adapter'?

Michael
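The filter-plus-request-adapter approach discussed above, as an added example that is not part of the original thread: a servlet filter wraps the request in an `HttpServletRequestWrapper` whose `isSecure()` returns true when the load balancer's header is present. The class name, the header name `X-Forwarded-Proto`, the init-param names, the balancer address `192.0.2.10` and the public port 443 are all assumptions to be replaced with the deployment's real values.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example (hypothetical class): marks requests as secure when the
// TLS-terminating load balancer says the client connection used SSL.
public class SslOffloadFilter implements Filter {
    // Assumed defaults; override with <init-param> entries in web.xml.
    private String sslHeader = "X-Forwarded-Proto";
    private String balancerAddr = "192.0.2.10";

    public void init(FilterConfig cfg) {
        String h = cfg.getInitParameter("ssl-header");
        String a = cfg.getInitParameter("balancer-addr");
        if (h != null) sslHeader = h;
        if (a != null) balancerAddr = a;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Honour the header only on connections that come from the balancer;
            // any other client could set the same header itself.
            boolean fromBalancer = balancerAddr.equals(http.getRemoteAddr());
            if (fromBalancer && "https".equalsIgnoreCase(http.getHeader(sslHeader))) {
                req = new SecureRequest(http);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    // The "request adapter": delegates every call to the real request except
    // the three methods that describe the transport.
    static class SecureRequest extends HttpServletRequestWrapper {
        SecureRequest(HttpServletRequest r) { super(r); }
        public boolean isSecure() { return true; }
        public String getScheme() { return "https"; }
        public int getServerPort() { return 443; } // assumed public SSL port
    }
}
```

Map the filter to `/*` in web.xml so it runs before any servlet or JSP, and have the load balancer strip any client-supplied copy of the header before adding its own.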
Re: [Resin-interest] ssl port
Resin 3.1.1 includes some features in rewrite-dispatch that may be able to help:

http://www.caucho.com/resin-3.1/doc/rewrite-tags.xtp#set

Basically, there is a facility to set the isSecure method of the request to return true if there is some condition of the request (such as a header set by the load balancer) that can be used to determine that the request should be secure.

    <web-app xmlns="http://caucho.com/ns/resin">
      <rewrite-dispatch>
        <set request-secure="true">
          <when header="X-SSL-cipher"/>
        </set>
      </rewrite-dispatch>
    </web-app>

If the load balancer is configured to proxy regular requests to port 8080 and SSL requests to port 8443 then something like the following should work:

    <web-app xmlns="http://caucho.com/ns/resin">
      <rewrite-dispatch>
        <set request-secure="true">
          <when local-port="8443"/>
        </set>
      </rewrite-dispatch>
    </web-app>

-- Sam