Re: SSL redirects with mod_jk

2002-04-15 Thread Aditya

On Mon, Apr 15, 2002 at 09:26:40AM -0400, Rich wrote:
> I'm curious about a few things. Why did you choose mod_jk over mod_webapp?

- I needed to send everything Apache receives to Tomcat

- We auto-add contexts to appbase and I don't need to update the config and
restart apache each time that happens

> And when you enabled the SSL connector, did you also add jsse and basically
> configure tomcat as a standalone SSL enabled server?

Yes, in order to get Tomcat running with the SSL connector, it had to have
jsse etc. -- for testing I'd already configured Tomcat with SSL standalone and
a self-signed cert, and so that was straightforward.

At this point it "works" but I had to make the non-intuitive leap of adding the
SSL connector and thought others might benefit from knowing about it.

Thanks,
Adi

> -Original Message-
> From: Aditya [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 14, 2002 3:47 PM
> To: [EMAIL PROTECTED]
> Subject: SSL redirects with mod_jk
> 
> 
> I have apache 1.3+mod_ssl and mod_jk (ajp13) "fronting" a Tomcat 4.0.3 server
> which has a servlet protected by:
> 
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> 
> I assume that for performance reasons it would be best if I could run no
> connectors other than the AJP13 one.
> 
> Ideally, calls to the above servlet as http should be redirected to the
> equivalent https page. To that end, I have, in my server.xml:
> 
> <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
>    port="8009" minProcessors="30" maxProcessors="150"
>    acceptCount="10" debug="0"
>    enableLookups="false" redirectPort="443"
>    secure="false" scheme="http"
>    address="127.0.0.1"
>    tomcatAuthentication="true"/>
> 
> however the redirect won't work (Status 500 error) unless I put in an HTTPS
> connector as well in server.xml (note that it doesn't have to be accessible at
> all, hence the 127.0.0.1 and port 8443 is blocked off so it doesn't seem to
> play any part in the whole deal other than to signal to Tomcat that it can
> handle redirects to SSL):
> 
> <Connector className="org.apache.catalina.connector.http.HttpConnector"
>    address="127.0.0.1" port="8443" minProcessors="5"
>    maxProcessors="75"
>    enableLookups="false"
>    acceptCount="10" debug="0" scheme="https" secure="true">
>   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>    clientAuth="false" protocol="TLS"
>    keystorePass="foo"/>
> </Connector>
> 
> (I tried putting in an additional ajp13 connector that mod_jk sent anything
> that showed up as SSL to, but that didn't work).
> 
> Is this how it's supposed to work? If so, it should be documented
> somewhere...
> 
> Thanks,
> Adi
> 
> --
> To unsubscribe:   
> For additional commands: 
> Troubles with the list: 
> 
> 





RE: SSL redirects with mod_jk

2002-04-15 Thread Rich

Adi,

You would prefer to have the SSL handshake to occur with Apache, right? So
I'm wondering, with Tomcat configured as a standalone SSL server are you
sure that apache is doing the handshake, and not Tomcat.


> At this point it "works" but I had to make the non-intuitive leap of adding
> the SSL connector and thought others might benefit from knowing about it.

-You can say that again. This might be the root of my SSL problem too,
although hard to tell since we are using different apache modules and I use
Tomcat's role based auth. I "kludged a fix in code" and am limited for time
so may not attempt the exercise of getting Tomcat's SSL working.

Rich




Re: SSL redirects with mod_jk

2002-04-15 Thread Aditya

On Mon, Apr 15, 2002 at 01:39:33PM -0400, Rich wrote:
> You would prefer to have the SSL handshake to occur with Apache, right? So
> I'm wondering, with Tomcat configured as a standalone SSL server are you
> sure that apache is doing the handshake, and not Tomcat.

Notice the address that I give the SSL connector - 127.0.0.1 -- and I've
verified that it's only listening on 127.0.0.1:8443 so yes, I'm sure that
Tomcat is not doing the handshake (plus I verified which cert I'm getting).

> -You can say that again. This might be the root of my SSL problem too,
> although hard to tell since we are using different apache modules and I use
> Tomcat's role based auth. I "kludged a fix in code" and am limited for time
> so may not attempt the exercise of getting Tomcat's SSL working.

I'm also using JDBCRealm authentication on Tomcat and I have:

tomcatAuthentication="true"

set in the AJP13 connector config stanza.

What would be ideal would be a programmatic way in a servlet to force
authentication rather than having to hard-code stuff via auth-constraints in
web.xml.

Adi

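As an added example (not code from the thread or from Tomcat), a small Python lint over a Tomcat 4 server.xml that encodes the two points discussed above: a plain AJP13 connector with redirectPort must be paired with a secure connector (the missing-HTTPS-connector case behind the 500), and that secure connector should only listen on loopback so that Apache/mod_ssl, not Tomcat, performs the handshake, which is what Adi checks by looking at the listening address. The embedded server.xml is constructed to mirror the thread's stanzas; the Ajp13Connector and SSLServerSocketFactory class names are assumed from Tomcat 4.0 defaults rather than taken from the thread.

```python
"""Lint the <Connector> stanzas of a Tomcat 4 server.xml for the SSL-redirect
setup in the thread: a plain (AJP13) connector with redirectPort, plus an
HTTPS connector kept on loopback so Apache/mod_ssl, not Tomcat, terminates TLS."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the stanzas quoted in the thread; not a real deployment.
SERVER_XML = """<Server><Service name="Tomcat-Apache">
  <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
     port="8009" redirectPort="443" secure="false" scheme="http"
     address="127.0.0.1" tomcatAuthentication="true"/>
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
     address="127.0.0.1" port="8443" scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
       clientAuth="false" protocol="TLS" keystorePass="foo"/>
  </Connector>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PLACEHOLDER_PASSWORDS = {None, "", "foo", "changeit", "password"}

def lint_connectors(xml_text):
    """Return (severity, message) findings; an empty list means no issues found."""
    root = ET.fromstring(xml_text)
    plain = [c for c in root.iter("Connector") if c.get("secure") != "true"]
    secure = [c for c in root.iter("Connector") if c.get("secure") == "true"]
    findings = []
    for c in plain:
        if c.get("redirectPort") is None:
            findings.append(("warn", f"port {c.get('port')}: no redirectPort, so a "
                             "CONFIDENTIAL transport-guarantee cannot redirect to https"))
    if any(c.get("redirectPort") for c in plain) and not secure:
        # The thread reports a 500 on the redirect when no secure connector exists.
        findings.append(("error", "redirectPort set but no secure connector is defined; "
                         "Tomcat 4 cannot complete the https redirect"))
    for c in secure:
        addr = c.get("address")
        if addr not in LOOPBACK:
            findings.append(("warn", f"port {c.get('port')}: secure connector bound to "
                             f"{addr or 'all interfaces'}; Tomcat rather than Apache "
                             "would terminate TLS there"))
        for factory in c.iter("Factory"):
            if factory.get("keystorePass") in PLACEHOLDER_PASSWORDS:
                findings.append(("warn", f"port {c.get('port')}: placeholder or missing "
                                 "keystorePass on the SSL socket factory"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_connectors(SERVER_XML):
        print(f"[{severity}] {message}")
```

On the thread's configuration the only finding is the placeholder keystore password; dropping the HTTPS connector produces the error finding, and binding it to all interfaces produces the handshake warning.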