RE: Tomcat connector settings

2016-05-10 Thread Michael Fox
Chris,

Thanks for all your patience and help!  It's working.

Regards,
Mike

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Thursday, May 5, 2016 4:50 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat connector settings

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael,

On 5/5/16 3:28 PM, Michael Fox wrote:
> Please confirm that to configure the passthrough with an external 
> HTTPS and an internal HTTP, I would set Apache to listen to SSL on 
> port 8443 and Tomcat on port 8080, with a line inside the Virtual Host 
> directive of
> 
> ProxyPass /myapp http://DNS_hostname:8080/myapp
> ProxyPassReverse /myapp http://DNS_hostname:8080/myapp

If DNS_hostname is the hostname of your Tomcat server, then yes, this is 
correct. If the web server and Tomcat are on the same host, then you can use 
"localhost" which should speed things up.

I'm guessing that the powers-that-be are using the web server elsewhere, so 
they'll have to use the IP address (or hostname) of wherever Tomcat is running 
in the URLs above.

Note that there is no requirement to use port 8080 -- you can use anything 
you'd like -- but 8080 is somewhat traditional and also happens to be the 
default configuration shipped with Tomcat.

> In the Tomcat server.xml file, inside the Host directive, I will place 
>  />

Good.

> In the file /etc/httpd/conf/workers.properties,
> worker.worker1.host should be set to DNS_hostname and 
> worker.worker1.port is set to 8080.

Nope. You don't need a workers.properties file at all. That's for if you want 
to use mod_jk and the AJP13 protocol as a proxying protocol.
Since you are using HTTP, you don't need any of that stuff.

(At worst, it will be confusing, since Tomcat will be listening on
:8080 for HTTP connections, not AJP13 connections.)

> With this setup, the URL for accessing the Tomcat application via the 
> Apache server would be https://DNS_hostname/myapp

If Tomcat is on DNS_hostname, then this is probably wrong. If DNS_hostname 
points to the host where the reverse-proxy (web server) is, then you are 
correct.

Here's the ASCII-art picture:

Client --- HTTPS:443 ---> web server --- HTTP:8080 --> Tomcat

If you wanted to use AJP13 with mod_jk (or mod_proxy_ajp), it would look like 
this:

Client --- HTTPS:443 ---> web server --- AJP13:8009 --> Tomcat

(8009 is the default port setting for AJP13 in a Tomcat configuration.)

From the client perspective, the URL should be https://publichostname/myapp. 
From the web server's perspective, the URL should be 
http://tomcat.internal.hostname:8080/myapp

Hope that helps,
-chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcrsg8ACgkQ9CaO5/Lv0PBXzQCfaL/Dy/GqKA/7t0WSex8ZzPb8
iaAAn2TwoF3N89NHiEQEimZ+VjDA4Y4+
=DMoV
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat connector settings

2016-05-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael,

On 5/5/16 3:28 PM, Michael Fox wrote:
> Please confirm that to configure the passthrough with an external 
> HTTPS and an internal HTTP, I would set Apache to listen to SSL on 
> port 8443 and Tomcat on port 8080, with a line inside the Virtual 
> Host directive of
> 
> ProxyPass /myapp http://DNS_hostname:8080/myapp
> ProxyPassReverse /myapp http://DNS_hostname:8080/myapp

If DNS_hostname is the hostname of your Tomcat server, then yes, this
is correct. If the web server and Tomcat are on the same host, then
you can use "localhost" which should speed things up.

I'm guessing that the powers-that-be are using the web server
elsewhere, so they'll have to use the IP address (or hostname) of
wherever Tomcat is running in the URLs above.

Note that there is no requirement to use port 8080 -- you can use
anything you'd like -- but 8080 is somewhat traditional and also
happens to be the default configuration shipped with Tomcat.

> In the Tomcat server.xml file, inside the Host directive, I will 
> place  />

Good.

> In the file /etc/httpd/conf/workers.properties,
> worker.worker1.host should be set to DNS_hostname and
> worker.worker1.port is set to 8080.

Nope. You don't need a workers.properties file at all. That's for if
you want to use mod_jk and the AJP13 protocol as a proxying protocol.
Since you are using HTTP, you don't need any of that stuff.

(At worst, it will be confusing, since Tomcat will be listening on
:8080 for HTTP connections, not AJP13 connections.)

> With this setup, the URL for accessing the Tomcat application via
> the Apache server would be https://DNS_hostname/myapp

If Tomcat is on DNS_hostname, then this is probably wrong. If
DNS_hostname points to the host where the reverse-proxy (web server)
is, then you are correct.

Here's the ASCII-art picture:

Client --- HTTPS:443 ---> web server --- HTTP:8080 --> Tomcat

If you wanted to use AJP13 with mod_jk (or mod_proxy_ajp), it would
look like this:

Client --- HTTPS:443 ---> web server --- AJP13:8009 --> Tomcat

(8009 is the default port setting for AJP13 in a Tomcat configuration.)

From the client perspective, the URL should be
https://publichostname/myapp. From the web server's perspective, the
URL should be http://tomcat.internal.hostname:8080/myapp

Hope that helps,
-chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcrsg8ACgkQ9CaO5/Lv0PBXzQCfaL/Dy/GqKA/7t0WSex8ZzPb8
iaAAn2TwoF3N89NHiEQEimZ+VjDA4Y4+
=DMoV
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
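The two URL perspectives Chris describes (public https://publichostname/myapp, internal http://tomcat.internal.hostname:8080/myapp) are exactly what the ProxyPass / ProxyPassReverse pair translates between. The Python model below is an added example, not code from the thread, httpd or Tomcat; it uses the thread's placeholder hostnames and a whole-segment prefix match as a simplification of httpd's matching. It shows the forward mapping of a request and the reverse mapping of a Location header, including the case where a redirect to an unmapped internal URL passes through untouched, which is how internal hostnames and ports leak to clients.

```python
"""What httpd's ProxyPass / ProxyPassReverse pair does to URLs in the layout above.

Added example, not code from the thread, httpd or Tomcat.  The three URLs are
the placeholders used in the thread: the public prefix /myapp on
https://publichostname, proxied to http://tomcat.internal.hostname:8080/myapp.
"""
from urllib.parse import urlsplit, urlunsplit

PREFIX = "/myapp"
BACKEND = "http://tomcat.internal.hostname:8080/myapp"
PUBLIC_BASE = "https://publichostname"


def _prefix_match(path: str, prefix: str) -> bool:
    """Match whole path segments: /myapp and /myapp/x match /myapp, /myapp2 does not."""
    base = prefix.rstrip("/")
    if not path.startswith(base):
        return False
    rest = path[len(base):]
    return rest == "" or rest.startswith("/")


def map_to_backend(request_target: str, prefix: str = PREFIX, backend: str = BACKEND):
    """ProxyPass: turn the request-target the web server received into the URL it
    fetches from Tomcat, or None when the path is not under the proxied prefix."""
    req = urlsplit(request_target)
    if not _prefix_match(req.path, prefix):
        return None
    back = urlsplit(backend)
    rest = req.path[len(prefix.rstrip("/")):]
    return urlunsplit((back.scheme, back.netloc, back.path.rstrip("/") + rest, req.query, ""))


def rewrite_location(location: str, prefix: str = PREFIX, backend: str = BACKEND,
                     public_base: str = PUBLIC_BASE) -> str:
    """ProxyPassReverse: rewrite a Location header Tomcat sent with its own internal
    URL so the client sees the public URL instead.  Redirects to anything outside
    the mapped backend URL are left alone, which is how internal URLs leak when the
    reverse mapping is missing or too narrow."""
    loc, back, pub = urlsplit(location), urlsplit(backend), urlsplit(public_base)
    if (loc.scheme, loc.netloc) != (back.scheme, back.netloc) or not _prefix_match(loc.path, back.path):
        return location
    rest = loc.path[len(back.path.rstrip("/")):]
    return urlunsplit((pub.scheme, pub.netloc, prefix.rstrip("/") + rest, loc.query, loc.fragment))


if __name__ == "__main__":
    # Constructed request and redirect, as the proxy would see them.
    print(map_to_backend("/myapp/login?next=%2Fmyapp%2Fhome"))
    print(map_to_backend("/myapp2/login"))          # None: not proxied
    print(rewrite_location("http://tomcat.internal.hostname:8080/myapp/home"))
    print(rewrite_location("http://tomcat.internal.hostname:8080/other"))  # unchanged: leaks
```

ProxyPassReverse only fixes the Location, Content-Location and URI response headers; URLs that the application writes into page bodies are not touched, which is why the RemoteIpValve discussed earlier in the thread matters for anything Tomcat generates itself.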



RE: Tomcat connector settings

2016-05-05 Thread Michael Fox
Chris,

Thanks for your explanations and help!

Please confirm that to configure the passthrough with an external HTTPS and an 
internal HTTP, I would set Apache to listen to SSL on port 8443 and Tomcat on 
port 8080, with a line inside the Virtual Host directive of

ProxyPass /myapp http://DNS_hostname:8080/myapp
ProxyPassReverse /myapp http://DNS_hostname:8080/myapp


In the Tomcat server.xml file, inside the Host directive, I will place


In the file /etc/httpd/conf/workers.properties, worker.worker1.host should be 
set to DNS_hostname and worker.worker1.port is set to 8080.


With this setup, the URL for accessing the Tomcat application via the Apache 
server would be
https://DNS_hostname/myapp

Best,
Mike

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, May 4, 2016 12:50 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat connector settings

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael,

On 5/2/16 10:20 AM, Michael Fox wrote:
> I ultimately want to have a Tomcat application protected  by our 
> university's system for authentication, which is SiteMinder.  They 
> have told me that they can't protect Tomcat directly, but if user 
> communications can be passed through a web server then they can 
> protect the server with SiteMinder.

No problem.

> I have a working Tomcat application if I uncomment the non-SSL
> HTTP/1.1 protocol in the Tomcat, but I believe I need all 
> communication to pass through the Apache web server.  Let me know if 
> you need more information and, if so, what that would be.

You can use HTTP, HTTPS, or AJP as the communication mechanism between the web 
server and Tomcat.

AJP works great with Apache httpd, but may be more complicated to get set up 
with other web servers. HTTP is, by definition, always supported. You want them 
to set up the web server as a "reverse-proxy", and just give them the URL of 
your base application.
The configuration in httpd for using HTTP as the protocol is fairly
simple:

ProxyPass /myapp http://internal.ip:8080/myapp
ProxyPassReverse /myapp http://internal.ip:8080/myapp

You'll want to enable the standard HTTP connector (it was enabled by
default) and if you aren't using AJP (like you are NOT in this example), then 
you'll want to enable the RemoteIPValve:
https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

That "valve" takes information from the HTTP headers coming from the web server 
and makes sure that things like the base URL match what the client is seeing 
from the outside world (e.g. they won't see URLs for 
http://internal.ip:8080/etc.).

On the web server, you can use whatever protocol you want for your clients. 
HTTPS is a good choice. Using HTTPS on the web server has no impact on whether 
or not you want to use HTTP or HTTPS internally on your private network. If you 
want to use HTTPS internally (also not a bad idea, especially if you don't 100% 
trust everyone who has access to your network), change the httpd configuration 
to this:

ProxyPass /myapp https://internal.ip:8443/myapp
ProxyPassReverse /myapp https://internal.ip:8443/myapp

You will, of course, have to configure a secure <Connector> on port
8443 for that purpose, including a TLS certificate, etc. If you always expect 
to use a secure connection, then disable the non-secure
<Connector>: anyone coming to your web site using cleartext HTTP can be 
redirected by the web server to HTTPS so Tomcat itself only has to be providing 
an HTTPS connection.

Hope that helps,
-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, April 29, 2016 9:14 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat connector settings
> 
> Michael,
> 
> On 4/29/16 4:25 PM, Michael Fox wrote:
>> I have an Apache web server (2.4.6) which is accessible at http or
>> https at DNS_hostname, and a Tomcat server (9.0.0.M1) with an
>> application available at DNS_hostname:8080/app_name.
> 
>> I then disabled the non-SSL HTTP/1.1 connector on port 8080 and
>> enabled HTTP/2 in the Tomcat server.xml, using the certificate key
>> file and certificate that were generated using the openssl
>> (1.0.2g) commands and used on the Apache web server.
> 
>> The Apache ssl.conf file is set to listen on port 8443 for https, and 
>> the only virtual host is set for IP_address:8443 and servername set 
>> to DNS_hostname
> 
>> In the file /etc/httpd/conf/workers.properties,
>> worker.worker1.host is set to DNS_hostname and worker.worker1.port is 
>> set to 8443.
> 
>> Netstat -tamp shows httpd listening on port 8443 and java listening 
>> on port 8009.
> 
>> Are these settings proper and correct?
> 
> It doesn't look like it.
> 
>> What s

Re: Tomcat connector settings

2016-05-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael,

On 5/2/16 10:20 AM, Michael Fox wrote:
> I ultimately want to have a Tomcat application protected  by our 
> university's system for authentication, which is SiteMinder.  They 
> have told me that they can't protect Tomcat directly, but if user 
> communications can be passed through a web server then they can 
> protect the server with SiteMinder.

No problem.

> I have a working Tomcat application if I uncomment the non-SSL 
> HTTP/1.1 protocol in the Tomcat, but I believe I need all 
> communication to pass through the Apache web server.  Let me know
> if you need more information and, if so, what that would be.

You can use HTTP, HTTPS, or AJP as the communication mechanism between
the web server and Tomcat.

AJP works great with Apache httpd, but may be more complicated to get
set up with other web servers. HTTP is, by definition, always
supported. You want them to set up the web server as a
"reverse-proxy", and just give them the URL of your base application.
The configuration in httpd for using HTTP as the protocol is fairly
simple:

ProxyPass /myapp http://internal.ip:8080/myapp
ProxyPassReverse /myapp http://internal.ip:8080/myapp

You'll want to enable the standard HTTP connector (it was enabled by
default) and if you aren't using AJP (like you are NOT in this
example), then you'll want to enable the RemoteIPValve:
https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

That "valve" takes information from the HTTP headers coming from the
web server and makes sure that things like the base URL match what the
client is seeing from the outside world (e.g. they won't see URLs for
http://internal.ip:8080/etc.).

On the web server, you can use whatever protocol you want for your
clients. HTTPS is a good choice. Using HTTPS on the web server has no
impact on whether or not you want to use HTTP or HTTPS internally on
your private network. If you want to use HTTPS internally (also not a
bad idea, especially if you don't 100% trust everyone who has access
to your network), change the httpd configuration to this:

ProxyPass /myapp https://internal.ip:8443/myapp
ProxyPassReverse /myapp https://internal.ip:8443/myapp

You will, of course, have to configure a secure <Connector> on port
8443 for that purpose, including a TLS certificate, etc. If you always
expect to use a secure connection, then disable the non-secure
<Connector>: anyone coming to your web site using cleartext HTTP can
be redirected by the web server to HTTPS so Tomcat itself only has to
be providing an HTTPS connection.

Hope that helps,
-chris

> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, April 29, 2016 9:14 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat connector settings
> 
> Michael,
> 
> On 4/29/16 4:25 PM, Michael Fox wrote:
>> I have an Apache web server (2.4.6) which is accessible at http or
>> https at DNS_hostname, and a Tomcat server (9.0.0.M1) with an
>> application available at DNS_hostname:8080/app_name.
> 
>> I then disabled the non-SSL HTTP/1.1 connector on port 8080 and
>> enabled HTTP/2 in the Tomcat server.xml, using the certificate
>> key file and certificate that were generated using the openssl
>> (1.0.2g) commands and used on the Apache web server.
> 
>> The Apache ssl.conf file is set to listen on port 8443 for
>> https, and the only virtual host is set for IP_address:8443 and
>> servername set to DNS_hostname
> 
>> In the file /etc/httpd/conf/workers.properties,
>> worker.worker1.host is set to DNS_hostname and
>> worker.worker1.port is set to 8443.
> 
>> Netstat -tamp shows httpd listening on port 8443 and java
>> listening on port 8009.
> 
>> Are these settings proper and correct?
> 
> It doesn't look like it.
> 
>> What should the URL look like in order to access the Tomcat 
>> application via Apache?
> 
> That depends upon what you are actually trying to do.
> 
>> Any help and/or guidance would be most appreciated.
> 
> You have an HTTPS server listening on port 443 (httpd). You have 
> mod_jk (workers.properties) configured to connect to host:8443
> (which is the same host listening for HTTPS requests on port 8443)
> using AJP13 (not HTTP). So, if a client makes a call to host:8443,
> mod_jk will proxy the request through to host:8443. If the protocol
> were correct (it isn't), you'd have an infinite loop of requests.
> 
> Can you explain what you are actually trying to do and maybe we
> can help?
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...
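The RemoteIpValve Chris recommends only believes X-Forwarded-For and X-Forwarded-Proto when the TCP peer is itself a known proxy, and then walks the forwarded chain from the right, discarding its own internal proxies, so a client cannot simply forge the header. The following Python model of that logic is an added example, not Tomcat's source; it assumes the valve's documented default internalProxies ranges and the header names from the valve documentation, leaves trustedProxies empty, and uses constructed RFC 5737 documentation addresses as sample clients.

```python
"""Trusted-proxy resolution of the client address, modelled on Tomcat's RemoteIpValve.

Added example, not Tomcat's code.  Assumes the httpd reverse proxy sends
X-Forwarded-For and X-Forwarded-Proto, and that the valve runs with its default
internalProxies (RFC 1918, loopback, link-local) and no trustedProxies.
"""
import ipaddress

# Default internalProxies ranges of RemoteIpValve, expressed as networks.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
    "172.16.0.0/12", "::1/128")]
# Proxies outside those ranges that you also trust (e.g. a public load balancer); none here.
TRUSTED_PROXIES = []


def _in(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in networks)


def resolve_client(remote_addr, headers, http_port=80, https_port=443):
    """Return what the application would see: client IP, scheme, server port, secure
    flag, the unverified left-over X-Forwarded-For entries and the trusted proxies seen.

    The forwarded headers are consulted only when the TCP peer is an internal or
    trusted proxy.  The chain is walked right-to-left (nearest proxy first):
    internal proxies are dropped, trusted proxies are recorded, and the first other
    address is the client.  A direct client that sets X-Forwarded-For itself is not
    behind a proxy, so its header is ignored and its own address is kept.
    """
    h = {k.lower(): v for k, v in headers.items()}
    client, proxies, remaining = remote_addr, [], []
    scheme, port, secure = "http", http_port, False

    if _in(remote_addr, INTERNAL_PROXIES) or _in(remote_addr, TRUSTED_PROXIES):
        xff = [a.strip() for a in h.get("x-forwarded-for", "").split(",") if a.strip()]
        while xff:
            hop = xff.pop()               # rightmost entry was added by the nearest proxy
            if _in(hop, INTERNAL_PROXIES):
                continue                  # our own hop: dropped from the chain
            if _in(hop, TRUSTED_PROXIES):
                proxies.insert(0, hop)    # known external proxy: recorded, keep walking
                continue
            client = hop                  # first address we did not add ourselves
            remaining = xff               # anything left of it is unverified; kept as-is
            break
        proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto == "https":
            scheme, port, secure = "https", https_port, True
        elif proto == "http":
            scheme, port, secure = "http", http_port, False
    return {"client": client, "scheme": scheme, "port": port, "secure": secure,
            "remaining_xff": remaining, "proxies": proxies}


if __name__ == "__main__":
    # Constructed requests.  1: a client talks to Tomcat directly and forges the header.
    print(resolve_client("203.0.113.5", {"X-Forwarded-For": "198.51.100.1",
                                         "X-Forwarded-Proto": "https"}))
    # 2: the same client, but arriving through httpd on the same host (127.0.0.1).
    print(resolve_client("127.0.0.1", {"X-Forwarded-For": "203.0.113.5",
                                       "X-Forwarded-Proto": "https"}))
    # 3: two proxies in front, the nearer one internal; the outer entry is not verified.
    print(resolve_client("127.0.0.1", {"X-Forwarded-For": "198.51.100.7, 203.0.113.5, 10.0.0.2"}))
```

Case 1 is the reason the valve's protection is only as good as the reachability of the HTTP connector: a request that reaches :8080 without passing through the web server gets neither SiteMinder nor trusted headers, so the connector should be bound to an address or firewalled so that only the proxy can reach it.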

RE: Tomcat connector settings

2016-05-02 Thread Michael Fox
Chris,

I ultimately want to have a Tomcat application protected  by our university's 
system for authentication, which is SiteMinder.  They have told me that they 
can't protect Tomcat directly, but if user communications can be passed through 
a web server then they can protect the server with SiteMinder.  I have a 
working Tomcat application if I uncomment the non-SSL HTTP/1.1 protocol in the 
Tomcat, but I believe I need all communication to pass through the Apache web 
server.  Let me know if you need more information and, if so, what that would 
be.

Thanks,
Mike

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, April 29, 2016 9:14 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat connector settings

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael,

On 4/29/16 4:25 PM, Michael Fox wrote:
> I have an Apache web server (2.4.6) which is accessible at http or 
> https at DNS_hostname, and a Tomcat server (9.0.0.M1) with an 
> application available at DNS_hostname:8080/app_name.
> 
> I then disabled the non-SSL HTTP/1.1 connector on port 8080 and 
> enabled HTTP/2 in the Tomcat server.xml, using the certificate key 
> file and certificate that were generated using the openssl (1.0.2g) 
> commands and used on the Apache web server.
> 
> The Apache ssl.conf file is set to listen on port 8443 for https, and 
> the only virtual host is set for IP_address:8443 and servername set to 
> DNS_hostname
> 
> In the file /etc/httpd/conf/workers.properties,
> worker.worker1.host is set to DNS_hostname and worker.worker1.port is 
> set to 8443.
> 
> Netstat -tamp shows httpd listening on port 8443 and java listening on 
> port 8009.
> 
> Are these settings proper and correct?

It doesn't look like it.

> What should the URL look like in order to access the Tomcat 
> application via Apache?

That depends upon what you are actually trying to do.

> Any help and/or guidance would be most appreciated.

You have an HTTPS server listening on port 443 (httpd).
You have mod_jk (workers.properties) configured to connect to
host:8443 (which is the same host listening for HTTPS requests on port
8443) using AJP13 (not HTTP). So, if a client makes a call to host:8443, mod_jk 
will proxy the request through to host:8443. If the protocol were correct (it 
isn't), you'd have an infinite loop of requests.

Can you explain what you are actually trying to do and maybe we can help?

-chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlckBuQACgkQ9CaO5/Lv0PCD7ACeK1EIVKHIImbX0XFqGgZrrnbe
Ng8Ani4YEpoSQO5ySueAGuTg+UrdAAYP
=3AaB
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat connector settings

2016-04-29 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michael,

On 4/29/16 4:25 PM, Michael Fox wrote:
> I have an Apache web server (2.4.6) which is accessible at http or 
> https at DNS_hostname, and a Tomcat server (9.0.0.M1) with an 
> application available at DNS_hostname:8080/app_name.
> 
> I then disabled the non-SSL HTTP/1.1 connector on port 8080 and 
> enabled HTTP/2 in the Tomcat server.xml, using the certificate key 
> file and certificate that were generated using the openssl (1.0.2g) 
> commands and used on the Apache web server.
> 
> The Apache ssl.conf file is set to listen on port 8443 for https,
> and the only virtual host is set for IP_address:8443 and servername
> set to DNS_hostname
> 
> In the file /etc/httpd/conf/workers.properties,
> worker.worker1.host is set to DNS_hostname and worker.worker1.port
> is set to 8443.
> 
> Netstat -tamp shows httpd listening on port 8443 and java
> listening on port 8009.
> 
> Are these settings proper and correct?

It doesn't look like it.

> What should the URL look like in order to access the Tomcat 
> application via Apache?

That depends upon what you are actually trying to do.

> Any help and/or guidance would be most appreciated.

You have an HTTPS server listening on port 443 (httpd).
You have mod_jk (workers.properties) configured to connect to
host:8443 (which is the same host listening for HTTPS requests on port
8443) using AJP13 (not HTTP). So, if a client makes a call to
host:8443, mod_jk will proxy the request through to host:8443. If the
protocol were correct (it isn't), you'd have an infinite loop of
requests.

Can you explain what you are actually trying to do and maybe we can help?

-chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlckBuQACgkQ9CaO5/Lv0PCD7ACeK1EIVKHIImbX0XFqGgZrrnbe
Ng8Ani4YEpoSQO5ySueAGuTg+UrdAAYP
=3AaB
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
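The two faults Chris spots in the original layout, a mod_jk worker pointed at the web server's own HTTPS listener (a request loop) and an AJP13 worker talking to a port that speaks TLS (a protocol mismatch), can be checked mechanically before anything is started. The checker below is an added example, not code from the thread or from any httpd or Tomcat tool; it uses the thread's placeholder hostname and ports, and its "fixed" layout follows the later HTTP reverse-proxy advice with Tomcat bound to loopback so that only the web server, where SiteMinder lives, can reach it.

```python
"""Sanity check of a web-server/Tomcat proxy layout, catching the two problems
pointed out above: a proxy target that is the proxy's own listener (a request
loop) and a proxy protocol that differs from what the target speaks.

Added example, not from the thread or any httpd/Tomcat tool.  Hosts and ports
are the placeholder values from the thread (DNS_hostname, 443, 8443, 8009, 8080).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    process: str    # "httpd" or "tomcat"
    host: str       # address the socket is bound to / reachable at
    port: int
    protocol: str   # "http", "https" or "ajp13"


@dataclass(frozen=True)
class ProxyRule:
    process: str      # the process doing the proxying
    target_host: str
    target_port: int
    protocol: str     # protocol the proxy speaks to the target


def lint(listeners, rules):
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings = []
    by_endpoint = {(l.host, l.port): l for l in listeners}
    for r in rules:
        where = f"{r.process} -> {r.target_host}:{r.target_port} ({r.protocol})"
        target = by_endpoint.get((r.target_host, r.target_port))
        if target is None:
            findings.append(f"dangling: {where} reaches nothing that is listening")
            continue
        if target.process == r.process:
            findings.append(f"loop: {where} is {r.process}'s own listener")
        if target.protocol != r.protocol:
            findings.append(f"protocol mismatch: {where} but that listener speaks {target.protocol}")
    return findings


def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False   # a DNS name: assume it is reachable from outside


def exposed_backends(listeners, backend_process="tomcat"):
    """Backend listeners reachable on a non-loopback address.  When authentication
    is enforced in the web server (the SiteMinder setup in this thread), a Tomcat
    connector that can be reached directly sidesteps it, so it should be bound to
    loopback or otherwise restricted to the proxy."""
    return [l for l in listeners if l.process == backend_process and not _is_loopback(l.host)]


# Constructed: the layout described in the first message (mod_jk worker -> host:8443).
ORIGINAL_LISTENERS = [
    Listener("httpd", "DNS_hostname", 443, "https"),
    Listener("httpd", "DNS_hostname", 8443, "https"),
    Listener("tomcat", "DNS_hostname", 8009, "ajp13"),
]
ORIGINAL_RULES = [ProxyRule("httpd", "DNS_hostname", 8443, "ajp13")]

# Constructed: the HTTP reverse-proxy layout the thread ends with, Tomcat on loopback.
FIXED_LISTENERS = [
    Listener("httpd", "DNS_hostname", 443, "https"),
    Listener("tomcat", "localhost", 8080, "http"),
]
FIXED_RULES = [ProxyRule("httpd", "localhost", 8080, "http")]

if __name__ == "__main__":
    for f in lint(ORIGINAL_LISTENERS, ORIGINAL_RULES) or ["no findings"]:
        print(f)
    print("exposed:", [f"{l.host}:{l.port}" for l in exposed_backends(ORIGINAL_LISTENERS)])
    print(lint(FIXED_LISTENERS, FIXED_RULES), exposed_backends(FIXED_LISTENERS))
```

Netstat output of the kind quoted in the thread (which process owns which port) is exactly the input `Listener` needs, and the proxy rules come from workers.properties or the ProxyPass lines, so the same check can be run against a real host's configuration.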



Tomcat connector settings

2016-04-29 Thread Michael Fox
I have an Apache web server (2.4.6) which is accessible at http or https at 
DNS_hostname, and a Tomcat server (9.0.0.M1) with an application available at 
DNS_hostname:8080/app_name.
I then disabled the non-SSL HTTP/1.1 connector on port 8080 and enabled HTTP/2 
in the Tomcat server.xml, using the certificate key file and certificate that were 
generated using the openssl (1.0.2g) commands and used on the Apache web server.
The Apache ssl.conf file is set to listen on port 8443 for https, and the only 
virtual host is set for IP_address:8443 and servername set to DNS_hostname
In the file /etc/httpd/conf/workers.properties, worker.worker1.host is set to 
DNS_hostname and worker.worker1.port is set to 8443.
Netstat -tamp shows httpd listening on port 8443 and java listening on port 
8009.
Are these settings proper and correct?
What should the URL look like in order to access the Tomcat application via 
Apache?
Any help and/or guidance would be most appreciated.

Mike