If your load balancer handles all of your SSL, you should not worry at all 
about secureEnabled (disable it) and it should all work like a champ.

On Sep 19, 2011, at 11:08 AM, Michael Molloy wrote:

> Unless I'm misunderstanding, I don't think this would apply since all SSL is 
> being handled at the load balancer, correct? I apologize, I think I 
> introduced that confusion at the beginning.
> 
> --Michael
> 
> On Sep 19, 2011, at 9:52 AM, Martin Strand wrote:
> 
>> Typically, when SSL is offloaded to an Apache proxy, that proxy should add a 
>> number of X-Forwarded-* headers to any requests sent to the backend.
>> The servlet container then uses those headers to set up request.scheme, 
>> request.secure, request.remoteAddr, etc so that they match the original 
>> request sent to the proxy.
>> 
>> With Jetty, all you have to do to support this is set forwarded=true on the 
>> connector in question.
>> I haven't used Tomcat for a long time, but this page seems to have the info 
>> you need:
>> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Basic_configuration_to_handle_'x-forwarded-for'_and_'x-forwarded-proto'
>> 
>> 
>> On the Apache side, mod_proxy automatically adds these headers:
>> X-Forwarded-For     (original IP)
>> X-Forwarded-Host    (original Host header)
>> X-Forwarded-Server  (proxy IP)
>> ( see http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers )
>> 
>> But you need to add X-Forwarded-Proto manually, using mod_headers:
>> RequestHeader set X-Forwarded-Proto https env=HTTPS
>> RequestHeader set X-Forwarded-Proto http env=!HTTPS
>> 
>> 
>> Once this is done, and Tomcat is configured to take these headers into 
>> account, you won't need to fiddle around with any BaseURLSource since the 
>> webapp will be able to get all the info it needs directly from the Request 
>> object.
>> 
>> If you happen to be using an old version of Jetty or Tomcat, where there is 
>> no support for X-Forwarded-* headers, you can use this servlet filter 
>> instead:
>> http://code.google.com/p/xebia-france/wiki/XForwardedFilter
>> 
>> Martin
>> 
>> On Mon, 19 Sep 2011 16:29:17 +0200, Michael Molloy <tapestrya...@gmail.com> 
>> wrote:
>> 
>>> Unfortunately, the Apache expert is no longer here. Does the following code 
>>> from my tomcat server.xml file answer your question? I don't think we're 
>>> using AJP or anything else. It looks to me like the Apache server is just 
>>> sending it to Tomcat over port 8080.
>>> 
>>> <Connector port="8080" maxHttpHeaderSize="8192"
>>>              maxThreads="350" minSpareThreads="25" maxSpareThreads="75"
>>>              enableLookups="false" redirectPort="8443" acceptCount="100"
>>>              connectionTimeout="20000" disableUploadTimeout="true" >
>>> 
>>>    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>>>        allow="xxxxxxxxxxxx" deny=""/>
>>> 
>>>   </Connector>
>>> 
>>> 
>>> The corresponding line from the apache httpd.conf file is
>>> 
>>> BalancerMember http://xxx.xxx.xxx.xxx:8080 loadfactor=50 route=APP01 timeout=60
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
>> 
> 
> 
> 
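
The Tomcat side of the setup Martin Strand describes above, as an added example that is not part of the original thread: a server.xml fragment using Tomcat's RemoteIpValve (the valve counterpart of the filter on the linked Tomcat page) so that X-Forwarded-For and X-Forwarded-Proto are honoured only when the connection comes from the proxy. The address 10.0.0.5 and the Engine/Host names are constructed placeholders, and a Tomcat version that ships RemoteIpValve is assumed.

```xml
<!-- Added example, not from the thread. 10.0.0.5 is a placeholder for the
     address of the Apache proxy / load balancer that terminates SSL. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Plain HTTP connector that the proxy's BalancerMember points at. -->
    <Connector port="8080" connectionTimeout="20000" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">

        <!-- internalProxies is a regular expression matched against the TCP
             peer address. Only when it matches does the valve rewrite
             remoteAddr from X-Forwarded-For and scheme/secure from
             X-Forwarded-Proto. Requests from any other address keep the
             values the connector saw, so a client that reaches port 8080
             directly cannot claim to be "https" or spoof its IP. -->
        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="10\.0\.0\.5"
               remoteIpHeader="x-forwarded-for"
               protocolHeader="x-forwarded-proto"
               protocolHeaderHttpsValue="https" />

      </Host>
    </Engine>
  </Service>
</Server>
```

On the Apache side, the `RequestHeader set` lines quoted above overwrite any X-Forwarded-Proto value a client sends, which is what makes the header trustworthy once Tomcat accepts it only from the proxy.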

