I understand what you say, but I need to go through apache to get into my tomcat, and if I just implement a "redirect" to the port :8443, the apache tells me that I need to use a SSLCertificateKeyFile, how can I configure the apache as a proxy to tomcat without specifying a SSLCertificateKeyFile?
#<VirtualHost *:443> # ServerAdmin ad...@gmail.com # ServerName localhost:443 # SSLProxyEngine on # SSLEngine on # SSLCertificateFile "c:/usr/SSL/eduhost.crt" # SSLCertificateKeyFile "c:/usr/SSL/eduhost.key" # ProxyPass / https://localhost:8443/ # ProxyPassReverse / https://localhost:8443/ # SSLVerifyClient none #</VirtualHost> On Fri, Sep 28, 2012 at 2:52 PM, malibo8...@gmail.com <malibo8...@gmail.com>wrote: > actually, there is no news to configure SSL both in Apache and tomcat. just > one side is okay. Apache or tomcat. > 在 2012-9-28 下午2:01,"Martin Gainty" <mgai...@hotmail.com>写道: > > > > > you'll need to configure Apache mod_ssl to implement either Basic or > > SSLRequire authentication > > http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients > > > > with regards to external hosts i would suggest you deny all and allow > > secure access to only TC host to the secure folder of apache > > > > Buena Suerte, > > Martin > > ______________________________________________ > > Porfavor..no altere ni interrumptir esta communicacion..Gracias > > > > > > > From: joan....@gmail.com > > > Date: Fri, 28 Sep 2012 13:20:05 +0200 > > > Subject: Security issue regarding JSESSIONID cookie > > > To: users@tomcat.apache.org > > > > > > Hi, > > > > > > I have a security issue (hijack session) with JSESSIONID cookie, > > > > > > here is the problem: > > > > > > I am using an architecture with an Apache2 server in front of Tomcat, > I > > > have configured the SSL in both sides Apache(ssl_module) and > > > Tomcat(Conectors JSSE), > > > > > > 1) I tried using a connectio via AJP protocol to connect between > Apache2 > > > and Tomcat using the following configuration on the server.xml: > > > > > > APACHE(httpd) > > > via HTTP/HTTPS > > > <VirtualHost *:80> > > > ProxyPass / http://localhost:8080/ <http://educaixahost:8080/> > > > ProxyPassReverse / http://localhost:8080/ < > http://educaixahost:8080/> > > > </VirtualHost> > > > > > > via AJP > > > <VirtualHost *:80> > > > ProxyPass / ajp://localhost:8009/ <http://educaixahost:8080/> > > > ProxyPassReverse / ajp://localhost:8009/ <http://educaixahost:8080/ > > > > > </VirtualHost> > > > > > > <VirtualHost *:443> > > > ServerAdmin ad...@mail.com > > > ServerName localhost:443 > > > SSLProxyEngine on > > > SSLEngine on > > > SSLCertificateFile "c:/usr/SSL/name.crt" > > > SSLCertificateKeyFile "c:/usr/SSL/name.key" > > > ProxyPass / https://localhost:8443/ > > > ProxyPassReverse / https://localhost:8443/ > > > </VirtualHost> > > > > > > Tomcat (server.xml) > > > > > > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080" > > > protocol="HTTP/1.1" redirectPort="8443" secure="true"/> > > > <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" > > > redirectPort="8443" scheme="https" secure="true"/> > > > > > > Results for this solution: > > > I still can get the JSESSIONID cookie > > > > > > 2) I tried using the HTTP/S protocol to connect between Apache2 and > > > tomcat using the following configurationl: > > > > > > Apache: > > > Same configuration > > > > > > Tomcat (server.xml): > > > > > > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080" > > > protocol="HTTP/1.1" redirectPort="8443"/> > > > > > > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" > > > maxThreads="150" scheme="https" secure="true" > > > keystoreFile="path/name.keystore" keystorePass="password" > > > clientAuth="false" sslProtocol="TLS" /> > > > > > > I also added this on the web.xml: > > > > > > <session-config> > > > <session-timeout>30</session-timeout> > > > <tracking-mode>SSL</tracking-mode> > > > </session-config> > > > > > > Results for this solution: > > > > > > The JSESSIONID cookie disappears OK > > > Everything works OK if I access directly to the tomcat and bypass the > > > apache, (localhost:8443), I can login into the web page and keep the > > > seesion in every link inside the app > > > > > > but, when try to access trought the Apache in https in port 443 , ( > > > https://localhost:443 <https://localhost/>), I can login the first > time > > but > > > when I try to access somewhere else in the app I lose the user session > > and > > > the app log me out, I checked over the logs and there are no error > > neither > > > in apache nor tomcat > > > > > > So, Is this solution implementable under this architecture? > > > Am I missing some configurations? > > > > > > Thanks and regards, > > > Joan Morales > > >
