Yes, just use all the static configuration on Apache servers, including
requests via 80,443, and afterward, redirect them to the backend (your
Tomcat server). I think it should be okay what you mentioned of SSL
configuration.
On 2012-9-28 at 3:18 PM, "Joan Morales" <joan....@gmail.com> wrote:

> I understand what you say, but I need to go through apache to get into my
> tomcat, and if I just implement a "redirect" to the port :8443, the apache
> tells me that I need to use a SSLCertificateKeyFile, how can I configure
> the apache as a proxy to tomcat without specifying a SSLCertificateKeyFile?
>
> #<VirtualHost *:443>
> # ServerAdmin ad...@gmail.com
> # ServerName localhost:443
> # SSLProxyEngine on
> # SSLEngine on
> # SSLCertificateFile "c:/usr/SSL/eduhost.crt"
> # SSLCertificateKeyFile "c:/usr/SSL/eduhost.key"
> # ProxyPass / https://localhost:8443/
> # ProxyPassReverse / https://localhost:8443/
> # SSLVerifyClient none
> #</VirtualHost>
>
> On Fri, Sep 28, 2012 at 2:52 PM, malibo8...@gmail.com
> <malibo8...@gmail.com> wrote:
>
> > actually, there is no news to configure SSL both in Apache and tomcat. just
> > one side is okay. Apache or tomcat.
> > On 2012-9-28 at 2:01 PM, "Martin Gainty" <mgai...@hotmail.com> wrote:
> >
> > >
> > > you'll need to configure Apache mod_ssl to implement either Basic or
> > > SSLRequire authentication
> > > http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients
> > >
> > > with regards to external hosts I would suggest you deny all and allow
> > > secure access to only TC host to the secure folder of apache
> > >
> > > Good luck,
> > > Martin
> > > ______________________________________________
> > > Please..do not alter or interrupt this communication..Thanks
> > >
> > >
> > > > From: joan....@gmail.com
> > > > Date: Fri, 28 Sep 2012 13:20:05 +0200
> > > > Subject: Security issue regarding JSESSIONID cookie
> > > > To: users@tomcat.apache.org
> > > >
> > > > Hi,
> > > >
> > > > I have a security issue (hijack session) with JSESSIONID cookie,
> > > >
> > > > here is the problem:
> > > >
> > > > I am using an architecture with an Apache2 server in front of Tomcat, I
> > > > have configured the SSL in both sides Apache(ssl_module) and
> > > > Tomcat(Connectors JSSE),
> > > >
> > > > 1)  I tried using a connection via AJP protocol to connect between Apache2
> > > > and Tomcat using the following configuration on the server.xml:
> > > >
> > > > APACHE(httpd)
> > > > via HTTP/HTTPS
> > > > <VirtualHost *:80>
> > > >    ProxyPass / http://localhost:8080/
> > > >    ProxyPassReverse / http://localhost:8080/
> > > > </VirtualHost>
> > > >
> > > > via AJP
> > > > <VirtualHost *:80>
> > > >    ProxyPass / ajp://localhost:8009/
> > > >    ProxyPassReverse / ajp://localhost:8009/
> > > > </VirtualHost>
> > > >
> > > > <VirtualHost *:443>
> > > >    ServerAdmin ad...@mail.com
> > > >    ServerName localhost:443
> > > >    SSLProxyEngine on
> > > >    SSLEngine on
> > > >    SSLCertificateFile "c:/usr/SSL/name.crt"
> > > >    SSLCertificateKeyFile "c:/usr/SSL/name.key"
> > > >    ProxyPass / https://localhost:8443/
> > > >    ProxyPassReverse / https://localhost:8443/
> > > > </VirtualHost>
> > > >
> > > > Tomcat (server.xml)
> > > >
> > > > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> > > > protocol="HTTP/1.1" redirectPort="8443" secure="true"/>
> > > > <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3"
> > > > redirectPort="8443" scheme="https" secure="true"/>
> > > >
> > > > Results for this solution:
> > > > I still can get the JSESSIONID cookie
> > > >
> > > > 2)  I tried using the HTTP/S protocol to connect between Apache2 and
> > > > tomcat using the following configuration:
> > > >
> > > > Apache:
> > > > Same configuration
> > > >
> > > > Tomcat (server.xml):
> > > >
> > > > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> > > > protocol="HTTP/1.1" redirectPort="8443"/>
> > > >
> > > > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> > > >        maxThreads="150" scheme="https" secure="true"
> > > >        keystoreFile="path/name.keystore" keystorePass="password"
> > > >        clientAuth="false" sslProtocol="TLS" />
> > > >
> > > > I also added this on the web.xml:
> > > >
> > > > <session-config>
> > > >         <session-timeout>30</session-timeout>
> > > >         <tracking-mode>SSL</tracking-mode>
> > > > </session-config>
> > > >
> > > > Results for this solution:
> > > >
> > > > The JSESSIONID cookie disappears OK
> > > > Everything works OK if I access directly to the tomcat and bypass the
> > > > apache, (localhost:8443), I can login into the web page and keep the
> > > > session in every link inside the app
> > > >
> > > > but, when try to access through the Apache in https in port 443 , (
> > > > https://localhost:443), I can login the first time but
> > > > when I try to access somewhere else in the app I lose the user session and
> > > > the app log me out, I checked over the logs and there are no error neither
> > > > in apache nor tomcat
> > > >
> > > > So, Is this solution implementable under this architecture?
> > > > Am I missing some configurations?
> > > >
> > > > Thanks and regards,
> > > > Joan Morales
> > >
> >
>
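
The setup the top reply describes (TLS terminated once at Apache, Tomcat reached over a local connector), written out as an added example that is not from any poster in the thread; the certificate paths and ports are the ones quoted above, and the Tomcat fragments in the comments are assumptions about the backend. With `tracking-mode` SSL the session is bound to the TLS session Tomcat itself sees, which behind a proxy is Apache's connection rather than the browser's, so this sketch tracks the session with a Secure, HttpOnly cookie instead.

```apache
# Added example, not from the thread. Needs mod_ssl, mod_proxy, mod_proxy_ajp.

# Port 80: serve nothing, only send the browser to HTTPS so the session
# cookie is never requested over clear text.
<VirtualHost *:80>
    ServerName localhost
    Redirect permanent / https://localhost/
</VirtualHost>

# Port 443: Apache is the only TLS endpoint, so it has to hold the
# certificate and its private key.
<VirtualHost *:443>
    ServerName localhost
    SSLEngine on
    SSLCertificateFile    "c:/usr/SSL/eduhost.crt"
    SSLCertificateKeyFile "c:/usr/SSL/eduhost.key"

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    # AJP tells Tomcat the original request was HTTPS, so there is no
    # SSLProxyEngine and no second TLS hop to :8443.
    ProxyPass        / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>

# Tomcat side (assumed; shown as comments because it lives in other files).
#
# server.xml: bind AJP to loopback so only the local Apache can reach it;
# the 8443 connector and its keystore are no longer needed.
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              URIEncoding="UTF-8" redirectPort="443"/>
#
# web.xml (Servlet 3.0): track the session with a cookie that is sent only
# over HTTPS and is not readable from script.
#   <session-config>
#     <session-timeout>30</session-timeout>
#     <cookie-config>
#       <http-only>true</http-only>
#       <secure>true</secure>
#     </cookie-config>
#     <tracking-mode>COOKIE</tracking-mode>
#   </session-config>
```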
