That is NOT what the OP asked for.

If the OP is implementing SSL via her FE Apache, then she needs to implement and
configure mod_ssl on that FE Apache server.

You need to understand what the OP's environment is before criticising the
solution.
Martin
______________________________________________ 
Disclaimer and Confidentiality Note

This message is confidential. If you are not the intended recipient, we kindly
ask you to notify us. Any unauthorised forwarding or copying is not permitted.
This message serves only to exchange information and has no legally binding
effect. Because e-mails can easily be manipulated, we cannot accept liability
for their content.
> Date: Fri, 28 Sep 2012 20:52:14 +0800
> Subject: RE: Security issue regarding JSESSIONID cookie
> From: malibo8...@gmail.com
> To: users@tomcat.apache.org
> 
> Actually, there is no need to configure SSL in both Apache and Tomcat. Just
> one side is okay, Apache or Tomcat.
> On 2012-9-28 2:01 PM, "Martin Gainty" <mgai...@hotmail.com> wrote:
> 
> >
> > You'll need to configure Apache mod_ssl to implement either Basic or
> > SSLRequire authentication:
> > http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients
> >
> > With regard to external hosts, I would suggest you deny all and allow
> > secure access to the secure folder of Apache only for the TC host.
> >
> > Good luck,
> > Martin
> > ______________________________________________
> > Please do not alter or interrupt this communication. Thank you.
> >
> >
> > > From: joan....@gmail.com
> > > Date: Fri, 28 Sep 2012 13:20:05 +0200
> > > Subject: Security issue regarding JSESSIONID cookie
> > > To: users@tomcat.apache.org
> > >
> > > Hi,
> > >
> > > I have a security issue (session hijack) with the JSESSIONID cookie;
> > >
> > > here is the problem:
> > >
> > > I am using an architecture with an Apache2 server in front of Tomcat. I
> > > have configured SSL on both sides, Apache (ssl_module) and Tomcat (JSSE
> > > connectors).
> > >
> > > 1)  I tried using a connection via the AJP protocol between Apache2 and
> > > Tomcat, using the following configuration in server.xml:
> > >
> > > Apache (httpd)
> > >
> > > via HTTP/HTTPS
> > > <VirtualHost *:80>
> > >     ProxyPass / http://localhost:8080/
> > >     ProxyPassReverse / http://localhost:8080/
> > > </VirtualHost>
> > >
> > > via AJP
> > > <VirtualHost *:80>
> > >     ProxyPass / ajp://localhost:8009/
> > >     ProxyPassReverse / ajp://localhost:8009/
> > > </VirtualHost>
> > >
> > > <VirtualHost *:443>
> > >     ServerAdmin ad...@mail.com
> > >     ServerName localhost:443
> > >     SSLProxyEngine on
> > >     SSLEngine on
> > >     SSLCertificateFile "c:/usr/SSL/name.crt"
> > >     SSLCertificateKeyFile "c:/usr/SSL/name.key"
> > >     ProxyPass / https://localhost:8443/
> > >     ProxyPassReverse / https://localhost:8443/
> > > </VirtualHost>
> > >
> > > Tomcat (server.xml)
> > >
> > > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> > > protocol="HTTP/1.1" redirectPort="8443" secure="true"/>
> > > <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3"
> > > redirectPort="8443" scheme="https" secure="true"/>
> > >
> > > Results for this solution:
> > > I can still get the JSESSIONID cookie.
> > >
> > > 2)  I tried using the HTTP/S protocol between Apache2 and Tomcat, using
> > > the following configuration:
> > >
> > > Apache:
> > > Same configuration
> > >
> > > Tomcat (server.xml):
> > >
> > > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> > > protocol="HTTP/1.1" redirectPort="8443"/>
> > >
> > > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> > >        maxThreads="150" scheme="https" secure="true"
> > >        keystoreFile="path/name.keystore" keystorePass="password"
> > >        clientAuth="false" sslProtocol="TLS" />
> > >
> > > I also added this in web.xml:
> > >
> > > <session-config>
> > >     <session-timeout>30</session-timeout>
> > >     <tracking-mode>SSL</tracking-mode>
> > > </session-config>
> > >
> > > Results for this solution:
> > >
> > > The JSESSIONID cookie disappears, OK.
> > > Everything works OK if I access Tomcat directly and bypass Apache
> > > (localhost:8443): I can log in to the web page and keep the session on
> > > every link inside the app.
> > >
> > > But when I try to access through Apache over https on port 443
> > > (https://localhost:443), I can log in the first time, but when I try to
> > > access somewhere else in the app I lose the user session and the app logs
> > > me out. I checked the logs and there are no errors in either Apache or
> > > Tomcat.
> > >
> > > So, is this solution implementable under this architecture?
> > > Am I missing some configuration?
> > >
> > > Thanks and regards,
> > > Joan Morales
> >
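Added example, not from the thread and not from either poster: the web.xml session-config from the second setup above, beside the cookie-based configuration that keeps the JSESSIONID cookie but hardens it. It assumes Tomcat 7 / Servlet 3.0 (the same level of web.xml that accepts <tracking-mode>); the two <session-config> elements are a before/after pair, not meant to sit in one file. The reason the SSL tracking mode works on localhost:8443 but not through Apache is that it keys the HTTP session on the TLS session ID, and with Apache terminating TLS in front, Tomcat only ever sees the Apache-to-Tomcat TLS session, not the browser's.

```xml
<!-- Added example (not from the thread). Assumes Tomcat 7 / Servlet 3.0. -->

<!-- Before: the second setup in the thread. The session is keyed on the TLS
     session ID, so it only holds when the client negotiates TLS directly with
     Tomcat (localhost:8443). Behind Apache, the TLS session Tomcat sees is the
     proxy-to-Tomcat one, so the session is lost on the next request. -->
<session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>SSL</tracking-mode>
</session-config>

<!-- After: keep the JSESSIONID cookie, but make it unusable over plain HTTP
     (Secure) and unreadable from script (HttpOnly), and stop Tomcat from
     falling back to ;jsessionid= in URLs by allowing COOKIE tracking only.
     Tomcat adds the Secure attribute on its own only when request.isSecure()
     is true, which through the proxy depends on secure="true" on the 8080/8009
     connector from the first setup; <secure>true</secure> here forces it
     regardless of which connector the request arrived on. -->
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <name>JSESSIONID</name>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

With the second block in place, the cookie is still visible in the browser's cookie store (that is by design), but it is never sent over http:// and cannot be read by injected script; whether the Set-Cookie header actually carries both attributes through the proxy is the thing to check in the response headers.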