Jeffrey,

On 6/17/15 2:08 PM, Jeffrey Janner wrote:
> I’ve been deploying letting Tomcat do it all when it came to
> connectors and SSL, with the app forcing everything to SSL in the
> <security-constraints> section. Now I’m setting up a haproxy
> front-end that will both terminate the SSL and take care of the
> redirect from HTTP to HTTPS for me and tomcat only running a
> standard HTTP port on 8080.
>
> So my question is, is it still important for the app to know that
> it is operating “secure”, and if so, what settings are a must?

I would say that Tomcat knowing that it's in "secure" mode is
important. If for no other reason than the URLs your webapp generates
ought to be sensitive to the protocol being used.

> Here is the old setup:
>
> SERVER.XML:
>
> <Service name="Catalina">
>
> <Connector address="${IP_ADDRESS}" port="80"
>            maxHttpHeaderSize="8192"
>            maxThreads="50" enableLookups="false" redirectPort="443"
>            acceptCount="100"
>            connectionTimeout="20000" disableUploadTimeout="true"
>            compression="on"
>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>            />
>
> <Connector address="${IP_ADDRESS}" port="443"
>            maxHttpHeaderSize="8192"
>            maxThreads="150" enableLookups="false" acceptCount="100"
>            connectionTimeout="20000" disableUploadTimeout="true"
>            compression="on"
>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>            scheme="https" secure="true" SSLEnabled="true"

If you are still going to connect haproxy -> Tomcat using port 443,
then this configuration should still work. Tomcat will be in "secure"
mode, but you won't have access to the original SSL information, at
least not directly in the usual ways.

> Here is the new setup:
>
> SERVER.XML:
>
> <Service name="Catalina">
>
> <Connector port="${tomcatPort}" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="8443" />

You should probably set protocol="https" and secure="true". You don't
need redirectPort if this is the connector that handles incoming
connections from haproxy.

-chris
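The following is an added check, written for this page; it is not code from the thread, from Chris, or from the Tomcat project. It encodes the point above in a form you can run against a server.xml: when haproxy terminates TLS and hands Tomcat plain HTTP, Tomcat only reports `request.isSecure()` / `request.getScheme()` correctly if either the connector is hard-wired with `scheme="https" secure="true"` (the attribute that sets the scheme is `scheme`; `protocol` selects the connector implementation), ideally with `proxyPort="443"` so redirects and generated URLs carry the proxy's port, or a `RemoteIpValve` reads the proxy's `X-Forwarded-Proto` header per request. The valve alternative is not raised in the thread; the three server.xml strings are constructed for the example, and port 8080, the loopback bind address and the proxy address are assumptions.

```python
"""Check a Tomcat server.xml whose plain-HTTP connector sits behind a
TLS-terminating proxy (the haproxy set-up discussed in the thread above).

Added example, not code from the thread or from Tomcat. Tomcat can learn
that a proxied request arrived over HTTPS in two ways: (a) hard-wire the
connector with scheme="https" secure="true" plus proxyPort="443", or
(b) add a RemoteIpValve that reads the proxy's X-Forwarded-Proto header.
The server.xml strings below are constructed; port 8080 and the loopback
bind/proxy addresses are assumptions.
"""
import xml.etree.ElementTree as ET

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"


def _is_true(value):
    return (value or "").strip().lower() == "true"


def lint_behind_tls_proxy(server_xml, proxy_port="443"):
    """Return a list of findings; an empty list means the config is secure-aware."""
    root = ET.fromstring(server_xml)
    findings = []
    # Option (b): a RemoteIpValve reading a protocol header covers every
    # connector, so the per-connector attributes become optional.
    valve_present = any(
        v.get("className") == REMOTE_IP_VALVE and v.get("protocolHeader")
        for v in root.iter("Valve")
    )
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if (conn.get("protocol") or "").upper().startswith("AJP"):
            continue  # AJP carries the scheme in-band; out of scope here
        if _is_true(conn.get("SSLEnabled")):
            continue  # Tomcat terminates TLS itself and already knows
        secure = _is_true(conn.get("secure"))
        scheme = conn.get("scheme", "http")  # Tomcat's default scheme
        if not valve_present:
            # Option (a) is the only remaining way to be secure-aware.
            if not secure:
                findings.append(
                    f'port {port}: secure="true" missing; request.isSecure() is '
                    'false, so CONFIDENTIAL security-constraints redirect to '
                    'redirectPort and the session cookie is not flagged Secure')
            if scheme != "https":
                findings.append(
                    f'port {port}: scheme="https" missing; request.getScheme() '
                    'and absolute URLs Tomcat builds say http://')
            if secure and scheme == "https" and conn.get("proxyPort") != proxy_port:
                findings.append(
                    f'port {port}: proxyPort="{proxy_port}" missing; redirects '
                    f'will carry :{port} instead of the proxy port')
        if secure:
            if conn.get("redirectPort"):
                findings.append(
                    f'port {port}: redirectPort is unnecessary on a connector '
                    'already marked secure; nothing is ever redirected')
            if not conn.get("address"):
                findings.append(
                    f'port {port}: secure="true" is unconditional and the '
                    'connector binds every interface, so a client that bypasses '
                    'the proxy over plain HTTP is also treated as secure')
    return findings


# Constructed inputs: the connector as posted, and two corrected variants.
NEW_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service></Server>"""

FIXED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             scheme="https" secure="true" proxyPort="443" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service></Server>"""

VALVE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" />
  <Engine name="Catalina" defaultHost="localhost">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           internalProxies="127\\.0\\.0\\.1" />
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("as posted", NEW_SERVER_XML),
                       ("hard-wired secure", FIXED_SERVER_XML),
                       ("RemoteIpValve", VALVE_SERVER_XML)):
        print(f"{label}: {lint_behind_tls_proxy(xml) or 'OK'}")
```

The "as posted" connector yields two findings (no `secure`, no `scheme`), and both corrected variants pass. The hard-wired form is the simpler one, but it marks every request on that connector as secure, so keep the connector bound to an address only haproxy can reach; the valve form is the one to use if anything other than the proxy can hit port 8080, because it trusts `X-Forwarded-Proto` only from the addresses listed in `internalProxies`.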