Jeffrey,

On 6/17/15 2:08 PM, Jeffrey Janner wrote:
> I’ve been deploying, letting Tomcat do it all when it came to
> connectors and SSL, with the app forcing everything to SSL in the
> <security-constraints> section.  Now I’m setting up a haproxy
> front-end that will both terminate the SSL and take care of the
> redirect from HTTP to HTTPS for me, with Tomcat only running a
> standard HTTP port on 8080.
> 
> So my question is: is it still important for the app to know that
> it is operating “secure”, and if so, what settings are a must?

I would say that Tomcat knowing that it's in "secure" mode is
important, if for no other reason than that the URLs your webapp
generates ought to be sensitive to the protocol being used.

> Here is the old setup:
> 
> SERVER.XML:
> 
> <Service name="Catalina">
> 
> <Connector address="${IP_ADDRESS}" port="80" maxHttpHeaderSize="8192"
>            maxThreads="50" enableLookups="false" redirectPort="443"
>            acceptCount="100" connectionTimeout="20000"
>            disableUploadTimeout="true" compression="on"
>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>            />
> 
> <Connector address="${IP_ADDRESS}" port="443" maxHttpHeaderSize="8192"
>            maxThreads="150" enableLookups="false" acceptCount="100"
>            connectionTimeout="20000" disableUploadTimeout="true"
>            compression="on"
>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>            scheme="https" secure="true" SSLEnabled="true"
>            />

If you are still going to connect haproxy -> Tomcat using port 443,
then this configuration should still work. Tomcat will be in "secure"
mode, but you won't have access to the original SSL information, at
least not directly in the usual ways.

> Here is the new setup:
> 
> SERVER.XML:
> 
> <Service name="Catalina">
> 
> <Connector port="${tomcatPort}" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="8443" />

You should probably set protocol="https" and secure="true". You don't
need redirectPort if this is the connector that handles incoming
connections from haproxy.

-chris
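A server.xml fragment for the haproxy-fronted setup, added here as an illustration rather than taken from the thread: it keeps the thread's ${tomcatPort} placeholder, reuses the scheme="https" secure="true" attributes from the old port-443 connector, and assumes 10.0.0.5 as the haproxy address. It also goes one step beyond the thread by showing RemoteIpValve, which derives the scheme per request from the proxy's X-Forwarded-Proto header instead of hard-coding it.

```xml
<!-- Added example (not from the thread). Placeholders: ${tomcatPort} is the
     thread's own property; 10.0.0.5 is an assumed haproxy address. -->
<Service name="Catalina">

  <!-- Before: the plain HTTP connector from the "new setup". Tomcat treats
       every request as insecure: request.isSecure() is false, absolute URLs
       it generates use http://, and a CONFIDENTIAL security-constraint
       redirects to redirectPort 8443, which haproxy never forwards to.
  <Connector port="${tomcatPort}" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />
  -->

  <!-- After, option A: tell Tomcat statically that the link is secure.
       scheme/secure come from the old 443 connector; SSLEnabled is dropped
       (haproxy terminates TLS) and so is redirectPort (nothing arrives on
       plain HTTP that needs redirecting). proxyPort makes generated URLs
       carry the public port instead of ${tomcatPort}. This is only correct
       if the sole route to this port is through haproxy. -->
  <Connector port="${tomcatPort}" protocol="HTTP/1.1"
             connectionTimeout="20000"
             scheme="https" secure="true"
             proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- After, option B: let Tomcat derive scheme/secure per request from
         the X-Forwarded-Proto header haproxy sets, which also allows the
         same connector to serve a plain HTTP listener. With this valve the
         static scheme/secure attributes above become unnecessary.
         internalProxies must match only the haproxy address; a broader
         pattern would let any client mark its own request as https. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.5"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

With either option a `<user-data-constraint>` of CONFIDENTIAL is satisfied by the proxied request rather than triggering a redirect loop, and `HttpServletRequest.isSecure()` returns true.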
