Jeff,

On 6/23/15 3:24 PM, Jeffrey Janner wrote:
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Thursday, June 18, 2015 8:59 AM
>> To: Tomcat Users List
>> Subject: Re: Settings when SSL terminates on the front-end
>> 
>> Jeffrey,
>> 
>> On 6/17/15 2:08 PM, Jeffrey Janner wrote:
>>> I’ve been deploying letting Tomcat do it all when it came to
>>> connectors and SSL, with the app forcing everything to SSL in
>>> the <security-constraints> section.  Now I’m setting up a
>>> haproxy front-end that will both terminate the SSL and take
>>> care of the redirect from HTTP to HTTPS for me, and Tomcat only
>>> running a standard HTTP port on 8080.
>>> 
>>> So my question is, is it still important for the app to know
>>> that it is operating “secure”, and if so, what settings are a
>>> must?
>> 
>> I would say that Tomcat knowing that it's in "secure" mode is 
>> important. If for no other reason than the URLs your webapp
>> generates ought to be sensitive to the protocol being used.
>> 
>>> Here is the old setup:
>>> 
>>> SERVER.XML:
>>> 
>>> <Service name="Catalina">
>>> 
>>> <Connector address="${IP_ADDRESS}" port="80"
>>>            maxHttpHeaderSize="8192"
>>>            maxThreads="50" enableLookups="false" redirectPort="443"
>>>            acceptCount="100"
>>>            connectionTimeout="20000" disableUploadTimeout="true"
>>>            compression="on"
>>>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>>> />
>>> 
>>> <Connector address="${IP_ADDRESS}" port="443"
>>>            maxHttpHeaderSize="8192"
>>>            maxThreads="150" enableLookups="false" acceptCount="100"
>>>            connectionTimeout="20000" disableUploadTimeout="true"
>>>            compression="on"
>>>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
>>>            scheme="https" secure="true" SSLEnabled="true"
>> 
>> If you are still going to connect haproxy -> Tomcat using port
>> 443, then this configuration should still work. Tomcat will be in
>> "secure" mode, but you won't have access to the original SSL
>> information, at least not directly in the usual ways.
>> 
>>> Here is the new setup:
>>> 
>>> SERVER.XML:
>>> 
>>> <Service name="Catalina">
>>> 
>>> <Connector port="${tomcatPort}" protocol="HTTP/1.1"
>>>            connectionTimeout="20000"
>>>            redirectPort="8443" />
>> 
>> You should probably set protocol="https" and secure="true". You
>> don't need redirectPort if this is the connector that handles
>> incoming connections from haproxy.
>> 
> 
> Thanks for the commentary Chris. Just one thing, the proxy <-->
> tomcat connection is expected to be http (8080), not https. From
> paying attention over the years, I think I'm supposed to set
> secure="true" on the one and only http connector in the current
> setup. That is what I am looking to verify.

Yup: create one connector for non-secure and another for secure.
Something like this:

client ->  :80 httpd -> :1234 tomcat <Connector secure="false"
client -> :443 httpd -> :4321 tomcat <Connector secure="true"

For the secure="false" connector, you'll want to have a redirectPort
configured (likely set to "443"), which I believe is the default. It's
not a bad idea to have this port set to indicate that you expect
redirects-to-secure to occur, here.

For the secure="true" <Connector>, you'll also want to set scheme="https".

- -chris
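The two-connector layout Chris sketches, written out as a server.xml fragment. This is an added example, not a configuration posted in the thread; ports 1234/4321 and ${IP_ADDRESS} are taken from the messages above, and the proxyPort attribute is an addition of this example so that generated URLs carry the proxy's public port rather than Tomcat's.

```xml
<!-- Example: haproxy/httpd terminates TLS and proxies
     client :80  -> tomcat :1234 (plain HTTP, "non-secure")
     client :443 -> tomcat :4321 (decrypted by the proxy, "secure") -->
<Service name="Catalina">

  <!-- Traffic the proxy accepted on its public :80.
       secure="false" is the default and is spelled out here.
       redirectPort is the PUBLIC port Tomcat sends clients to when a
       <security-constraint> with CONFIDENTIAL demands HTTPS: the
       proxy's 443, not 1234 or 4321. -->
  <Connector address="${IP_ADDRESS}" port="1234" protocol="HTTP/1.1"
             connectionTimeout="20000"
             secure="false" scheme="http"
             redirectPort="443" />

  <!-- Traffic the proxy accepted on its public :443 and already
       decrypted. No SSLEnabled/keystore: the proxy-to-Tomcat hop is
       plain HTTP. secure="true" makes request.isSecure() return true
       and scheme="https" makes request.getScheme() return "https",
       so redirects and URLs the webapp builds use https://.
       proxyPort (assumed, not from the thread) makes
       request.getServerPort() report 443 instead of 4321. -->
  <Connector address="${IP_ADDRESS}" port="4321" protocol="HTTP/1.1"
             connectionTimeout="20000"
             secure="true" scheme="https"
             proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

Since the 4321 connector trusts the proxy's routing rather than any TLS state of its own, it should only be reachable from the proxy (address binding and host firewall), or any direct client could reach it and be treated as "secure".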