Chris,

Thanks for your explanations and help!

Please confirm that to configure the passthrough with an external HTTPS and an 
internal HTTP, I would set Apache to listen to SSL on port 8443 and Tomcat on 
port 8080, with a line inside the Virtual Host directive of

ProxyPass /myapp http://DNS_hostname:8080/myapp
ProxyPassReverse /myapp http://DNS_hostname:8080/myapp


In the Tomcat server.xml file, inside the Host directive, I will place
<Valve className="org.apache.catalina.valves.RemoteIpValve" />

In the file /etc/httpd/conf/workers.properties, worker.worker1.host should be 
set to DNS_hostname and worker.worker1.port is set to 8080.


With this setup, the URL for accessing the Tomcat application via the Apache 
server would be
https://DNS_hostname/myapp

Best,
Mike

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Wednesday, May 4, 2016 12:50 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat connector settings

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael,

On 5/2/16 10:20 AM, Michael Fox wrote:
> I ultimately want to have a Tomcat application protected by our 
> university's system for authentication, which is SiteMinder.  They 
> have told me that they can't protect Tomcat directly, but if user 
> communications can be passed through a web server then they can 
> protect the server with SiteMinder.

No problem.

> I have a working Tomcat application if I uncomment the non-SSL
> HTTP/1.1 protocol in the Tomcat, but I believe I need all 
> communication to pass through the Apache web server.  Let me know if 
> you need more information and, if so, what that would be.

You can use HTTP, HTTPS, or AJP as the communication mechanism between the web 
server and Tomcat.

AJP works great with Apache httpd, but may be more complicated to get set up 
with other web servers. HTTP is, by definition, always supported. You want them 
to set up the web server as a "reverse-proxy", and just give them the URL of 
your base application.
The configuration in httpd for using HTTP as the protocol is fairly
simple:

ProxyPass /myapp http://internal.ip:8080/myapp
ProxyPassReverse /myapp http://internal.ip:8080/myapp

You'll want to enable the standard HTTP connector (it was enabled by
default) and if you aren't using AJP (like you are NOT in this example), then 
you'll want to enable the RemoteIPValve:
https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

That "valve" takes information from the HTTP headers coming from the web server 
and makes sure that things like the base URL match what the client is seeing 
from the outside world (e.g. they won't see URLs for 
http://internal.ip:8080/etc.).

On the web server, you can use whatever protocol you want for your clients. 
HTTPS is a good choice. Using HTTPS on the web server has no impact on whether 
or not you want to use HTTP or HTTPS internally on your private network. If you 
want to use HTTPS internally (also not a bad idea, especially if you don't 100% 
trust everyone who has access to your network), change the httpd configuration 
to this:

SSLProxyEngine on
ProxyPass /myapp https://internal.ip:8443/myapp
ProxyPassReverse /myapp https://internal.ip:8443/myapp

You will, of course, have to configure a secure <Connector> on port
8443 for that purpose, including a TLS certificate, etc. If you always expect 
to use a secure connection, then disable the non-secure
<Connector>: anyone coming to your web site using cleartext HTTP can be 
redirected by the web server to HTTPS so Tomcat itself only has to be providing 
an HTTPS connection.

Hope that helps,
- -chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, April 29, 2016 9:14 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Tomcat connector settings
> 
> Michael,
> 
> On 4/29/16 4:25 PM, Michael Fox wrote:
>> I have an Apache web server(2.4.6) which is accessible at http or  
>> https at DNS_hostname, and a Tomcat server (9.0.0.M1)with an 
>> application available at DNS_hostname:8080/app_name.
> 
>> I then disabled the non-SSL HTTP/1.1 connector on port 8080 and 
>> enabled HTTP/2 in the Tomcat server.xml, using the certificate key 
>> file and certificate where generated using the openssl
>> (1.0.2g) commands and used on the Apache web server.
> 
>> The Apache ssl.conf file is set to listen on port 8443 for https, and 
>> the only virtual host is set for IP_address:8443 and servername set 
>> to DNS_hostname
> 
>> In the file /etc/httpd/conf/workers.properties,
>> worker.worker1.host is set to DNS_hostname and worker.worker1.port is 
>> set to 8443.
> 
>> Netstat -tamp shows httpd listening on port 8443 and java listening 
>> on port 8009.
> 
>> Are these settings proper and correct?
> 
> It doesn't look like it.
> 
>> What should the URL look like in order to access the Tomcat 
>> application via Apache?
> 
> That depends upon what you are actually trying to do.
> 
>> Any help and/or guidance would most appreciated.
> 
> You have an HTTPS server listening on port 443 (httpd). You have 
> mod_jk (workers.properties) configured to connect to host:8443 (which 
> is the same host listening for HTTPS requests on port 8443) using 
> AJP13 (not HTTP). So, if a client makes a call to host:8443, mod_jk 
> will proxy the request through to host:8443. If the protocol were 
> correct (it isn't), you'd have an infinite loop of requests.
> 
> Can you explain what you are actually trying to do and maybe we can 
> help?
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcqKEEACgkQ9CaO5/Lv0PDR0wCfU89GE1W6btEaUtHH2NJhm501
TlgAmQF9MCA6mpjiFr9Mo1EB1Bsn1p+n
=6mLT
-----END PGP SIGNATURE-----
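The rules Chris lays out above (the proxy target must not be a port httpd itself listens on, or the request loops; the ProxyPass scheme must match the Tomcat <Connector> on that port; an HTTP or HTTPS backend wants RemoteIpValve) and the setup Mike restates at the top of the thread can be checked mechanically before restarting anything. The script below is an added example written for this page, not code from the thread, from Tomcat or from httpd. The sample configs in it are constructed: the choice to bind Tomcat to 127.0.0.1, to list only 127.0.0.1 in internalProxies, and to set X-Forwarded-Proto in httpd are assumptions of this example, not settings the thread specifies.

```python
"""Static sanity check of an httpd reverse proxy paired with a Tomcat server.xml.
Rules encoded from the thread: a ProxyPass target on a port httpd itself listens
on loops, the URL scheme must match the Tomcat <Connector>, an https:// backend
needs SSLProxyEngine, a non-AJP backend wants RemoteIpValve, and a connector
bound to all interfaces lets clients skip httpd (and whatever protects it)."""
import re
import xml.etree.ElementTree as ET

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"

# Constructed sample: httpd terminates TLS on 8443, Tomcat speaks plain HTTP on 8080.
HTTPD_CONF_OK = """
Listen 8443
<VirtualHost *:8443>
    ServerName DNS_hostname
    SSLEngine on
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass /myapp http://127.0.0.1:8080/myapp
    ProxyPassReverse /myapp http://127.0.0.1:8080/myapp
</VirtualHost>
"""
# Constructed sample: connector reachable only from loopback, valve trusting only httpd
# (address and internalProxies values are assumptions of this example).
SERVER_XML_OK = r"""<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="127\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto"/>
  </Host></Engine></Service></Server>"""
# Constructed sample of the thread's first attempt, expressed with mod_proxy: httpd on 8443
# proxying to the same host's 8443, and a Tomcat connector open to everyone with no valve.
HTTPD_CONF_LOOP = """
Listen 8443
<VirtualHost *:8443>
    SSLEngine on
    ProxyPass /myapp https://DNS_hostname:8443/myapp
    ProxyPassReverse /myapp https://DNS_hostname:8443/myapp
</VirtualHost>
"""
SERVER_XML_OPEN = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/>
  </Engine></Service></Server>"""


def parse_httpd(conf):
    """Listen ports, [(scheme, host, port)] ProxyPass targets, and three directive flags."""
    listen = {int(p) for p in re.findall(r"^\s*Listen\s+(?:\S+:)?(\d+)", conf, re.M)}
    targets = [(s, h, int(p) if p else (443 if s == "https" else 80)) for s, h, p in
               re.findall(r"^\s*ProxyPass\s+\S+\s+(https?)://([^/:\s]+)(?::(\d+))?", conf, re.M)]

    def flag(directive):  # True when the directive appears at the start of a line
        return re.search(r"^\s*" + directive, conf, re.M | re.I) is not None

    return (listen, targets, flag(r"SSLEngine\s+on"), flag(r"SSLProxyEngine\s+on"),
            flag(r"RequestHeader\s+set\s+X-Forwarded-Proto"))


def parse_tomcat(server_xml):
    """{port: (protocol, bind address or None for all interfaces, SSLEnabled?)}, Valve class names."""
    root = ET.fromstring(server_xml)
    connectors = {int(c.get("port")): (c.get("protocol", "HTTP/1.1"), c.get("address"),
                                       c.get("SSLEnabled", "false").lower() == "true")
                  for c in root.iter("Connector")}
    return connectors, {v.get("className") for v in root.iter("Valve")}


def check_setup(httpd_conf, server_xml):
    """Return a list of findings; an empty list means the pairing is consistent."""
    findings = []
    listen, targets, tls_front, ssl_proxy, fwd_proto = parse_httpd(httpd_conf)
    connectors, valves = parse_tomcat(server_xml)
    for scheme, host, port in targets:
        if port in listen:
            findings.append(f"loop: ProxyPass target :{port} is a port httpd itself listens on")
            continue
        if port not in connectors:
            findings.append(f"no Tomcat <Connector> on port {port}")
            continue
        protocol, address, ssl_enabled = connectors[port]
        if protocol.upper().startswith("AJP"):
            findings.append(f"{scheme}:// target but connector :{port} speaks AJP (use mod_jk or ajp://)")
        elif scheme == "https" and not ssl_enabled:
            findings.append(f"https:// target but connector :{port} is not SSLEnabled")
        elif scheme == "http" and ssl_enabled:
            findings.append(f"http:// target but connector :{port} expects TLS")
        if scheme == "https" and not ssl_proxy:
            findings.append("https:// target needs 'SSLProxyEngine on' in httpd")
        if scheme == "http" and tls_front and not fwd_proto:
            findings.append("TLS ends at httpd but X-Forwarded-Proto is not set; Tomcat will see plain http")
        if address is None:
            findings.append(f"connector :{port} binds all interfaces: clients can reach Tomcat "
                            f"on :{port} without passing through httpd")
    if targets and REMOTE_IP_VALVE not in valves:
        findings.append("HTTP(S) backend without RemoteIpValve: Tomcat sees httpd as the client")
    return findings


if __name__ == "__main__":
    print("ok:", check_setup(HTTPD_CONF_OK, SERVER_XML_OK))
    print("loop:", check_setup(HTTPD_CONF_LOOP, SERVER_XML_OPEN))
```

The "binds all interfaces" finding is the one worth acting on in the SiteMinder scenario: if the Tomcat connector stays reachable on DNS_hostname:8080 from outside, the authentication gate in front of httpd can be walked around by connecting to Tomcat directly, so bind the connector to the loopback (or a host firewall rule) and list only that proxy address in internalProxies, so the valve does not honour X-Forwarded-For from arbitrary clients. The same loop rule applies to mod_jk: worker.worker1.port must be the port of Tomcat's AJP/1.3 <Connector>, not a port httpd itself listens on.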
