Dino,

On 11/19/18 08:16, Dino Edwards wrote:
>>> I'm not using Named-Based Virtual Hosts
>
>>> Yes, you are. :)
>
> I didn't think I was. How do you figure?

https://httpd.apache.org/docs/2.4/mod/core.html#namevirtualhost

>> I do, there are two different applications in the box that use
>> two different Tomcat instances running in different ports and I
>> use Apache to proxy to each app while using one common SSL
>> config
>
>>> Understood. If you have two different applications on two
>>> Tomcat instances, is that why the port numbers don't match
>>> above?
>
> Yes, sorry I posted the wrong config. So, it looks like I figured
> it out. Apparently, Apache 2.4 has a problem using a combination of
> both AJP and HTTP proxy statements in the same config (Apache 2.2
> worked fine), so I ended up setting the following:

I don't believe Apache httpd has any problem with mixing
mod_proxy_ajp and mod_proxy_http directives in the same
configuration. Do you have a reference for such a claim?

> Tomcat Instance 1 server.xml file:
>
> <Server port="8006" shutdown="SHUTDOWN">
>
> <Connector port="8888" protocol="HTTP/1.1"
> connectionTimeout="20000" redirectPort="8443" />
>
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
>
> Tomcat Instance 2 server.xml file:
>
> <Server port="8005" shutdown="SHUTDOWN">
>
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8444"
> />
>
> <Connector port="8010" protocol="AJP/1.3" redirectPort="8444" />

Looks good so far. How is this different than what you had before?

> And in Apache config file I set the following:
>
> <IfModule mod_ssl.c>
> <VirtualHost _default_:443>
> ProxyRequests Off
>
> SSLEngine on
> SSLCertificateFile ......cer
> SSLCertificateKeyFile ......key
> SSLCertificateChainFile .........chain.cer
> SSLProtocol -all +TLSv1.2
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> #Tomcat 1
> ProxyPass /admin ajp://localhost:8009/app1
> ProxyPassReverse /admin ajp://localhost:8009/app1
>
> #Tomcat 2
> ProxyPass /ciphermail ajp://localhost:8010/app2
> ProxyPassReverse /ciphermail ajp://localhost:8010/app2

If you want to be *really* explicit, you might want to add:

SSLProxyProtocol TLSv1.2

... if you want "TLSv1.2 everywhere".

> ProxyTimeout 3600
> ........
> </VirtualHost>
> </IfModule>
>
> This seems to work. Do you see a problem with the above?

What did you actually end up changing? That all looks like a fairly
standard reverse-proxy setup.

Note that re-naming a context path with mod_proxy (e.g. /admin ->
app1) is likely to cause a lot of problems. If that's not a typo or
copy/paste error, you probably want to map /admin -> /admin and
/ciphermail -> /ciphermail.

-chris
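
The context-path point in the message above can be checked mechanically. The following is an added example, not part of the original message or of Apache/Tomcat: a small audit of ProxyPass/ProxyPassReverse pairs, where the function name `audit_proxy_mappings` and the sample snippet are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the /admin mapping as quoted in the thread (renamed
# to /app1) next to a /ciphermail mapping that keeps its context path.
SAMPLE_CONF = """\
#Tomcat 1
ProxyPass /admin ajp://localhost:8009/app1
ProxyPassReverse /admin ajp://localhost:8009/app1
#Tomcat 2
ProxyPass /ciphermail ajp://localhost:8010/ciphermail
ProxyPassReverse /ciphermail ajp://localhost:8010/ciphermail
"""

DIRECTIVE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)", re.I)


def audit_proxy_mappings(conf_text):
    """Return (front_path, backend_url, issue) tuples for a vhost snippet."""
    forward, reverse = {}, {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        name, front, backend = m.groups()
        target = forward if name.lower() == "proxypass" else reverse
        target[front] = backend
    findings = []
    for front, backend in forward.items():
        if backend == "!":
            continue  # "!" marks an exclusion, not a mapping
        back_path = urlsplit(backend).path or "/"
        # ProxyPassReverse only rewrites response headers such as Location;
        # cookie paths and links the application generates keep the backend
        # context path, so a renamed path is flagged.
        if front.rstrip("/") != back_path.rstrip("/"):
            findings.append((front, backend, "context path renamed"))
        if reverse.get(front) != backend:
            findings.append((front, backend, "ProxyPassReverse missing or different"))
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_mappings(SAMPLE_CONF):
        print(finding)
```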