Hello again, Christopher

(this is the separate thread you requested - which had
originated as "Connecting Apache 2.2 to Tomcat 5.0 using mod_jk")

Thanks for entertaining my (relatively non-technical) questions.
Nevertheless, the issue of supporting multiple web app servers/
containers through ports 80/443 comes up constantly in the list,
and is indeed an important one, and typically, with numerous
implications.

For example:  I had originally set up Nick Kew's mod_proxy_html to
assist in forwarding from apache to tomcat.  Because my tomcat
app consists of a Single-sign-on on one context and several
other web app/contexts, with both http and https, configuring
this all with mod_proxy and mod_proxy_html was non-trivial.
But it worked very nicely, and the mod_proxy_html gave me
exactly the regex-based "scheme://domain:port/context/servlet... "
transformations that I required.  However - and Nick does clearly
warn of this - it was slow - but powerful.  It freed me from having
to make any intra-web-app regex-based transformations.
But I figured I would try a combination of mod_proxy, and
servlet/jsp based "scheme://domain:port/context/servlet/..."
regex-based transforms.   This speeded things up a bunch,
and also worked well.  But it was an unpleasant concession to
have to actually accommodate these transformations inside the
web app code - very NON-object oriented/ NON-portable/NON-modular.
(I could have made it sexier - yes, abstracted and modular - but it was
only supposed to be an experiment.)

So then I tried pound to front not only the tomcat, but also apache,
and also two mongrel/rails clusters.  Pound turned out to be
fast (after all, it is not a server), relatively easy to configure, and is
naturally secure (since it doesn't itself serve pages off of disk), and
it only lets through contexts that are indicated in its regex-based
config sections.  Since it also supported https, it seemed to support
all my requirements.

There was only one issue.  That was when rewriting https to http (for
leaving secure side to then view pages that require no unique session
and no encryption) it did not make the required https to http transformations
to the URL.
Then I found the following post:
http://www.tapestryforums.com/-vt308.html?view=next which explained a fix
to the C source of pound which solved the "problem".
The fix was for an older pound version, so I had to hunt around to find
the equivalent section of code to fix in the version 2.1.3 that I have.
This, though not sanctioned by Robert Segall, the author of pound, did
solve the issue, and appears to be stable.  Evidently, Robert explains (so
I have read) that in fact, this patch causes pound to forward from scheme
to scheme in a manner not consistent with the expected.   But it gives the
behavior I require, and appears to be secure.
Well, so after all this, what have I learned?   What I found was that for
any but the simplest configurations, setting up multiple server forwarding
is not at all a simple issue. Moreover, it needs to be done delicately, lest
one introduce non-obvious security issues.  (I did run nikto web scanner
on the final configuration, and it found zero (0) security issues.  Of
course, I had previously secured the apache and tomcat servers separately
up to but not including running in a chroot'd jail.)

Conclusion: I certainly hope others have less complicated requirements.

Maurice Yarrow
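As an added illustration (not part of Maurice's message, and not a configuration he posted), here is what a Pound 2.x setup of the kind he describes looks like, with one listener per scheme and one Service per regex-matched context; the addresses, ports, contexts and certificate path are assumptions:

```text
# Constructed Pound 2.x configuration; all addresses, ports,
# contexts and the certificate path are assumed, not taken from
# the message above.
User     "www-data"
Group    "www-data"
LogLevel 1
Alive    30
# RewriteLocation 1 makes Pound rewrite Location: headers that
# point at a back-end so clients see the listener's own
# scheme://host:port instead of the back-end's.
RewriteLocation 1

ListenHTTPS
    Address 0.0.0.0
    Port    443
    # server certificate and private key in one PEM file
    Cert    "/etc/pound/site.pem"
    # Only requests whose path matches a Service URL regex are
    # forwarded; anything else is refused by Pound itself and
    # never reaches Apache, Tomcat or the mongrel clusters.
    Service
        # single-sign-on context on Tomcat
        URL "^/sso/.*"
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
    Service
        URL "^/app1/.*"
        BackEnd
            Address 127.0.0.1
            Port    8080
        End
    End
End

ListenHTTP
    Address 0.0.0.0
    Port    80
    Service
        # plain pages served by Apache, no session or encryption needed
        URL "^/(static|docs)/.*"
        BackEnd
            Address 127.0.0.1
            Port    8081
        End
    End
End
```

Each additional mongrel/rails cluster is one more Service with several BackEnd blocks; Pound then load-balances across those members.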



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
