Hi List.

(Indirect ref : previous thread "Moving from a very old Tomcat to a new Tomcat.")

Ref : http://tomcat.apache.org/connectors-doc/reference/apache.html
Item : JkExtractSSL

Do I understand this right that this parameter JkExtractSSL (default On) controls whether Tomcat receives or not the information, through mod_jk, that the original request to Apache was made via HTTPS ?

Or, in other words, that if one wanted Tomcat "not to know" and handle the current session as a normal non-secure HTTP connection, one could just set this parameter to "Off" ?

And, again in other words, if this parameter was set to Off, and Tomcat generated a new session and a JSESSIONID session cookie for this session, that the cookie would thus not be marked secure ?

---- maybe separately ----

The above refers generally to the following kind of scenario. It is also generally speaking a question to the specialists here. My purpose is to make sure I understand this whole thing correctly.

Scenario :

For whatever good reason, Apache is used as the front-end HTTP/HTTPS server and (possibly) serving some portion of the content itself, while some (or all) requests are being forwarded, through mod_jk, to a background Tomcat for content generation. For whatever good reason also, the connection between the client (browser) and Apache is a HTTPS (encrypted) connection.

The connection between the front-end Apache and the back-end Tomcat through mod_jk is never secure (the AJP protocol does not support encryption). In this scenario, it does not matter because this connection is deemed secure for other reasons (e.g. both are running on the same host, and Tomcat is set up so that it accepts only connections through Apache).

The unencrypted content, as generated and delivered by Tomcat back to Apache via mod_jk, will be forwarded back to the browser by Apache over the HTTPS connection, thus encrypted by Apache (generally speaking; in reality probably this happens in an underlying SSL connection layer).

It is possible, but not mandatory, to let Tomcat know about the HTTPS nature of the original browser/Apache connection. This might be necessary/helpful in some scenarios (such as ?)

To let Tomcat know that the original connection is HTTPS, one uses the "JkExtractSSL On" mod_jk directive. ("On" is the default value.)
To prevent Tomcat from knowing, one uses "JkExtractSSL Off".

If "JkExtractSSL On" is used, then one may/must also pass additional HTTPS-related information from Apache to Tomcat via the "JkHTTPSIndicator", "JkCERTSIndicator", et al. directives.
This is useful/required for (?)

The general gist is that if for some reason, it is necessary to have Apache handle HTTPS connections anyway, and the connection between Apache and Tomcat is inherently secure, then there might be no reasons to "propagate" the HTTPS overhead to Tomcat, and one might as well handle it all at the Apache level.
Or am I missing something ?


Thanks,
André
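An added illustration of the two settings discussed in the message above, not taken from the post or from the mod_jk documentation: an httpd virtual host that terminates HTTPS and hands requests to Tomcat over AJP. The hostname, certificate paths, log paths and the worker name are assumptions; the five indicator directives are shown with their documented default values so the contrast with "Off" is visible in one place.

```apache
# Constructed example: HTTPS terminated in Apache httpd, requests forwarded
# to a back-end Tomcat over AJP via mod_jk. Hostname, paths and worker name
# are assumptions.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/example.test.key

    JkWorkersFile /etc/apache2/workers.properties
    JkLogFile     /var/log/apache2/mod_jk.log
    JkLogLevel    info

    # Default behaviour: tell Tomcat that the client connection was HTTPS.
    # Tomcat then reports request.isSecure() == true, so the JSESSIONID
    # cookie it creates carries the Secure flag and redirects it builds
    # from relative URLs use https://.
    JkExtractSSL On

    # The environment variables mod_jk reads when JkExtractSSL is On.
    # These are the documented defaults, written out explicitly.
    JkHTTPSIndicator    HTTPS
    JkSESSIONIndicator  SSL_SESSION_ID
    JkCIPHERIndicator   SSL_CIPHER
    JkCERTSIndicator    SSL_CLIENT_CERT
    JkKEYSIZEIndicator  SSL_CIPHER_USEKEYSIZE

    # With "JkExtractSSL Off" in place of the line above, Tomcat sees a
    # plain HTTP request: request.isSecure() is false, the session cookie
    # is not flagged Secure, and the browser may then send it over any
    # http:// request to the same host.

    JkMount /app/* ajp13_worker
</VirtualHost>
```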

