In my case sometimes I do need to pass through the SSL to Tomcat, as I'm running CAS which requires genuine SSL requests.
(I do also have some SSL requests that tomcat doesn't need to see - which I will send via 8009 as has been suggested).

The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly - but it sounds like that's the wrong approach.

Should I just use something like..

ProxyPass /cas https://10.13.0.218:8443/cas

?

Many thanks,
matt.

> Date: Fri, 22 Jan 2010 14:24:49 +0100
> From: t...@cataneo.eu
> To: users@tomcat.apache.org
> Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
>
> I guess that you should exchange the "JkMount /* tomcatssl" by
> "JkMount /* tomcat1" provided you use a "standard" Tomcat-setup.
>
> For a parallel SSL- + Non-SSL-Setup using Apache2 you basically need 2
> virtual-hosts in Apache2. One for Port 443 with the
> standard-SSL-parameters Apache2 expects to integrate OpenSSL for https
> and another for Port 80 / plain http. The Jk-directives are the same for
> both virtual hosts and don't care about SSL and go to Tomcat's port 8009
> (= using standard configuration).
> 8443 is typically the http-over-ssl-port (=http) for direct SSL access via
> coyote-connector and has nothing to do with ajp.
>
> If your Apache2 is doing the SSL-integration Tomcat "sees" no
> SSL-traffic because Apache2 lets openssl do the conversion from SSL and
> is connecting to Tomcat without any SSL-traffic but simple http.
>
> You can give Tomcat some information about the SSL-session like you did
> with
>
> > JkExtractSSL On
> > JkHTTPSIndicator HTTPS
> > JkSESSIONIndicator SSL_SESSION_ID
> > JkCIPHERIndicator SSL_CIPHER
> > JkCERTSIndicator SSL_CLIENT_CERT
>
> but then you have to instruct Apache2 to deliver this
> information by a
> "SSLOptions +StdEnvVars +ExportCertData"
>
> (http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might
> give you an idea about the two possibilities to setup Tomcat + SSL)
>
>
> On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat
> 6 on Solaris - nearly the same setup as under Linux.
> These servers run with SSL and Non-SSL parallel but without these extra
> Jk-SSL-indicator-parameters you are using.
>
>
> Regards,
> Tobias.
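
The two-virtual-host layout described in the quoted reply, written out as an added Apache configuration sketch. It is not taken from either poster's servers; the server name, certificate paths, Tomcat host and the contents of workers.properties are assumptions.

```apache
# Constructed example. Server name, file paths and the worker host are placeholders.
# workers.properties (a separate file) is assumed to define one AJP worker:
#   worker.list=tomcat1
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=<tomcat-host>
#   worker.tomcat1.port=8009
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties

# SSL details mod_jk forwards to Tomcat over AJP (the directives quoted in the thread)
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT

# Omit these if httpd.conf already listens on both ports
Listen 80
Listen 443

# Plain HTTP: requests go to Tomcat's AJP connector on 8009
<VirtualHost *:80>
    ServerName www.example.org
    JkMount /* tomcat1
</VirtualHost>

# HTTPS: Apache terminates SSL, then uses the same AJP worker on 8009.
# Tomcat's own SSL connector on 8443 is not involved.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    # Export the SSL variables so the Jk*Indicator directives have values to send
    SSLOptions +StdEnvVars +ExportCertData
    JkMount /* tomcat1
</VirtualHost>
```

Both virtual hosts carry the same JkMount line; only the 443 host has the SSL directives, which matches the reply's point that the Jk directives do not care about SSL.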