Thanks for the responses. In between times I tried the ProxyPass which seems to work fine, but I'd much rather use plain AJP so I'll try that next. I've had problems previously getting CAS working where the SSL is handled by the webserver - however from what everyone has said and having read around the issue a bit more, it does sound like using AJP ought to work, so long as Apache is configured to pass through all the relevant SSL and cert. info to tomcat (presumably so that isSecure() can work, plus I think CAS validates certificates too).
> Date: Fri, 22 Jan 2010 14:53:21 -0500 > From: ch...@christopherschultz.net > To: users@tomcat.apache.org > Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Matt, > > On 1/22/2010 9:25 AM, Matt Turner wrote: > > In my case sometimes I do need to pass through the SSL to Tomcat, as > > I'm running CAS which requires geniune SSL requests. > > mod_jk ought to be able to forward all SSL information to Tomcat. > Specifically, what does CAS require? > > > (I do also have some SSL requests that tomcat doesn't need to see - > > which I will send via 8009 as has been suggested). > > > > The SSL pass-through requirement explains why I was attempting to > > pass through to :8443 directly - but it sounds like that's the wrong > > approach. > > Unless something specific is actually not working, you ought to be able > to use a vanilla AJP connection for both secure and non-secure HTTP > (even via the same worker/<Connector>). > > > Should I just use something like.. > > > > ProxyPass /cas https://10.13.0.218:8443/cas ? > > Now, you're switching from mod_jk to mod_proxy_http(s). Can CAS really > not function properly with an AJP connection? > > If you proxy HTTPS you are likely to get in all kinds of trouble because > the client is no longer your user... it's your web server. And the > server is no longer the web server... it's Tomcat. > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAktaAjEACgkQ9CaO5/Lv0PAV6ACfYlbK3Kws26nq7xPYICSlucmC > JqMAoLyACwFx0JxEBozCMWt81KvGmq+B > =Br3o > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > _________________________________________________________________ Tell us your greatest, weirdest and funniest Hotmail stories http://clk.atdmt.com/UKM/go/195013117/direct/01/
