My mistake,

I meant x-forwarded-proto rather than x-forwarded-for.

Here is a sample configuration where Apache adds the header
X-Forwarded-Proto and Tomcat RemoteIpValve handles it.

APACHE CONFIGURATION
=====================
# 'myapplication' cluster
<Proxy balancer://myapplication>
   BalancerMember      http://node-1:8080 route=node-1
   ...
   BalancerMember      http://node-n:8080 route=node-n
</Proxy>
<VirtualHost _default_:80>
# Declare X-Forwarded-Proto as "http" for incoming requests
# ("set" replaces any value already present on the request)
RequestHeader set X-Forwarded-Proto "http"
...
</VirtualHost>

<VirtualHost _default_:443>
# mod_ssl configuration
SSLEngine on
# Cipher list as posted; it includes LOW, SSLv2, EXP and eNULL suites
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/private/etc/apache2/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/server.key"

# Overwrite X-Forwarded-Proto declaration for port 443, requests are "https"
RequestHeader set X-Forwarded-Proto "https"
...
</VirtualHost>
...
ProxyPreserveHost On
# Balancer name must match the <Proxy balancer://myapplication> block above
ProxyPass /mypath balancer://myapplication/mypath stickysession=JSESSIONID

TOMCAT CONFIGURATION
=====================

<Server ...>
   ...
   <Service name="Catalina">
      <Connector ... />
      <Engine ...>
         <!-- Process X-Forwarded-For to get remote address and
              X-Forwarded-Proto to identify SSL requests -->
         <Valve className="org.apache.catalina.valves.RemoteIpValve"
            protocolHeader="X-Forwarded-Proto" />

         <!-- AccessLogValve must be declared after RemoteIpValve to
              get the remote address and the scheme https/http -->
         <Valve className="org.apache.catalina.valves.AccessLogValve"
            directory="logs" pattern="common" prefix="access_log."
            resolveHosts="false" suffix=".txt" />

         <Host ...>
         ...
         </Host>
      </Engine>
   </Service>
</Server>


Hope this helps,

Cyrille




On Thu, Feb 25, 2010 at 5:44 PM, Cyrille Le Clerc <clecl...@apache.org> wrote:
>
> Hello,
>
> We tried to detail precisely on a blog post named "Tomcat, SSL,
> communications sécurisées et X-Forwarded-Proto" (1) different
> solutions to handle SSL with Tomcat including decrypting https on the
> Apache layer. It is written in French but there are many schemas and
> it is Google Translate friendly.
>
> My preferred solution is to use the RemoteIpValve in Tomcat in
> addition with the X-Forwarded-For http header set in Apache httpd.
> Another solution is to create two connectors in Tomcat, a non secured
> one and a secured one.
>
> Please note that RemoteIpValve has been introduced in version 6.0.24
> of Tomcat and is available for previous versions in a separate jar
> (2).
>
> Hope this helps,
>
> Cyrille
>
> --
> Cyrille Le Clerc
> clecl...@xebia.fr
>
> (1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/
> (2) http://code.google.com/p/xebia-france/wiki/RemoteIpValve
>
> On Thu, Feb 25, 2010 at 4:56 PM, sikorsky <rsm...@sikorsky.com> wrote:
> >
> > I'm new to Apache 2.2 and TomCat 6.0.  I thought I could use SSL on my
> > Apache web server and not need to have SSL on my TomCat applications.
> > Especially since they are both on the same server.  I installed an
> > Entrust Cert on my Apache webserver and it works fine with https.  When
> > I redirect to the TomCat servlet I get a 404.  If I switch to http
> > everything works fine.  Shouldn't I be able to use https/443 on my web
> > server and http/8080 on the app server without issue?  How?
> > --
> > View this message in context: 
> > http://old.nabble.com/Apache-2.2-and-TomCat-6.0-using-SSL-tp27714427p27714427.html
> > Sent from the Tomcat - User mailing list archive at Nabble.com.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
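
The following is an added example, not part of the original thread and not Tomcat's own code. It is a simplified Python model of how a RemoteIpValve-style component decides the scheme and client address from X-Forwarded-For and X-Forwarded-Proto, showing what happens when protocolHeader points at X-Forwarded-For instead of X-Forwarded-Proto and why the headers are honoured only when the TCP peer is a known proxy. The function name, the proxy pattern and the sample requests are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed trusted-proxy pattern for this example: loopback and 10.0.0.0/8.
INTERNAL_PROXIES = re.compile(r"(127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}")


class RequestView(NamedTuple):
    remote_addr: str
    scheme: str
    secure: bool


def resolve(peer_addr, headers, protocol_header="X-Forwarded-Proto",
            remote_ip_header="X-Forwarded-For", https_value="https",
            internal_proxies=INTERNAL_PROXIES):
    """Simplified model: what the application sees behind the plain-HTTP connector."""
    hdrs = {name.lower(): value.strip() for name, value in headers.items()}
    remote_addr, scheme = peer_addr, "http"

    # Forwarding headers count only when the TCP peer is a known proxy;
    # anything sent directly by an arbitrary client is ignored.
    if not internal_proxies.fullmatch(peer_addr):
        return RequestView(remote_addr, scheme, False)

    # Walk the address list right to left; the first hop that is not one of
    # our proxies is taken as the client address.
    hops = hdrs.get(remote_ip_header.lower(), "").split(",")
    for hop in reversed([h.strip() for h in hops]):
        if hop and not internal_proxies.fullmatch(hop):
            remote_addr = hop
            break

    # The request is https only if the protocol header carries the expected value.
    if hdrs.get(protocol_header.lower(), "").lower() == https_value:
        scheme = "https"
    return RequestView(remote_addr, scheme, scheme == "https")


# Constructed sample requests as the backend would see them on port 8080.
VIA_APACHE_443 = ("10.0.0.5", {"X-Forwarded-For": "203.0.113.7",
                               "X-Forwarded-Proto": "https"})
DIRECT_SPOOFED = ("203.0.113.9", {"X-Forwarded-For": "198.51.100.1",
                                  "X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    print(resolve(*VIA_APACHE_443))                                     # https, real client
    print(resolve(*VIA_APACHE_443, protocol_header="X-Forwarded-For"))  # stays http
    print(resolve(*DIRECT_SPOOFED))                                     # headers ignored
```

With the protocol header pointed at X-Forwarded-For, the value compared against "https" is an IP address, so requests arriving over port 443 are still reported as plain http to the application.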
