Chuck,

On 12/7/2010 6:02 PM, Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: enforcing SSL only for external clients
>
>> You will probably need 2 separate <Connectors>, one for HTTP and
>> the other for HTTPS.
>
> I think that's true.

It's definitely true: a single connector can't serve both secure and
non-secure. ;)

>> You probably need to set the "useIPVHosts" attribute inside your
>> <Connector> tags to "true".
>
> Probably not necessary, nor are multiple <Host> elements.

If the OP /really wants/ to use <transport-guarantee>, then dual hosts
will be necessary.

> How about just setting the address attribute for the port 80
> <Connector> to "127.0.0.1", and the port 443 <Connector> to the
> public IP address, and *do not* set <transport-guarantee> to
> CONFIDENTIAL in the web.xml files.

I like this solution, unless of course the OP feels strongly about using
<transport-guarantee>.

If the web application needs to provide its own enforcement of these
requirements, it can be done with a custom filter or even with Tucky's
urlrewrite. That way, the webapp can protect itself instead of having to
rely on the (independent) server configuration.

-chris
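
The custom-filter approach mentioned in the message above, sketched as an added example that is not part of the original post or of Tomcat. The class name and the "httpsBase" init-param are hypothetical, and "internal" is assumed to mean loopback clients only, matching the 127.0.0.1 binding discussed in the thread.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; class name and the "httpsBase" init-param are hypothetical.
public class ExternalHttpsFilter implements Filter {
    private String httpsBase; // e.g. "https://www.example.com" (constructed value)

    public void init(FilterConfig config) {
        httpsBase = config.getInitParameter("httpsBase");
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true for requests that arrived on the HTTPS connector.
        if (request.isSecure() || isLoopback(request.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }
        boolean safeMethod = "GET".equals(request.getMethod()) || "HEAD".equals(request.getMethod());
        if (httpsBase != null && safeMethod) {
            // Redirect to a configured origin, never to the client-supplied Host header.
            String query = request.getQueryString();
            response.sendRedirect(httpsBase + request.getRequestURI()
                    + (query == null ? "" : "?" + query));
        } else {
            // Other methods (a redirect would not replay the body) or no base configured.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        }
    }

    // Assumption: "internal" means the loopback interface only.
    static boolean isLoopback(String remoteAddr) {
        try {
            // An IP literal is parsed without a DNS lookup.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // fail closed: treat unparseable addresses as external
        }
    }
}
```

If a proxy sits in front of Tomcat, isSecure() and getRemoteAddr() describe the proxy's connection rather than the client's unless Tomcat is configured to use the forwarded values.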