>> Taking the whole of the message above, it would look as if the new guy
>> wasn't too sure about how to set up SVN & SSL under Tomcat, and chose to set
>> it up on a front-end Apache instead. (Which, in principle, is also how I
>> would set it up, since I have no idea if there exists an SVN-capable webapp
>> for Tomcat).
>>
>> The fact that you are seeing JSP pages "raw" probably means that he set
>> things up so that Apache can bypass Tomcat, and serve the JSP pages directly
>> from the Tomcat webapps directories (which is not good).
>>
>> The way in which this kind of setup is normally done, is ascii-graphically
>> as follows:
>>
>> browser <--(1)--> Apache + connector <--(2)--> Tomcat
>>
>> and usually in such a case, you would arrange for only the connection (1) to
>> be HTTPS (in other words, one would "terminate SSL" at the Apache level),
>> and have the conversation between Apache and Tomcat (2) remain unencrypted
>> (particularly if they are on the same server).
>>
>> For the "connector" at the Apache level, there exist several possibilities:
>> 1) mod_jk (at the Apache level), talking to a <Connector
>> ..protocol="AJP/1.3"> on the Tomcat side
>> b) mod_proxy & mod_proxy_ajp at the Apache level, also talking to a
>> <Connector ..protocol="AJP/1.3"> on the Tomcat side
>> c) mod_proxy & mod_proxy_http at the Apache level, talking to a <Connector
>> ..protocol="HTTP/1.1"> on the Tomcat side

ProxyPass and ProxyPassReverse also work.

>>
>> Then, you have to configure Apache and its connector properly, so that it
>> will:
>> - process locally what is not destined to Tomcat (such as probably the SVN
>> bit)
>> - pass-through (or rather proxy) to Tomcat what belongs to Tomcat (such as
>> requests for JSP pages)

Yup.

>> The proper way to do that depends on the connector which is used.
>> So you would first need to find out which that is. Any "Proxy..."
>> statements in the Apache configuration ?

...

>> Hope that helps a bit to clarify what is going on.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
> Thanks for all the good suggestions thus far.
>
> Going forward, we will implement the connector approach. But for now,
> we just want to get 'back' to the previous configuration where tomcat
> was handling its requests just fine. Svn can wait.
>
> We don't have any specific proxies and I don't think there are any
> proxy statements in the config files.
>
> For our main flow of requests, tomcat was listening on a custom port,
> which was (or should have been) totally unrelated to the https port.
>
> I've just been trying to get the config back to where it was, but have
> been unsuccessful. Stopping apache results in no web processing. How
> can I get tomcat to be THE web server again?

Why? You can easily get this done, you are closer than you think. I'll show you how we do it. We are on Solaris 10, Tomcat 6.0.29 and the latest HTTPD 2.2 package.
We actually have the 3 different tomcats behind httpd on this server - confluence, jira, and our own admin webapps. The svn+ssh is configured as a separate virtual host as is our admin webapps. SVN also has viewvc setup and the svn is password protected. There are also apache hosted directories. Here is a good part of our config with domain names changed:

Here is the admin site's conf/server.xml:

<Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
           enableLookups="false" disableUploadTimeout="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
           keystorePass="xxxxxx" keystoreFile="/my/servers.jks" />

<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="10.10.*.*,127.0.0.1"/>
    <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
           directory="logs" prefix="access_local." suffix=".log"
           pattern="common" resolveHosts="false"/>
  </Host>
  <Host name="admin.x.com" appBase="webapps-admin"
        unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           prefix="access_public." suffix=".log" pattern="common"/>
  </Host>
</Engine>

Here is the httpd.conf

NameVirtualHost *:80
NameVirtualHost *:443

SSLProtocol -ALL +SSLv2 +SSLv3

<VirtualHost _default_:80>
  Redirect permanent / https://ops.x.com/
</VirtualHost>

<VirtualHost *:80>
  ServerName ops.x.com
  Redirect permanent / https://ops.x.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName ops.x.com
  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile /opt/pkg/etc/httpd/server.crt
  SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
  SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyRequests Off
  ProxyPreserveHost On

  ProxyPass /jira/secure/popups/colorpicker.jsp !
  ProxyPass /jira/secure/popups/grouppicker.jsp !
  ProxyPass /jira/secure/popups/userpicker.jsp !
  ProxyPass /jira https://localhost:8446/jira
  ProxyPassReverse /jira https://localhost:8446/jira

  ProxyPass /confluence https://localhost:8444/confluence
  ProxyPassReverse /confluence https://localhost:8444/confluence

  <Location /index.html >
    AuthType Digest
    AuthName "Web Users"
    AuthDigestDomain /
    AuthUserFile /opt/pkg/etc/httpd/davusers.digest
    Require valid-user
    SSLRequireSSL
  </Location>

  <Location /weblogs >
    AuthType Digest
    AuthName "Web Users"
    AuthDigestDomain /weblogs
    AuthUserFile /opt/pkg/etc/httpd/davusers.digest
    Require valid-user
    SSLRequireSSL
  </Location>
</VirtualHost>

<VirtualHost *:80>
  ServerName admin.x.com
  Redirect permanent / https://admin.x.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName admin.x.com
  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile /opt/pkg/etc/httpd/server.crt
  SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
  SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyRequests Off
  ProxyPreserveHost On

  ProxyPass / https://localhost:8445/
  ProxyPassReverse / https://localhost:8445/
</VirtualHost>

<VirtualHost *:80>
  ServerName svn.x.com
  Redirect permanent / https://svn.x.com/
</VirtualHost>

<VirtualHost *:443>
  #Alias /svn /export/repos
  #DocumentRoot /export/repos
  Servername svn.x.com
  ServerAlias svn
  CustomLog /opt/pkg/var/log/httpd/svn_access_log combined
  ErrorLog /opt/pkg/var/log/httpd/svn_error_log
  SSLEngine On
  SSLCertificateFile /opt/pkg/etc/httpd/server.crt
  SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
  SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt

  <Location /repos >
    DAV svn
    # any "/svn/foo" URL will be mapped to a repository /export/repos/foo
    SVNPath /path/to/repos/
    SVNAutoversioning on
    AuthType Digest
    AuthName "Web Users"
    AuthDigestDomain /repos
    AuthUserFile /opt/pkg/etc/httpd/davusers.digest
    AuthGroupFile /opt/pkg/etc/httpd/groups.db
    Require valid-user
    Require group repos
    Satisfy All
    SSLRequireSSL
  </Location>

  Alias /favicon.ico /opt/pkg/share/httpd/htdocs/subversion_logo.ico
  ScriptAlias /viewvc /usr/local/viewvc/bin/cgi/viewvc.cgi

  <Location /viewvc >
    AuthType Digest
    AuthName "Web Users"
    DirectorySlash On
    AuthDigestDomain /viewvc
    AuthUserFile /opt/pkg/etc/httpd/davusers.digest
    Require valid-user
    SSLRequireSSL
  </Location>

  <Location /viewvc/repos >
    AuthType Digest
    AuthName "Web Users"
    AuthDigestDomain /viewvc
    AuthUserFile /opt/pkg/etc/httpd/davusers.digest
    AuthGroupFile /opt/pkg/etc/httpd/groups.db
    Require valid-user
    Require group repos
    Satisfy All
    SSLRequireSSL
  </Location>
</VirtualHost>

Good luck.

Regards,
Dave
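
The layout described in the quoted reply (HTTPS terminated at Apache on leg (1), plain HTTP to a Tomcat on the same server on leg (2)), together with an SSLProtocol line that drops SSLv2 and SSLv3, as an added example that is not part of the original post. The hostname and certificate paths are reused from the configuration above; the backend port 8081 and the loopback binding are assumptions.

```apache
# Added example, not the poster's configuration.
# Assumptions: Tomcat runs on the same host as httpd and listens for plain
# HTTP on 127.0.0.1:8081 (hypothetical port).

# As posted, only the two obsolete protocols are enabled and TLS is off:
#   SSLProtocol -ALL +SSLv2 +SSLv3
# Corrected: start from everything this httpd/OpenSSL build supports and
# remove SSLv2 and SSLv3, which leaves only the TLS versions.
SSLProtocol all -SSLv2 -SSLv3

<VirtualHost *:443>
  ServerName ops.x.com

  # Leg (1): browser <-> Apache is HTTPS and ends here.
  SSLEngine On
  SSLCertificateFile /opt/pkg/etc/httpd/server.crt
  SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key

  # Reverse proxy only, never a forward proxy.
  ProxyRequests Off
  ProxyPreserveHost On

  # Leg (2): Apache <-> Tomcat is plain HTTP over the loopback interface,
  # so SSLProxyEngine is not needed for this backend.
  ProxyPass /jira http://127.0.0.1:8081/jira
  ProxyPassReverse /jira http://127.0.0.1:8081/jira
</VirtualHost>

# Matching Tomcat conf/server.xml connector, shown as a comment because this
# block is httpd syntax:
#
#   <Connector port="8081" protocol="HTTP/1.1" address="127.0.0.1"
#              proxyName="ops.x.com" proxyPort="443"
#              scheme="https" secure="true" URIEncoding="UTF-8" />
#
# address="127.0.0.1" keeps the unencrypted port unreachable from the
# network, so every request has to pass through Apache. proxyName, proxyPort,
# scheme and secure make the webapp build https://ops.x.com/ URLs and treat
# the request as secure even though leg (2) itself is not encrypted.
```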