>> Taking the whole of the message above, it would look as if the new guy
>> wasn't too sure about how to set up SVN & SSL under Tomcat, and chose to set
>> it up on a front-end Apache instead. (Which, in the principle, is also how I
>> would set it up, since I have no idea if there exists an SVN-capable webapp
>> for Tomcat).
>>
>> The fact that you are seeing JSP pages "raw" probably means that he set
>> things up so that Apache can bypass Tomcat, and serve the JSP pages directly
>> from the Tomcat webapps directories (which is not good).
>>
>> The way in which this kind of setup is normally done, is ascii-graphically
>> as follows :
>>
>> browser <--(1)--> Apache + connector <--(2)--> Tomcat
>>
>> and usually in such a case, you would arrange for only the connection (1) to
>> be HTTPS (in other words, one would "terminate SSL" at the Apache level),
>> and have the conversation between Apache and Tomcat (2) remain unencrypted
>> (particularly if they are on the same server).
>>
>> For the "connector" at the Apache level, there exists several possibilities
>> :
>> 1) mod_jk (at the Apache level), talking to a <Connector
>> ..protocol="AJP/1.3"> on the Tomcat side
>> b) mod_proxy & mod_proxy_ajp at the Apache level, also talking to a
>> <Connector ..protocol="AJP/1.3"> on the Tomcat side
>> c) mod_proxy & mod_proxy_http at the Apache level, talking to a <Connector
>> ..protocol="HTTP/1.1"> on the Tomcat side
ProxyPass and ProxyPassReverse also work.
>>
>> Then, you have to configure Apache and its connector properly, so that it
>> will :
>> - process locally what is not destined to Tomcat (such as probably the SVN
>> bit)
>> - pass-through (or rather proxy) to Tomcat what belongs to Tomcat (such as
>> requests for JSP pages)
Yup.
>> The proper way to do that depends on the connector which is used.
>> So you would first need to find out which that is. Any "Proxy..."
>> statements in the Apache configuration ?
...
>> Hope that helps a bit to clarify what is going on.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
> Thanks for all the good suggestions thus far.
>
> Going forward, we will implement the connector approach. But for now,
> we just want to get 'back' to the previous configuration where tomcat
> was handling it's requests just fine. Svn can wait.
>
> We don't have any specific proxies and I don't think there are any
> proxy statements in the config files.
>
> For our main flow of requests, tomcat was listening on a custom port,
> which was (or should have been) totally unrelated to the https port.
>
> I've just been trying to get the config back to where it was, but have
> been unsuccessful. Stopping apache results in no web processing. How
> can I get tomcat to be THE web server again?
Why? You can easily get this done, you are closer than you think. I'll show you
how we do it.
We are on Solaris 10, Tomcat 6.0.29 and the latest HTTPD 2.2 package.
We actually have the 3 different tomcats behind httpd on this server -
confluence, jira, and our own admin webapps.
The svn+ssh is configured as a separate virtual host as is our admin webapps.
SVN also has viewvc setup and the svn is password protected.
There are also apache hosted directories.
Here is a good part of our config with domain names changed:
Here is the admin site's conf/server.xml:
<Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
enableLookups="false" disableUploadTimeout="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
URIEncoding="UTF-8" keystorePass="xxxxxx"
keystoreFile="/my/servers.jks" />
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="10.10.*.*,127.0.0.1"/>
<Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
directory="logs" prefix="access_local." suffix=".log"
pattern="common" resolveHosts="false"/>
</Host>
<Host name="admin.x.com" appBase="webapps-admin"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve"
prefix="access_public." suffix=".log" pattern="common"/>
</Host>
</Engine>
Here is the httpd.conf
NameVirtualHost *:80
NameVirtualHost *:443
SSLProtocol -ALL +SSLv2 +SSLv3
<VirtualHost _default_:80>
Redirect permanent / https://ops.x.com/
</VirtualHost>
<VirtualHost *:80>
ServerName ops.x.com
Redirect permanent / https://ops.x.com/
</VirtualHost>
<VirtualHost *:443>
ServerName ops.x.com
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /opt/pkg/etc/httpd/server.crt
SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /jira/secure/popups/colorpicker.jsp !
ProxyPass /jira/secure/popups/grouppicker.jsp !
ProxyPass /jira/secure/popups/userpicker.jsp !
ProxyPass /jira https://localhost:8446/jira
ProxyPassReverse /jira https://localhost:8446/jira
ProxyPass /confluence https://localhost:8444/confluence
ProxyPassReverse /confluence https://localhost:8444/confluence
<Location /index.html >
AuthType Digest
AuthName "Web Users"
AuthDigestDomain /
AuthUserFile /opt/pkg/etc/httpd/davusers.digest
Require valid-user
SSLRequireSSL
</Location>
<Location /weblogs >
AuthType Digest
AuthName "Web Users"
AuthDigestDomain /weblogs
AuthUserFile /opt/pkg/etc/httpd/davusers.digest
Require valid-user
SSLRequireSSL
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName admin.x.com
Redirect permanent / https://admin.x.com/
</VirtualHost>
<VirtualHost *:443>
ServerName admin.x.com
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /opt/pkg/etc/httpd/server.crt
SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8445/
ProxyPassReverse / https://localhost:8445/
</VirtualHost>
<VirtualHost *:80>
ServerName svn.x.com
Redirect permanent / https://svn.x.com/
</VirtualHost>
<VirtualHost *:443>
#Alias /svn /export/repos
#DocumentRoot /export/repos
Servername svn.x.com
ServerAlias svn
CustomLog /opt/pkg/var/log/httpd/svn_access_log combined
ErrorLog /opt/pkg/var/log/httpd/svn_error_log
SSLEngine On
SSLCertificateFile /opt/pkg/etc/httpd/server.crt
SSLCertificateKeyFile /opt/pkg/etc/httpd/server.key
SSLCACertificateFile /opt/pkg/etc/httpd/intermediate.crt
<Location /repos >
DAV svn
# any "/svn/foo" URL will be mapped to a repository /export/repos/foo
SVNPath /path/to/repos/
SVNAutoversioning on
AuthType Digest
AuthName "Web Users"
AuthDigestDomain /repos
AuthUserFile /opt/pkg/etc/httpd/davusers.digest
AuthGroupFile /opt/pkg/etc/httpd/groups.db
Require valid-user
Require group repos
Satisfy All
SSLRequireSSL
</Location>
Alias /favicon.ico /opt/pkg/share/httpd/htdocs/subversion_logo.ico
ScriptAlias /viewvc /usr/local/viewvc/bin/cgi/viewvc.cgi
<Location /viewvc >
AuthType Digest
AuthName "Web Users"
DirectorySlash On
AuthDigestDomain /viewvc
AuthUserFile /opt/pkg/etc/httpd/davusers.digest
Require valid-user
SSLRequireSSL
</Location>
<Location /viewvc/repos >
AuthType Digest
AuthName "Web Users"
AuthDigestDomain /viewvc
AuthUserFile /opt/pkg/etc/httpd/davusers.digest
AuthGroupFile /opt/pkg/etc/httpd/groups.db
Require valid-user
Require group repos
Satisfy All
SSLRequireSSL
</Location>
</VirtualHost>
Good luck.
Regards,
Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
