httpd-users mailing list archives

From "Ryan Murray" <ryan.mur...@elementn.com>
Subject RE: [users@httpd] apache pass ssl+http to tomcat
Date Tue, 01 May 2007 12:44:15 GMT
 

> >----- Original Message ----
> >From: Krist van Besien <krist.vanbesien@gmail.com>
> >
> >You can't do what you are trying to do. Passing SSL without decrypting
> >it to tomcat is something that can't be done with apache. How is apache
> >to know what to do with a request when the request is just a stream of
> >apparently random noise?
> >
> >It is also something you don't need apache for. Just do a port forward
> >on the OS level.
>
> Thank you for the reply.
>
> Unfortunately I can't do a port forward at the OS level.  My
> environment is on a shared server.  Many domains are set up on the
> machine - all of course for port 80/443.  At the OS level can I
> determine that the request was for a certain domain and forward to a
> different port based on that domain?  I think the way the hosting
> company has it set up is that multiple domains are mapping to one ip -
> though it might be a slightly different setup.  The requests then all
> go to the one box where apache is sitting in front and using connectors
> to direct the requests to the particular instance of tomcat (in the
> case of the ssl request it is decrypting the request and directing
> them).
>
> My issue is that in Tomcat I want to have any http request redirected
> to https.  mod_proxy creates an infinite loop in this situation since
> apache turns the https into http and tomcat thinks it needs to
> redirect.  mod_jk handles this properly and is able to pass extra
> heuristics to tomcat but for some reason creates a massive performance
> problem.  Rather than figure out why mod_jk is creating this
> performance problem I was hoping there was some way just to have apache
> send the ssl on....  seems like I am stuck either switching to a
> dedicated machine and removing apache from the equation or figuring
> out the problem with mod_jk.
>
> Any other ideas?
>

I presume your problem is that someone can access the Tomcat directly via
HTTP as well as through Apache.  If it's just Apache then you can set up
your virtual hosts to only forward HTTPS connections to the Tomcat and not
proxy HTTP ones.  Another solution is to forward the SSL-decrypted
connection from Apache to a different HTTP connector (i.e. different port) on
Tomcat which only accepts connections from Apache.  On this HTTP connector
set "isSecure" to true.  Then your application should only redirect back to
https if the connection is on the other HTTP connector (i.e. when the
request returns isSecure=false).


Ryan Murray
 
element^n
berytech technology centre
mkalles-beirut, lebanon
+961 4 533 040   ext. 3030 (office)
+961 3 767 083   (lebanon mobile)
+973 3603 9118  (bahrain mobile)
 
www.elementn.com
 
This email message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information.  Any unauthorized review,
use, disclosure, or distribution is prohibited.  If you are not the intended
recipient(s) please contact the sender by reply email and destroy all copies
of the original message and any attachments.
 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
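
The two-connector setup described in the reply above, as an added example that is not part of the original message: a Tomcat `server.xml` fragment with one plain connector and one marked secure for traffic Apache has already decrypted. The port numbers, host name, loopback binding and certificate paths are assumptions; the reply's "isSecure" is written here as the Connector's `secure` attribute, which controls what `request.isSecure()` returns.

```xml
<!-- Added example, not from the original thread. Ports 8080/8081, the
     loopback binding and www.example.com are assumed values. -->
<Service name="Catalina">

  <!-- Plain HTTP connector: request.isSecure() returns false here, so the
       application redirects these requests to https. -->
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />

  <!-- Connector for traffic Apache has already decrypted. Tomcat does no TLS
       on it; secure="true" and scheme="https" only make request.isSecure()
       and request.getScheme() report HTTPS, which stops the redirect loop.
       proxyName/proxyPort make generated URLs point at the public endpoint.
       address="127.0.0.1" limits it to local clients. Tomcat trusts every
       request on this port as HTTPS, so on a shared machine other local
       processes must also be kept off it (e.g. host firewall rules). -->
  <Connector port="8081" protocol="HTTP/1.1" address="127.0.0.1"
             secure="true" scheme="https"
             proxyName="www.example.com" proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>

<!-- Matching Apache side (httpd.conf syntax, shown as a comment): only the
     SSL virtual host proxies to the marked connector.

     <VirtualHost *:443>
       ServerName www.example.com
       SSLEngine on
       SSLCertificateFile    /path/to/placeholder-cert.pem
       SSLCertificateKeyFile /path/to/placeholder-key.pem
       ProxyPass        / http://127.0.0.1:8081/
       ProxyPassReverse / http://127.0.0.1:8081/
     </VirtualHost>
-->
```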

