From: jean-frederic clere <jfrederic.clere@fujitsu-siemens.com>
To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
Subject: Re: [PATCH] Tomcat 5.X connectors SSL Accelerator proxy support
Date: Wed, 06 Apr 2005 12:02:45 +0200
Message-ID: <4253B3C5.3080403@fujitsu-siemens.com>
In-Reply-To: <33076.38.116.134.159.1112508042.squirrel@secure.wispertel.net>

watler@wispertel.net wrote:
> Dev Team,
>
> Attached is a patch to address the Tomcat 5.X inability to specify a
> secure proxy without an SSL connection. The goal is to specify
> secure="true", scheme="https", proxyPort="443", and
> proxyName="ssl-accelerator.domain.com" on a plain HTTP Connector in
> server.xml.

BTW: This proxy does not allow you to get client certificates, does it?

> I am not sure if this is the best (or even acceptable)
> solution, but it is the simplest I could come up with while not changing
> the documented Tomcat 5.X Connector attributes. The configuration above
> used to work with Tomcat 4.1, because the SSL support was never enabled
> unless the tag was specified within the Connector
> specification.
>
> The approach here for Tomcat 5.X is to ignore the secure
> attribute/property configuration in the underlying Http11Protocol instance
> if the Connector is configured with either a proxyPort or proxyName and
> there are no other explicit SSL configuration attributes specified. The
> logic behind this choice is that use of an SSL Accelerator will imply a
> proxied port and/or host and will not specify any SSL related options.
> Furthermore, in the event a proxied SSL Connection was desired after all,
> it will almost always require at least some keystore access configuration.
> One possible variation might be to only ignore the secure configuration if
> the proxyName is set; this might be preferable if simple port forwarding
> on the host server is more prevalent than the use of SSL Accelerators
> (albeit potentially more confusing).
>
> The patch is limited to the jakarta-tomcat-connectors module and should be
> compatible with Tomcat 4.1 and Tomcat 5.X versions. It has been tested
> only against Tomcat 5.0.30 so far. If someone on the Dev Team indicates that
> this patch is acceptable, I can certainly proceed with Tomcat 4.1 and
> Tomcat 5.5 testing... I just would like a sanity check first if at all
> possible.
>
> Note: I believe that the minor patch to o/a/coyote/Request.java has
> already been performed against the Tomcat 5.5 main trunk by Remy, but was
> missing on the Tomcat 5.0 branch.
>
> Thanks for your consideration in advance,
>
> Randy Watler
> Finali-Convergys Corporation

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
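The rule Randy describes (ignore a Connector's secure setting for the socket when proxyPort or proxyName is present and no explicit SSL attributes are set, while web applications still see the https scheme) is easy to get wrong when auditing a server.xml by eye. The checker below is an added example written for this archive page; it is not the patch from the thread nor Tomcat code. It parses a constructed server.xml fragment, applies the proposed rule to each Connector, and also answers Jean-Frederic's question by reporting whether client certificates can reach Tomcat at all on that connector (they cannot when the TLS handshake happens at the accelerator). The list of attributes treated as "explicit SSL configuration" is an assumption of the example, as is the keystore path, and the `require_proxy_name` switch models the proxyName-only variation the mail mentions.

```python
import xml.etree.ElementTree as ET

# Which Connector attributes count as "explicit SSL configuration" is an
# assumption of this example; the thread only mentions keystore access and
# "SSL related options" without listing them.
SSL_ATTRIBUTES = frozenset({
    "keystoreFile", "keystorePass", "keystoreType",
    "truststoreFile", "truststorePass",
    "clientAuth", "sslProtocol", "ciphers", "algorithm",
})

# Constructed server.xml fragment: four connectors covering the cases the
# thread discusses. The keystore path is a placeholder.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <!-- the thread's target: plain HTTP behind an SSL accelerator -->
    <Connector port="8080" secure="true" scheme="https" proxyPort="443"
               proxyName="ssl-accelerator.domain.com"/>
    <!-- real SSL connector with a proxy in front: keystore present -->
    <Connector port="8443" secure="true" scheme="https" proxyPort="443"
               keystoreFile="/path/to/keystore.jks" keystorePass="changeit"/>
    <!-- ordinary HTTP connector -->
    <Connector port="8081"/>
    <!-- simple port forwarding: proxyPort only, no proxyName -->
    <Connector port="8082" secure="true" scheme="https" proxyPort="443"/>
  </Service>
</Server>"""


def decide(attrs, require_proxy_name=False):
    """Apply the proposed rule to one Connector's attribute dict.

    require_proxy_name=True selects the variation floated in the thread,
    where only a proxyName (not a bare proxyPort) marks the connector as
    proxied.
    """
    declared_secure = attrs.get("secure", "false").lower() == "true"
    if require_proxy_name:
        proxied = "proxyName" in attrs
    else:
        proxied = "proxyName" in attrs or "proxyPort" in attrs
    explicit_ssl = sorted(a for a in attrs if a in SSL_ATTRIBUTES)

    # The proposal: the protocol handler opens an SSL socket only when secure
    # is declared and the connector is not a bare accelerator front end
    # (proxied with nothing SSL-specific configured).
    socket_ssl = declared_secure and not (proxied and not explicit_ssl)

    if not declared_secure:
        reason = "secure not set: plain HTTP"
    elif not socket_ssl:
        reason = ("secure but proxied with no SSL attributes: "
                  "accelerator front end, secure ignored for the socket")
    elif explicit_ssl:
        reason = ("secure with explicit SSL attributes (%s): SSL on the socket"
                  % ", ".join(explicit_ssl))
    else:
        reason = "secure and not proxied: SSL on the socket"

    return {
        "declared_secure": declared_secure,
        "proxied": proxied,
        "explicit_ssl": explicit_ssl,
        "socket_ssl": socket_ssl,
        # What web applications observe through request.isSecure() and
        # getScheme(): the Connector's own secure/scheme still apply, which
        # is the whole point of the configuration.
        "request_secure": declared_secure,
        "scheme": attrs.get("scheme", "http"),
        # Client certificates only reach Tomcat through a TLS handshake that
        # Tomcat itself performs, so an accelerator front end never yields one.
        "client_certs_possible": socket_ssl
        and attrs.get("clientAuth", "false").lower() in ("true", "want"),
        "reason": reason,
    }


def analyse(server_xml, require_proxy_name=False):
    """Return one decision per <Connector> in a server.xml string, in order."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        entry = {"port": conn.get("port")}
        entry.update(decide(conn.attrib, require_proxy_name))
        results.append(entry)
    return results


if __name__ == "__main__":
    for variant in (False, True):
        print("require_proxy_name=%s" % variant)
        for r in analyse(SAMPLE_SERVER_XML, variant):
            print("  port %s: socket_ssl=%s request_secure=%s scheme=%s "
                  "client_certs=%s (%s)"
                  % (r["port"], r["socket_ssl"], r["request_secure"],
                     r["scheme"], r["client_certs_possible"], r["reason"]))
```

Running it shows the trade-off the mail raises: under the default rule the port-forwarding connector on 8082 is silently treated as an accelerator front end, whereas with `require_proxy_name=True` it keeps SSL on the socket and would fail at startup for lack of a keystore, which is the "potentially more confusing" outcome Randy mentions. Either way the 8080 connector reports `client_certs_possible=False`, which is the answer to the client-certificate question for any accelerator-terminated setup.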