tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject RE: SSL Connectors - config proposal
Date Tue, 17 Oct 2006 21:17:29 GMT
 

> -----Original Message-----
> From: Jean-frederic Clere [mailto:jfclere@gmail.com] 
> Sent: Tuesday, October 17, 2006 1:12 PM
> To: Tomcat Developers List
> Subject: Re: SSL Connectors - config proposal
> 
> 
> Filip Hanik - Dev Lists wrote:
> 
> > gents and ladies,
> >
> > currently we are doing SSL a little bit differently between APR and 
> > the Java connectors.
> > The APR connector requires an attribute sslEngine="On" to kick in.
> >
> > I believe this attribute to be useful for two reasons:
> >
> > 1.
> > Config should be as consistent as possible.
> >
> > 2.
> > If I use an SSL network card, or Apache doing SSL etc., I would like to
> > trick Tomcat into thinking it is running in SSL,
> > for example:
> >
> > Apache Port 80 -> mod_proxy(http) -> Tomcat 8080
> > <Connector protocol="HTTP/1.1" port="8080"/>
> > Apache Port 443 -> mod_proxy(http) -> Tomcat 8081
> > <Connector protocol="HTTP/1.1" port="8081" secure="true" 
> > scheme="https" sslEngine="off"/>
> >
> > This example here is with Apache, but if you use any kind of SSL 
> > accelerator, be it a network card or an appliance,
> > there is a risk of getting stuck in a redirect loop when using 
> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > in web.xml
> >
> > Currently, you have to work around it using Valves or filters, but it
> > can get a little messy.
> >
> > Useful?
> 
> What would you propose if we use HTTP/AJP + SSL between Apache httpd
> and TC?
> BTW: In TC 5.x the secure="true" or secure="false" does not behave as in
> the documentation (See PR 40766).
> 

There are a lot of people who are relying on the current behavior (e.g.
using the same worker for both the HTTP and HTTPS vhost, and using the value
that is passed to TC).  IMHO, it is the documentation that should be fixed,
since the AJP connector has never allowed you to configure secure outside
the AJP protocol (going all the way back to TC 3.x :).

> Cheers
> 
> Jean-Frederic
> 
> >
> > Filip



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
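A worked configuration for the TLS-terminating-proxy layout Filip sketches above, added here as an illustration; it is not taken from the thread or from the Tomcat project's own documentation. It uses only Connector attributes that exist in Tomcat (secure, scheme, proxyName, proxyPort, redirectPort, address) and the standard CONFIDENTIAL transport guarantee; the proposed sslEngine attribute is deliberately not used. The hostname www.example.com, the /account/* path and the port numbers are assumptions.

```xml
<!-- server.xml fragment (example, not from the thread):
     Apache :80  -> mod_proxy (http) -> Tomcat :8080   plain traffic
     Apache :443 -> mod_proxy (http) -> Tomcat :8081   TLS terminated at Apache
     Hostname and ports below are assumed for the example. -->
<Service name="Catalina">

  <!-- Requests that reached Apache in the clear. redirectPort must be the
       port the *client* sees (443 on Apache), not a Tomcat port, otherwise
       the CONFIDENTIAL redirect sends the browser to an unreachable port. -->
  <Connector protocol="HTTP/1.1" port="8080"
             address="127.0.0.1"
             proxyName="www.example.com" proxyPort="80"
             redirectPort="443" />

  <!-- Requests that reached Apache over TLS. secure="true" makes
       request.isSecure() return true and scheme="https" makes getScheme()
       return "https", so the CONFIDENTIAL constraint is satisfied and no
       redirect is issued. Bind to loopback: any client that can reach 8081
       directly would be treated as "secure" without ever having used TLS. -->
  <Connector protocol="HTTP/1.1" port="8081"
             address="127.0.0.1"
             secure="true" scheme="https"
             proxyName="www.example.com" proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>

<!-- web.xml fragment (same example): require TLS under /account/.
     Without secure="true" on the 8081 connector, a request that came in
     via Apache :443 still looks like plain HTTP here; Tomcat redirects to
     https://www.example.com/account/..., Apache proxies that back to 8081
     as plain HTTP, and the redirect loop Filip describes repeats. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Account pages</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The check worth running after deploying this: request a CONFIDENTIAL path directly against port 8081 from a host that can reach it. If you get a 200 rather than a connection refusal, the "secure" connector is exposed and the transport guarantee is only as strong as your firewall. The address="127.0.0.1" binding (or an equivalent packet filter) is what keeps the secure="true" flag honest. Later Tomcat releases added a RemoteIpValve that derives the secure flag from the X-Forwarded-Proto header set by the proxy, which removes the need for a second connector, but the same exposure rule applies: only trust that header from proxies you control.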

