tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject RE: SSL Connectors - config proposal
Date Tue, 17 Oct 2006 21:33:38 GMT
 

> -----Original Message-----
> From: Jean-frederic Clere [mailto:jfclere@gmail.com] 
> Sent: Tuesday, October 17, 2006 1:43 PM
> To: Tomcat Developers List
> Subject: Re: SSL Connectors - config proposal
> 
> Filip Hanik - Dev Lists wrote:
> 
> > Jean-frederic Clere wrote:
> >
> >>
> >> Filip Hanik - Dev Lists wrote:
> >>
> >>> gents and ladies,
> >>>
> >>> currently we are doing SSL a little bit differently between APR and
> >>> the Java connectors.
> >>> The APR connector requires an attribute sslEngine="On" to kick in.
> >>>
> >>> I believe this attribute to be useful for two reasons:
> >>>
> >>> 1.
> >>> Config should be as consistent as possible.
> >>>
> >>> 2.
> >>> If I use a SSL network card, or apache doing SSL etc, I would like
> >>> to trick Tomcat into thinking it is running in SSL
> >>> for example:
> >>>
> >>> Apache Port 80 -> mod_proxy(http) -> Tomcat 8080
> >>> <Connector protocol="HTTP/1.1" port="8080"/>
> >>> Apache Port 443 -> mod_proxy(http) -> Tomcat 8081
> >>> <Connector protocol="HTTP/1.1" port="8081" secure="true" 
> >>> scheme="https" sslEngine="off"/>
> >>>
> >>> This example here is with Apache, but if you use any kind of SSL 
> >>> accelerator, be it a network card or an appliance,
> >>> there is a risk of getting stuck in a redirect loop when using 
> >>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >>> in web.xml
> >>>
> >>> Currently, you have to work around it using Valves or filters, but
> >>> it can get a little messy.
> >>>
> >>> Useful?
> >>
> >>
> >> What would you propose if we use HTTP/AJP + SSL between Apache httpd
> >> and TC?
> >
> > AJP doesn't support SSL, so it's not affected.
> 
> Well. That would be protocol="AJP" sslEngine="on"  secure="value" 
> scheme="value".
> 
> BTW: Apache httpd does not yet support SSL proxy.
> ProxyPass /servlets-examplex https://anotherhost:8443/servlets-examples
> is not yet supported.
> Or do I miss something?
> 

I haven't tried it in 2.2.x, but I know it used to work.  Do you have
mod_ssl turned off?

> >> BTW: In TC 5.x the secure="true" or secure="false" does not behave as
> >> in the documentation (See PR 40766).
> >
> > yes, this is what we are trying to avoid, secure="value" should just
> > result in request.getSecure to return value, and so on.
> > sslEngine="on" actually kicks in the SSL enc/dec
> 
> +1
> 
> Cheers
> 
> Jean-Frederic
> 
> >
> >
> > Filip
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: dev-help@tomcat.apache.org
> >
> >
> 
> 
> 
> 
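
The TLS-offload setup discussed in this thread, written out as an added configuration example (not taken from the thread or from the Tomcat project). It uses only the existing Connector attributes `secure`, `scheme`, `proxyPort`, `redirectPort` and `address`, not the proposed `sslEngine`; the ports 8080/8081 come from Filip's example, while the loopback bind (proxy on the same host) and the `/account/*` pattern are assumptions.

```xml
<!-- conf/server.xml (fragment). TLS is terminated in front of Tomcat:
     proxy port 80 forwards to Tomcat 8080, proxy port 443 forwards to
     Tomcat 8081, both over plain HTTP. -->

<!-- Requests that reached the proxy without TLS. A request for a
     CONFIDENTIAL resource arriving here is redirected to https on
     redirectPort, which is the proxy's port 443 (assumed). -->
<Connector protocol="HTTP/1.1" port="8080" address="127.0.0.1"
           redirectPort="443"/>

<!-- Requests the proxy has already decrypted. Tomcat does no TLS here;
     secure and scheme only set what request.isSecure() and
     request.getScheme() report, so the CONFIDENTIAL check passes
     instead of redirecting again. proxyPort makes generated URLs use
     443 rather than 8081.
     Everything arriving on this port is reported as secure, however it
     got there, so the port must be reachable only from the proxy
     (bound to loopback here as an assumption). -->
<Connector protocol="HTTP/1.1" port="8081" address="127.0.0.1"
           secure="true" scheme="https" proxyPort="443"/>

<!-- Looping variant, for comparison: if the proxy's port 443 also
     forwards to 8080, every decrypted request still reports
     isSecure() == false, is redirected to https again, and the client
     ends up in the redirect loop described in the thread. -->

<!-- WEB-INF/web.xml (fragment): the constraint that triggers the
     redirect. The URL pattern is a constructed sample. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```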


