tomcat-dev mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: SSL Connectors - config proposal
Date Tue, 17 Oct 2006 20:16:29 GMT
Jean-frederic Clere wrote:
>
> Filip Hanik - Dev Lists wrote:
>
>> gents and ladies,
>>
>> currently we are doing SSL a little bit differently between APR and 
>> the Java connectors.
>> The APR connector requires an attribute sslEngine="On" to kick in.
>>
>> I believe this attribute to be useful for two reasons:
>>
>> 1. Config should be as consistent as possible.
>>
>> 2. If I use an SSL network card, or Apache doing SSL etc, I would like to
>> trick Tomcat into thinking it is running in SSL
>> for example:
>>
>> Apache Port 80 -> mod_proxy(http) -> Tomcat 8080
>> <Connector protocol="HTTP/1.1" port="8080"/>
>> Apache Port 443 -> mod_proxy(http) -> Tomcat 8081
>> <Connector protocol="HTTP/1.1" port="8081" secure="true" 
>> scheme="https" sslEngine="off"/>
>>
>> This example here is with Apache, but if you use any kind of SSL 
>> accelerator, be it a network card or an appliance,
>> there is a risk of getting stuck in a redirect loop when using 
>> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> in web.xml
>>
>> Currently, you have to work around it using Valves or filters, but it 
>> can get a little messy.
>>
>> Useful?
>
> What would you propose if we use HTTP/AJP + SSL between Apache httpd 
> and TC?
AJP doesn't support SSL, so it's not affected.
> BTW: In TC 5.x the secure="true" or secure="false" does not behave as 
> in the documentation (See PR 40766).
Yes, this is what we are trying to avoid; secure="value" should just
result in request.getSecure returning value, and so on.
sslEngine="on" actually kicks in the SSL enc/dec.

Filip
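
The redirect loop described in the message above, traced as an added example (not part of the thread and not Tomcat code). It is a simplified model: the `Connector` class, `follow` function and both setups are hypothetical names and constructed data, with `secure` and `redirect_port` standing in for the connector's `secure` and `redirectPort` attributes.

```python
# Added illustration: simplified model of the CONFIDENTIAL check, not Tomcat code.
from dataclasses import dataclass

@dataclass
class Connector:
    secure: bool = False       # models secure="true": what the request reports as secure
    redirect_port: int = 443   # models redirectPort: target of the CONFIDENTIAL redirect

def follow(connectors, proxy_map, public_port, max_hops=5):
    """Trace a client request to a CONFIDENTIAL resource.

    proxy_map: public Apache port -> Tomcat connector port (TLS ends at Apache).
    Returns (public ports visited, outcome).
    """
    hops = []
    for _ in range(max_hops):
        hops.append(public_port)
        conn = connectors[proxy_map[public_port]]
        if conn.secure:
            return hops, "served"
        # Not secure: container answers with a redirect to https on redirect_port.
        public_port = conn.redirect_port
    return hops, "redirect loop"

# Constructed setup 1: both Apache ports forward to one plain connector.
def offload_without_flag(start_port):
    connectors = {8080: Connector()}
    return follow(connectors, {80: 8080, 443: 8080}, start_port)

# Constructed setup 2: the layout from the message, 443 -> 8081 marked secure.
def offload_with_flag(start_port):
    connectors = {8080: Connector(), 8081: Connector(secure=True)}
    return follow(connectors, {80: 8080, 443: 8081}, start_port)

if __name__ == "__main__":
    for port in (80, 443):
        print(port, offload_without_flag(port), offload_with_flag(port))
```

Because the flag is a configuration assertion rather than a transport check, anything that reaches port 8081 directly is treated as secure, so that port should accept connections only from the TLS terminator.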
