tomcat-users mailing list archives

From "Bill Bailey" <Bill.Bai...@northlandchurch.net>
Subject RE: AJP Connector - Problems Proxying HTTPS Connections
Date Mon, 05 Feb 2007 20:15:37 GMT

Chris and Hassan,

I removed the secure and scheme options to no avail; still seeing the
same behavior. Since the waters are getting a bit muddy, let me back up
and say what my goals are and maybe someone can suggest a change in
direction. Let me apologize in advance for the length of this message,
but I did not want to omit any detail that might shed light on the
problem.

I have a J2EE (Struts) Application running in Tomcat. I want to use
Apache HTTPD to provide the HTTPS connections and simply proxy all
requests to the Tomcat container. I want to use Tomcat only as a J2EE
container. I have not even configured SSL on Tomcat nor do I really want
to. I have set up SSL in Apache HTTPD and I can see convincing evidence
in the log files that Apache is accepting connections on port 443 and
attempting to handle them.

Another constraint is that I want the web site to be accessible by just
its hostname and domain (e.g. https://www.resourcepoint.org) and I don't
want to require a servlet context path to be typed as part of the URL
every time one accesses the site. This is why I created the virtual host
on Apache.

However, I found that I had problems if I deployed my application in
Tomcat using other than the ROOT context. The Struts tags I am using all
throughout my application embed the servlet context path in all of the
URLs generated by those tags. This means that a request for

http://www.resourcepoint.org/somefile.jsp

after being forwarded to my Tomcat application (deployed to
/resourcepoint for example) would return a page with embedded URLs that
look like

http://www.resourcepoint.org/resourcepoint/someotherfile.jsp

So the context (which I don't want visible to the end users) has
'escaped' into the browser world. I found that this was not a problem if
I made my application appear in the ROOT context for the server, but
didn't want to remove the standard ROOT applications (manager, etc.) for
the local host. Therefore, I decided to have a second virtual host on
the Tomcat side.

I configured it all as described above initially using just HTTP because
we were only in testing. Everything worked just fine.

I only ran into problems when I configured the additional virtual host
on Apache for SSL. Although Apache shows clearly in its log files that
it has accepted my HTTPS request AND although I can also see clearly in
the Tomcat log files that it has accepted a request on port 8009, the
next thing I see in the Tomcat logs is a redirect to the equivalent
http: URL.

I do not believe the redirect is coming from my application because I
see no evidence it gets far enough for any of my application code to
even execute. The default page for the application is index.jsp and the
redirect I see in the Tomcat logs is for this page, not any of the pages
it might forward to. One of my next tests is going to be to replace this
JSP with a vanilla HTML file to eliminate for certain the possibility
that my application is doing this unwanted redirect, but I'm reasonably
confident that it isn't.

My experimenting with proxyName, proxyPort, scheme, and secure on the
AJP connector were just that: experimentation. I tried almost every
combination including having none of them configured and I got the same
result with all the ones I tried. 

According to my interpretation of the documentation, these attributes
don't do much other than cause Tomcat to return the specified values for
the host, port, scheme, and secure attributes when you call the
corresponding Tomcat API calls (e.g. Request.isSecure(),
Request.getPort(), etc.) so it is not surprising in retrospect that
changing them hasn't altered the behavior.

Finally, I should mention that I have another application deployed on
this same platform (Apache SSL with Tomcat behind) that works perfectly.
The only difference is that in this other application there is no
virtual host on the Tomcat side; the Apache virtual host sends all
requests to the default host using the servlet context path of the
application.

If you've made it this far, thank you for your attention and any help
you can provide will be most appreciated.

Bill Bailey
Senior Developer / DBA
Northland, A Church Distributed

-----Original Message-----
From: Hassan Schroeder [mailto:hassan.schroeder@gmail.com] 
Sent: Monday, February 05, 2007 1:26 PM
To: Tomcat Users List
Subject: Re: AJP Connector - Problems Proxying HTTPS Connections

On 2/5/07, Bill Bailey <Bill.Bailey@northlandchurch.net> wrote:

>     ServerName www.resourcepoint.org:80
>     ServerAlias www.resourcepoint.org:80

again, the port # doesn't belong there, and there's no sense
to defining a ServerAlias the same as the ServerName

>     # Note that this approach with single argument
>     # nested in a Location element works just fine

>         ProxyPass ajp://127.0.0.1:8010/
>         ProxyPassReverse ajp://127.0.0.1:8010/

Personally I prefer to follow the documentation, even when
something "seems to work" otherwise... :-)

>     <Connector port="8009"
>                    address="127.0.0.1"
>                enableLookups="false"
>                protocol="AJP/1.3"
>                    secure="true"
>                    scheme="https"
>                    proxyName="www.resourcepoint.org"
>                    proxyPort="443" />

+1 on Christopher's comment -- AJP doesn't do https; I would remove
that from this connector and see what happens.

FWIW,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
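
Added for reference, not part of either message in this thread: a decoder for the start of an AJP13 Forward Request, the message a front end such as mod_proxy_ajp sends to the AJP connector, showing that the front-end host name, port and an is_ssl flag travel inside it. The helper names, the sample packet and `front_end_base` (a simplified model of the base URL those fields imply) are assumptions made for illustration; 192.0.2.10 is a constructed client address.

```python
import struct
METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT", 6: "DELETE"}

def _read_string(buf, pos):
    """AJP string: 2-byte big-endian length, the bytes, a NUL; length 0xFFFF means null."""
    if pos + 2 > len(buf):
        raise ValueError("truncated AJP string length")
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    end = pos + 2 + n
    if end >= len(buf) or buf[end] != 0:
        raise ValueError("truncated or unterminated AJP string")
    return buf[pos + 2:end].decode("latin-1"), end + 1

def parse_forward_request(packet):
    """Decode the leading fields of an AJP13 Forward Request (web server -> container)."""
    if len(packet) < 6 or packet[:2] != b"\x12\x34":
        raise ValueError("not a web-server-to-container AJP13 packet")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length or body[0] != 0x02:
        raise ValueError("truncated packet or not a Forward Request")
    fields, pos = {"method": METHODS.get(body[1], body[1])}, 2
    for name in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
        fields[name], pos = _read_string(body, pos)
    if pos + 3 > len(body):
        raise ValueError("truncated before server_port/is_ssl")
    fields["server_port"], ssl = struct.unpack_from(">HB", body, pos)
    fields["is_ssl"] = bool(ssl)
    return fields

def front_end_base(fields):
    """Simplified model (an assumption): the base URL implied by the decoded fields."""
    scheme, default = ("https", 443) if fields["is_ssl"] else ("http", 80)
    port = "" if fields["server_port"] == default else ":%d" % fields["server_port"]
    return "%s://%s%s" % (scheme, fields["server_name"], port)

def sample_packet(is_ssl, port):
    """Constructed sample: GET /index.jsp with no headers, as a front end might send it."""
    def enc(s):
        return struct.pack(">H", len(s)) + s.encode("latin-1") + b"\x00"
    body = (b"\x02\x02" + enc("HTTP/1.1") + enc("/index.jsp") + enc("192.0.2.10") + b"\xff\xff"
            + enc("www.resourcepoint.org") + struct.pack(">HBH", port, int(is_ssl), 0) + b"\xff")
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

if __name__ == "__main__":
    for ssl, port in ((True, 443), (False, 80)):
        print(front_end_base(parse_forward_request(sample_packet(ssl, port))))
```

Comparing the decoded `is_ssl`, `server_name` and `server_port` with the scheme and host in the redirect the container logs shows whether the front end's view of the connection reached Tomcat intact.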



