From: David Smith
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat 6 + Apache 2.0 with SSL
Date: Fri, 06 Jul 2007 05:19:32 -0400
Message-ID: <468E0924.70507@cornell.edu>
In-Reply-To: <468E1568.5000107@cern.ch>
References: <468D177A.9020309@hanik.com> <468D3979.3000901@cern.ch> <468D2322.4010003@hanik.com> <468D4AD0.4030000@cern.ch> <468D3D14.8090000@hanik.com> <468E1568.5000107@cern.ch>
Mailing-List: users@tomcat.apache.org (Tomcat Users List, run by ezmlm)
But all the contents of $CATALINA_HOME/webapps/$YOUR_APPLICATION/WEB-INF
do become exposed, and that should not be. If you are going to do that,
you should consider making sure you configure Apache httpd to not serve
up anything contained there.

--David

Arian Abrahantes wrote:
> Hi Filip:
>
> Just to end this because, probably, I am making a mistake or I didn't
> make myself clear in my previous post. Do you mean that in the Apache
> configuration, in the virtual host definition, one must not point the
> DocumentRoot directive to the folder where your contents are?
> Something like:
>
> DocumentRoot $CATALINA_HOME/webapps/$YOUR_APPLICATION
>
> I meant documents or applications, not Tomcat config files or anything
> alike, or at least that is what the previous line looks like. Please,
> if this is wrong, kindly consider telling me how it must be done. I
> don't see where the security issue is, because like this, IMHO, any
> other file from Tomcat is out of sight for sniffers.
>
> And Roger, original poster, just an example of how to integrate Apache
> and Tomcat with mod_proxy for an application based on Tomcat, which
> will clarify any doubt you had about setting up a configuration with
> Apache as proxy. I think I should have posted the example instead of
> trying to explain myself; my English is not good after all.
> http://195.14.236.181/opencms/opencms/alkacon-documentation/howto_apache_httpd/mod_proxy.html
>
> Hope you can explain it to me, and thanking you in advance,
>
> arian
>
> Filip Hanik - Dev Lists wrote:
>> Arian Abrahantes wrote:
>>> Hi Filip:
>>>
>>> I understood what he wanted to do. My post is about how needed this
>>> is for him. If it is a company requirement, OK. But if there is no
>>> requirement, why slow the server down?
>>>
>>> IMHO, in a properly set up Apache proxy configuration nobody except
>>> Apache will interact with the application (you name it) that lies
>>> below it. So even if companies or users wish this double
>>> encryption, I seriously doubt they will be getting more security.
>>>
>>> Anyway, as far as I know both servers can share the same keys for
>>> authentication (I am pretty sure there is a thread quite close in
>>> date -previous month- posted in this list or in OpenCms' one), and
>>> just looking into his config it should work, so just try it out. He
>>> is just missing the addition of the DocumentRoot where his contents
>>> under Tomcat lie.
>>
>> uh, absolutely not, never point your DocumentRoot to the Tomcat file
>> structure unless you know exactly how to secure it.
>> Filip
>>
>>> hth,
>>>
>>> arian
>>>
>>> Filip Hanik - Dev Lists wrote:
>>>> I think what he wants is
>>>>
>>>> browser -> http -> Apache -> http -> tomcat
>>>> browser -> https-> Apache -> https-> tomcat
>>>>
>>>> a lot of companies have these requirements
>>>>
>>>> Filip
>>>>
>>>> Arian Abrahantes wrote:
>>>>> Hi:
>>>>>
>>>>> I think this has already been discussed somewhere here. Why do
>>>>> you need double encryption? It is enough with the Apache one.
>>>>> Use something like:
>>>>>
>>>>> browser -> https -> Apache -> http -> tomcat
>>>>>
>>>>> pro:
>>>>>
>>>>> 1- Single encryption, fast server response.
>>>>>
>>>>> cons (at least for security):
>>>>>
>>>>> 1- none
>>>>>
>>>>> I may be wrong, please verify in the mailing list archive
>>>>>
>>>>> Filip Hanik - Dev Lists wrote:
>>>>>> question, does it work? or does it always send requests to 8080,
>>>>>> for both http and https?
>>>>>>
>>>>>> for your SSL, you can/need to add in your httpd client
>>>>>> certificate, ie, the certificate to use when contacting Tomcat
>>>>>> for SSL
>>>>>>
>>>>>> SSLProxyEngine On
>>>>>> ProxyPass / https://localhost:8443/
>>>>>> ProxyPassReverse / https://localhost:8443/
>>>>>> #
>>>>>> # Put your Proxy SSL Certificate directives here
>>>>>> #
>>>>>>
>>>>>> Filip
>>>>>>
>>>>>> Roger wrote:
>>>>>>> Hi there!
>>>>>>>
>>>>>>> I have some questions about how to set up Apache and Tomcat with
>>>>>>> SSL support. Currently I have the following setup:
>>>>>>>
>>>>>>> - Windows 2003
>>>>>>> - Tomcat 6.0.13
>>>>>>> - Apache 2.0.59 with
>>>>>>>   - openssl 0.9.7j
>>>>>>>   - mod_ssl
>>>>>>>   - mod_proxy
>>>>>>>   - mod_rewrite (not used)
>>>>>>>
>>>>>>> I have generated keys that work with Apache. So I can open a
>>>>>>> page like https://localhost/. I've tried to use mod_proxy to
>>>>>>> redirect all traffic to Tomcat, which works for http and https,
>>>>>>> using the following setup:
>>>>>>>
>>>>>>> Include conf/ssl.conf
>>>>>>>
>>>>>>> ProxyPass / http://localhost:8080/
>>>>>>> ProxyPassReverse / http://localhost:8080/
>>>>>>>
>>>>>>> SSLProxyEngine On
>>>>>>> ProxyPass https://localhost:443/ https://localhost:8443/
>>>>>>> ProxyPassReverse https://localhost:443/ https://localhost:8443/
>>>>>>>
>>>>>>> I have the following questions:
>>>>>>>
>>>>>>> 1) Is this a normal setup? Anything that could cause a problem?
>>>>>>> 2) I want to be able to route traffic for one webapp to https, not
>>>>>>> allowing it to be used via http. I don't care if this is done using
>>>>>>> mod_rewrite or mod_proxy or anything else.
>>>>>>>
>>>>>>> All suggestions are appreciated!
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Roger
>>>>>>>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
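The thread raises three concrete configuration points: David's warning that a DocumentRoot inside the webapp tree exposes WEB-INF, Roger's second question (one webapp reachable over https only), and Filip's SSLProxyEngine snippet for re-encrypting to Tomcat's 8443 connector. The httpd configuration below is an added example written for this page; it is not from the thread, from the Tomcat project or from the linked OpenCms how-to. It uses Apache 2.0/2.2 access-control syntax (Order/Deny) to match Roger's Apache 2.0.59. The hostname www.example.com, the directories under /srv/www, the webapp name "secureapp", the certificate file names and the CA file for Tomcat's certificate are all assumed values.

```apache
# Added example (not from the thread). httpd 2.0/2.2 in front of Tomcat:
#  (a) DocumentRoot is kept away from $CATALINA_HOME/webapps entirely
#  (b) WEB-INF and META-INF are denied as defence in depth
#  (c) /secureapp is forced onto https (Roger's question 2)
#  (d) the https vhost re-encrypts to Tomcat's 8443 connector and
#      verifies Tomcat's certificate (Filip's SSLProxyEngine snippet)
# Hostname, paths, app name and certificate files are assumed values.

# Forward proxying stays off: ProxyPass does not need it, and leaving it
# on turns this host into an open proxy for anyone who can reach port 80.
ProxyRequests Off

# (b) Never let httpd hand out the servlet container's private directories.
# (?i) makes the match case-insensitive, which matters on Windows, where
# /web-inf/web.xml maps to the same file on disk as /WEB-INF/web.xml.
<LocationMatch "(?i)/(WEB-INF|META-INF)(/|$)">
    Order allow,deny
    Deny from all
</LocationMatch>

# (a) Static assets live in a directory that holds nothing else.
<Directory /srv/www/static>
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<VirtualHost *:80>
    ServerName www.example.com
    # Deliberately an empty directory: nothing is served from it.
    DocumentRoot /srv/www/htdocs

    # (c) Keep /secureapp off plain http. mod_proxy's translate hook runs
    # before mod_alias, so the path must be excluded from the proxy first,
    # otherwise ProxyPass / would claim it and the Redirect never fires.
    ProxyPass /secureapp !
    Redirect permanent /secureapp https://www.example.com/secureapp

    # Static files are served locally; everything else goes to Tomcat.
    # Exclusions must precede the catch-all ProxyPass /.
    ProxyPass /static !
    Alias /static /srv/www/static
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /srv/www/htdocs

    SSLEngine on
    SSLCertificateFile    conf/ssl/www.example.com.crt
    SSLCertificateKeyFile conf/ssl/www.example.com.key

    # (d) Re-encrypt to Tomcat. SSLProxyVerify require makes httpd reject
    # the back end unless its certificate chains to the CA file below, so a
    # stray listener on 8443 cannot silently take Tomcat's place.
    SSLProxyEngine on
    SSLProxyCACertificateFile conf/ssl/tomcat-ca.crt
    SSLProxyVerify require

    ProxyPass /static !
    Alias /static /srv/www/static
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
```

Two things to check after dropping this in. First, `httpd -t` (httpd.exe -t on Windows) validates the syntax before a restart. Second, Arian's premise that "nobody except Apache will interact with the application" only holds if Tomcat's 8080 and 8443 connectors are unreachable from outside, which means either setting address="127.0.0.1" on each Connector in server.xml or blocking those ports at the host firewall; the proxy configuration itself does nothing to prevent a direct connection to Tomcat.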