tomcat-users mailing list archives

From André Warnier
Subject SSL/HTTPS forwarding under Apache + mod_jk + tomcat
Date Fri, 13 Jun 2008 07:54:42 GMT
Hi List.

(Indirect ref : previous thread "Moving from a very old Tomcat to a new 

Ref :
Item : JkExtractSSL

Do I understand this right that this parameter JkExtractSSL (default On) 
controls whether Tomcat receives or not the information, through mod_jk, 
that the original request to Apache was made via HTTPS ?

Or, in other words, that if one wanted Tomcat "not to know" and handle 
the current session as a normal non-secure HTTP connection, one could 
just set this parameter to "Off" ?

And, again in other words, if this parameter was set to Off, and Tomcat 
generated a new session and a JSESSIONID session cookie for this 
session, that the cookie would thus not be marked secure ?

---- maybe separately ----

The above refers generally to the following kind of scenario.  It is 
also generally speaking a question to the specialists here. My purpose 
is to make sure I understand this whole thing correctly.

Scenario :

For whatever good reason, Apache is used as the front-end HTTP/HTTPS 
server and (possibly) serving some portion of the content itself, while 
some (or all) requests are being forwarded, through mod_jk, to a 
background Tomcat for content generation.
For whatever good reason also, the connection between the client 
(browser) and Apache is a HTTPS (encrypted) connection.

The connection between the front-end Apache and the back-end Tomcat 
through mod_jk is never secure (the AJP protocol does not support 
In this scenario, it does not matter because this connection is deemed 
secure for other reasons (e.g. both are running on the same host, and 
Tomcat is set up so that it accepts only connections through Apache).

The unencrypted content, as generated and delivered by Tomcat back to 
Apache via mod_jk, will be forwarded back to the browser by Apache over 
the HTTPS connection, thus encrypted by Apache (generally speaking; in 
reality probably this happens in an underlying SSL connection layer).

It is possible, but not mandatory, to let Tomcat know about the HTTPS 
nature of the original browser/Apache connection. 
This might be necessary/helpful in some scenarios (such as ?)

To let Tomcat know that the original connection is HTTPS, one uses the 
"JkExtractSSL On" mod_jk directive. ("On" is the default value.)
To prevent Tomcat from knowing, one uses "JkExtractSSL Off".

If "JkExtractSSL On" is used, then one may/must also pass additional 
HTTPS-related information from Apache to Tomcat via the 
"JkHTTPSIndicator", "JkCERTSIndicator", et al. directives.
This is useful/required for (?)

The general gist is that if for some reason, it is necessary to have 
Apache handle HTTPS connections anyway, and the connection between 
Apache and Tomcat is inherently secure, then there might be no reasons 
to "propagate" the HTTPS overhead to Tomcat, and one might as well 
handle it all at the Apache level.
Or am I missing something ?
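Added example, not part of the original message: an Apache httpd configuration fragment for the scenario described above, with the two JkExtractSSL settings side by side. It assumes mod_ssl and mod_jk are loaded, that workers.properties defines a worker named `ajp13`, and the host name and certificate paths are placeholders.

```apache
# Constructed example: Apache terminates HTTPS and forwards to Tomcat via mod_jk.
# Assumes mod_ssl and mod_jk are loaded and workers.properties defines "ajp13".
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Export the mod_ssl variables that the Jk*Indicator directives name below.
    # ExportCertData is what makes SSL_CLIENT_CERT available.
    SSLOptions +StdEnvVars +ExportCertData

    # Variant A (the default): tell Tomcat the client connection was HTTPS.
    # Tomcat then reports request.isSecure() == true and "https" from
    # getScheme(), sets the Secure flag on the JSESSIONID cookie it creates,
    # and can satisfy a CONFIDENTIAL <transport-guarantee> in web.xml.
    # The indicator values shown are mod_jk's documented defaults.
    JkExtractSSL On
    JkHTTPSIndicator   HTTPS
    JkCERTSIndicator   SSL_CLIENT_CERT
    JkCIPHERIndicator  SSL_CIPHER
    JkSESSIONIndicator SSL_SESSION_ID
    JkKEYSIZEIndicator SSL_CIPHER_USEKEYSIZE

    # Variant B: hide the HTTPS origin from Tomcat. Tomcat sees a plain HTTP
    # request: isSecure() is false, the session cookie is NOT marked Secure
    # (so a browser will also send it on any later http:// request to the
    # same host), and a CONFIDENTIAL transport-guarantee makes Tomcat redirect
    # to the AJP connector's redirectPort instead of serving the page.
    # Use this line in place of Variant A only if none of that matters.
    # JkExtractSSL Off

    JkMount /app/* ajp13
</VirtualHost>
```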

