tomcat-users mailing list archives

From Rainer Jung <>
Subject Re: SSL/HTTPS forwarding under Apache + mod_jk + tomcat
Date Fri, 13 Jun 2008 08:47:37 GMT
André Warnier wrote:
> Hi List.
> (Indirect ref : previous thread "Moving from a very old Tomcat to a new 
> Tomcat.")
> Ref :
> Item : JkExtractSSL
> Do I understand this right that this parameter JkExtractSSL (default On) 
> controls whether Tomcat receives or not the information, through mod_jk, 
> that the original request to Apache was made via HTTPS ?

Yes. It controls this plus whether info about certificate, ssl session id, 
key length etc. gets forwarded.

> Or, in other words, that if one wanted Tomcat "not to know" and handle 
> the current session as a normal non-secure HTTP connection, one could 
> just set this parameter to "Off" ?


> And, again in other words, if this parameter was set to Off, and Tomcat 
> generated a new session and a JSESSIONID session cookie for this 
> session, that the cookie would thus not be marked secure ?

Didn't try this. What do your tests say?

Additional info:

If your own knowledge about secure / non secure differs from that of 
httpd (e.g. you use an ssl accelerator in front of httpd) and you want 
to present your own idea of secure / non secure via mod_jk to Tomcat, 
you can set JkHTTPSIndicator to the name of some httpd environment 
variable, and then set the environment variable depending on details of 
the request via mod_setenvif or mod_rewrite.

But if you simply want to drop all ssl info, setting JkExtractSSL to off 
is right.

> ---- maybe separately ----
> It is possible, but not mandatory, to let Tomcat know about the HTTPS 
> nature of the original browser/Apache connection. 
> This might be necessary/helpful in some scenarios (such as ?)

To be able to enforce security constraints.

> If "JkExtractSSL On" is used, then one may/must also pass additional 
> HTTPS-related information from Apache to Tomcat via the 
> "JkHTTPSIndicator", "JkCERTSIndicator", et al. directives.
> This is useful/required for (?)

First of all I think it's required by the servlet spec, so if we want to 
present the developer a consistent environment either if using with 
standalone Tomcat or mod_jk/Tomcat we need to forward the info to Tomcat.

> The general gist is that if for some reason, it is necessary to have 
> Apache handle HTTPS connections anyway, and the connection between 
> Apache and Tomcat is inherently secure, then there might be no reasons 
> to "propagate" the HTTPS overhead to Tomcat, and one might as well 
> handle it all at the Apache level.
> Or am I missing something ?

Be aware that there might be other ways into your app, like the default 
Tomcat http connector. If you are sure you don't need the info and you 
don't need to double check the security of the connection, you can 
really disable using JkExtractSSL.
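As an added worked example (not from the thread or the mod_jk project), an httpd config fragment for the accelerator case Rainer describes: mod_rewrite sets an environment variable only when the request arrives from the accelerator's address and carries X-Forwarded-Proto: https, and JkHTTPSIndicator points mod_jk at that variable. The accelerator address, the header name and the worker name are assumptions.

```apache
# Added example, not from the thread. Assumes an SSL accelerator at
# 192.0.2.10 (constructed address) terminates TLS and sets
# "X-Forwarded-Proto: https" on the requests it forwards to httpd.
LoadModule jk_module      modules/mod_jk.so
LoadModule rewrite_module modules/mod_rewrite.so

JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log

# Leave SSL extraction at its default (On) so mod_jk forwards the
# SSL indication to Tomcat at all.
JkExtractSSL On

# Take the secure / non-secure decision from our own variable rather
# than httpd's HTTPS variable, which mod_ssl only sets on SSL vhosts.
JkHTTPSIndicator FRONTEND_HTTPS

# Both conditions must hold (RewriteConds are ANDed): the header alone
# is client-controlled, so only honour it from the accelerator's address.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} =192.0.2.10
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule ^ - [E=FRONTEND_HTTPS:on]

# Any request that did not match is forwarded as plain HTTP; mod_jk
# treats any value other than "on" as not secure.
JkMount /myapp/* worker1

# Alternative for the "drop all ssl info" case from the thread, when
# Tomcat should never see SSL details (the indicator above is then moot):
#   JkExtractSSL Off
```

With JkExtractSSL Off, as Rainer notes, Tomcat can no longer enforce transport-guarantee security constraints itself, and a direct path via the default Tomcat HTTP connector bypasses this httpd-side decision entirely.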
