tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: https & j_security_check apparently Solved :P
Date Tue, 19 Aug 2008 17:14:51 GMT


Julio César Chaves Fernández wrote:
> I'm sorry but I read the previous question and now that I notice it
> doesn't make any sense given that apache is connecting tomcat by AJP
> connector ... the question would be if there is a way to redirect a
> request over http for an application that has a confidential
> transport guarantee defined in the application not through the port
> defined in the AJP connector but by port 443?

If you want all traffic to be handled by Apache httpd and mod_jk in this

Client --- HTTP  (80)  ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat

Then you need only a single connector:

<Connector port="8100" protocol="AJP/1.3" />

(Plus any other settings you want to add).

Apache httpd will handle all of the HTTPS stuff for you. Remove all
other connectors from Tomcat.

If you want to be able to support alternate ports that go directly to
Tomcat, like this:

Client --- HTTP  (80)  ---> Tomcat
Client --- HTTPS (443) ---> Tomcat

Then you will need two connectors:

<Connector port="80" />
<Connector port="443" scheme="https" sslProtocol="TLS"/>

(Plus any other settings you want to add).

If you want to support both configurations at the same time, you will
need 3 connectors, but each with unique port numbers. Something like this:

Client --- HTTP  (80)  ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTP  (8080) ---> Tomcat
Client --- HTTPS (8443) ---> Tomcat

<Connector port="8100" protocol="AJP/1.3" />    <!-- for AJP   -->
<Connector port="8080" redirectPort="8443" />   <!-- for HTTP  -->
<Connector port="8443" scheme="https" sslProtocol="TLS"/>

If you want to use port 443 as the redirect port for your 8080
connector, then go ahead and do it. However, to me it only makes sense
to support /either/ direct-to-Tomcat /or/ via-Apache-httpd configurations.

-chris
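
The case the quoted question asks about (everything through Apache httpd, with an application that declares a confidential transport guarantee), as an added configuration example that is not part of the original message. The resource name and URL pattern are constructed for illustration, and it assumes httpd serves HTTPS on 443 and forwards to the same AJP port 8100, as in the first diagram.

```xml
<!-- WEB-INF/web.xml (fragment): the application demands confidential transport.
     The resource name and URL pattern are constructed for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/server.xml (fragment): the single AJP connector from the message above.
     redirectPort is the port Tomcat puts in the https:// redirect it sends when
     a request that arrived without SSL matches the constraint; 443 is the port
     Apache httpd serves HTTPS on in the diagram. -->
<Connector port="8100" protocol="AJP/1.3" redirectPort="443" />
```

Requests that httpd received over HTTPS are flagged as secure in the AJP message, so they satisfy the constraint and are not redirected again.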
