Return-Path: 
 <users-return-184147-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 87800 invoked from network); 19 Aug 2008 17:15:35 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 19 Aug 2008 17:15:35 -0000
Received: (qmail 56731 invoked by uid 500); 19 Aug 2008 17:15:21 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 56711 invoked by uid 500); 19 Aug 2008 17:15:21 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 56700 invoked by uid 99); 19 Aug 2008 17:15:21 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 19 Aug 2008 10:15:21 -0700
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [76.96.62.80] (HELO QMTA08.westchester.pa.mail.comcast.net)
 (76.96.62.80)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 19 Aug 2008 17:14:23 +0000
Received: from OMTA04.westchester.pa.mail.comcast.net ([76.96.62.35])
	by QMTA08.westchester.pa.mail.comcast.net with comcast
	id 4Gl71a0040ldTLk58HErQh; Tue, 19 Aug 2008 17:14:51 +0000
Received: from [192.168.1.105] ([68.55.225.178])
	by OMTA04.westchester.pa.mail.comcast.net with comcast
	id 4HEr1a00W3ra03G3QHErb0; Tue, 19 Aug 2008 17:14:51 +0000
X-Authority-Analysis: v=1.0 c=1 a=4Anb-S8jY5cA:10 a=G78sZn4wCE8A:10
 a=xe8BsctaAAAA:8 a=Cr3PYhOTbpVAjz5NUzYA:9 a=8NCX2K7zgoABRq10mrsA:7
 a=ioJ8wuWEbh2PD4c5xSLb8pJbzQYA:4 a=rPt6xJ-oxjAA:10
Message-ID: <48AAFF8B.30703@christopherschultz.net>
Date: Tue, 19 Aug 2008 13:14:51 -0400
From: Christopher Schultz <chris@christopherschultz.net>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: https & j_security_check apparently Solved :P
References: <BLU119-W3261EEA210B632D8C56769FB740@phx.gbl>
 <489D04ED.5000706@christopherschultz.net>
   <BLU119-W542B1A21A22910DE001D90FB770@phx.gbl> <489DC7B6.8060703@apache.org>
   <BLU119-W22BB8E84789208DDD01731FB770@phx.gbl>
  <BLU119-W380E5992985060823F06E7FB730@phx.gbl>
  <48A30423.1020209@christopherschultz.net>
  <BLU119-W326D9021A1BE4ED59DFBDAFB730@phx.gbl>
  <48A309EB.5040305@christopherschultz.net>
  <BLU119-W20137673BB8DFE939E044FFB730@phx.gbl>
  <48A31D87.7000602@christopherschultz.net>
  <BLU119-W1333B2C7A6F098A4C12D94FB720@phx.gbl>
  <48A45D72.1020507@christopherschultz.net>
  <BLU119-W3A4AC89498871780D9B44FB6D0@phx.gbl>
  <48A59C51.20807@christopherschultz.net>
  <BLU119-W32D961A9320C4C9D4BFFF9FB6D0@phx.gbl>
  <48A5B7D5.2070802@christopherschultz.net>
  <BLU119-W52151F9D98F22195DF3864FB690@phx.gbl>
 <BLU119-W511F8507CF255F868A2ACEFB690@phx.gbl>
In-Reply-To: <BLU119-W511F8507CF255F868A2ACEFB690@phx.gbl>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Virus-Checked: Checked by ClamAV on apache.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julio,

Julio César Chaves Fernández wrote:
> I'm sorry but i read the previous question and now that i notice i
> doesn't make any sense given that apache is connecting tomcat by AJP
> connector ... the question would be if there is a way to redirect a
> request over http for an application that has a confidential
> transport guarantee defined in the application not through the port
> defined in the AJP connector but by port 443?

If you want all traffic to be handled by Apache httpd and mod_jk in this
way:

Client --- HTTP  (80)  ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat

Then you need only a single connector:

<Connector port="8100" protocol="AJP/1.3" />

(Plus any other settings you want to add).

Apache httpd will handle all of the HTTPS stuff for you. Remove all
other connectors from Tomcat.

If you want to be able to support alternate ports that go directly to
Tomcat, like this:

Client --- HTTP  (80)  ---> Tomcat
Client --- HTTPS (443) ---> Tomcat

Then you will need two connectors:

<Connector port="80" />
<Connector port="443" scheme="https" sslProtocol="TLS"/>

(Plus any other settings you want to add).

If you want to support both configurations at the same time, you will
need 3 connectors, but each with unique port numbers. Something like this:

Client --- HTTP  (80)  ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTPS (443) ---> Apache httpd --- AJP (8100) ---> Tomcat
Client --- HTTP  (8080) ---> Tomcat
Client --- HTTPS (8443) ---> Tomcat

<Connector port="8100" protocol="AJP/1.3" />    <!-- for AJP   -->
<Connector port="8080" redirectPort="8443" />   <!-- for HTTP  -->
<Connector port="8443" scheme="https" sslProtocol="TLS"/>

If you want to use port 443 as the redirect port for your 8080
connector, then go ahead and do it. However, to me it only makes sense
to support /either/ direct-to-Tomcat /or/ via-Apache-httpd configurations.

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiq/4sACgkQ9CaO5/Lv0PC7dwCgky/b57zH2RYKBc14jPo1mNXQ
/g8AnAhjkevlaEyaoG0B7Pz3txgn8FFp
=BhcA
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org