tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tobias Crefeld ...@cataneo.eu>
Subject Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Date Fri, 22 Jan 2010 13:24:49 GMT
I guess that you should exchange the "JkMount /* tomcatssl" by
"JkMount /* tomcat1" provided you use a "standard" Tomcat-setup.

For a parallel SSL- + Non-SSL-Setup using Apache2 you basically need 2
virtual-hosts in Apache2. One for Port 443 with the
standard-SSL-parameters Apache2 expects to integrate OpenSSL for https
and another for Port 80 / plain http. The Jk-directives are the same for
both virtual hosts and don't care about SSL and go to Tomcats port 8009
(= using standard configuration). 
8443 is typically the http-over-ssl-port (=http) for direct SSL access via
coyote-connector and has nothing to do with ajp.

If your Apache2 is doing the SSL-integration Tomcat "sees" no
SSL-traffic because Apache2 lets openssl do the conversion from SSL and
is connecting to Tomcat without any SSL-traffic but simple http.

You can give Tomcat some information about the SSL-session like you did
with

>  JkExtractSSL On
>  JkHTTPSIndicator HTTPS
>  JkSESSIONIndicator SSL_SESSION_ID
>  JkCIPHERIndicator SSL_CIPHER
>  JkCERTSIndicator SSL_CLIENT_CERT

but then you have to give Apache2 an advice to deliver these
information by a 
 "SSLOptions +StdEnvVars +ExportCertData"

(http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might
give you an idea about the two possibilities to setup Tomcat + SSL)


On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat
6 on Solaris - nearly the same setup as under Linux.
These servers run with SSL and Non-SSL parallel but without these extra
Jk-SSL-indicator-parameters you are using.


Gruß,
 Tobias.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message