tomcat-users mailing list archives

From Matt Turner <m4tt_tur...@hotmail.com>
Subject RE: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
Date Fri, 22 Jan 2010 14:25:11 GMT

In my case sometimes I do need to pass through the SSL to Tomcat, as I'm running CAS which
requires genuine SSL requests.

(I do also have some SSL requests that tomcat doesn't need to see - which I will send via
8009 as has been suggested).

The SSL pass-through requirement explains why I was attempting to pass through to :8443 directly
- but it sounds like that's the wrong approach.

Should I just use something like..

  ProxyPass /cas https://10.13.0.218:8443/cas ?

Many thanks,

matt.

> Date: Fri, 22 Jan 2010 14:24:49 +0100
> From: tc@cataneo.eu
> To: users@tomcat.apache.org
> Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52
> 
> I guess that you should exchange the "JkMount /* tomcatssl" by
> "JkMount /* tomcat1" provided you use a "standard" Tomcat-setup.
> 
> For a parallel SSL- + Non-SSL-Setup using Apache2 you basically need 2
> virtual-hosts in Apache2. One for Port 443 with the
> standard-SSL-parameters Apache2 expects to integrate OpenSSL for https
> and another for Port 80 / plain http. The Jk-directives are the same for
> both virtual hosts and don't care about SSL and go to Tomcat's port 8009
> (= using standard configuration).
> 8443 is typically the http-over-ssl-port (=http) for direct SSL access via
> coyote-connector and has nothing to do with ajp.
> 
> If your Apache2 is doing the SSL-integration Tomcat "sees" no
> SSL-traffic because Apache2 lets openssl do the conversion from SSL and
> is connecting to Tomcat without any SSL-traffic but simple http.
> 
> You can give Tomcat some information about the SSL-session like you did
> with
> 
> > JkExtractSSL On
> > JkHTTPSIndicator HTTPS
> > JkSESSIONIndicator SSL_SESSION_ID
> > JkCIPHERIndicator SSL_CIPHER
> > JkCERTSIndicator SSL_CLIENT_CERT
> 
> but then you have to advise Apache2 to deliver this
> information with
> "SSLOptions +StdEnvVars +ExportCertData"
> 
> (http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html might
> give you an idea about the two possibilities to setup Tomcat + SSL)
> 
> 
> On some of our servers we're still running Apache 2.0 + mod_jk + Tomcat
> 6 on Solaris - nearly the same setup as under Linux.
> These servers run with SSL and Non-SSL parallel but without these extra
> Jk-SSL-indicator-parameters you are using.
> 
> 
> Regards,
> Tobias.
> 
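
The two-virtual-host layout Tobias describes in the quoted reply, written out as an added example (not configuration posted by anyone in the thread). The worker host is the address from Matt's message; the ServerName, the certificate paths and the workers.properties location are placeholders or assumptions.

```apache
# workers.properties (a separate file, shown here as comments).
# A single AJP worker on Tomcat's standard AJP port, not on 8443:
#   worker.list=tomcat1
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=10.13.0.218
#   worker.tomcat1.port=8009

# Assumed location of the worker definitions
JkWorkersFile conf/workers.properties

# Plain http: forwarded to Tomcat over AJP
<VirtualHost *:80>
    ServerName www.example.com
    JkMount /* tomcat1
</VirtualHost>

# https: Apache terminates SSL, then uses the same AJP worker
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Make mod_ssl export the SSL_* variables (and certificate data)
    # that the Jk*Indicator directives below refer to
    SSLOptions +StdEnvVars +ExportCertData

    # Forward SSL session details to Tomcat alongside each request
    JkExtractSSL On
    JkHTTPSIndicator HTTPS
    JkSESSIONIndicator SSL_SESSION_ID
    JkCIPHERIndicator SSL_CIPHER
    # SSL_CLIENT_CERT is only set when the client presents a certificate
    JkCERTSIndicator SSL_CLIENT_CERT

    JkMount /* tomcat1
</VirtualHost>
```

AJP traffic between Apache and port 8009 is not encrypted, so this layout assumes the link to the Tomcat host is a trusted network segment.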