From: Christopher Schultz
To: Tomcat Users List
Date: Mon, 25 Jan 2010 11:17:09 -0500
Subject: Re: mod_jk errors with tomcat 6.0.20 and Apache 2.0.52

Matt,

On 1/22/2010 5:09 PM, Matt Turner wrote:
> In between times I tried the ProxyPass which seems to work fine, but I'd much rather use plain AJP so I'll try that next.

AJP is the protocol used by both mod_jk and mod_proxy_ajp (which is what you get if you use ProxyPass with an ajp:// URL). Which one depends on your requirements:

mod_proxy_ajp is bundled with Apache httpd and therefore has (usually) no additional compilation and/or configuration to perform. Also, all configuration for URL mapping, etc. occurs within httpd.conf.

mod_jk is separate and should be compiled on the target system, which is inconvenient for some users. mod_jk is much older and has therefore undergone much more in the way of testing in the wild. While configuration can be done in httpd.conf, historically it's always been done in an external file with a proprietary format, which increases complexity.

In my experience, mod_jk is better with complex configurations than mod_proxy_ajp, but mod_proxy_ajp is much more convenient for simple configurations.

> I've had problems previously getting CAS working where the SSL is
> handled by the webserver - however from what everyone has said and
> having read around the issue a bit more, it does sound like using AJP
> ought to work, so long as Apache is configured to pass through all the
> relevant SSL and cert. info to tomcat (presumably so that isSecure() can
> work, plus I think CAS validates certificates too).

This will work: I've recently been playing around with client certificates passed through Apache httpd and it worked quite well once the stars aligned for me (and I upgraded certain components that had known issues with SSL cert chains).
I had Apache httpd validate the certs and then pass them through to Tomcat, where I performed a manual certification-checking process as a double-check as well as to pull some information from the cert for identification purposes.

Good luck,
-chris
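
The kind of application-side double-check described in the message above, as an added example that is not code from the original post: it re-validates the forwarded chain against the application's own CA store with the JDK's PKIX validator and extracts the subject CN. The class name, method name and command-line arguments are hypothetical, and revocation checking is assumed to be out of scope.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (hypothetical names). In a servlet, "chain" is the request attribute
// "javax.servlet.request.X509Certificate"; assumed leaf first, trust anchor not included.
public final class ForwardedCertCheck {
    public static String validateAndIdentify(X509Certificate[] chain, KeyStore trustedCas)
            throws Exception {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate was forwarded");
        }
        chain[0].checkValidity(); // fail fast on an expired or not-yet-valid leaf
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustedCas);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source is configured
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws if untrusted
        // Identification: take the CN from the subject DN (RFC 2253 string form).
        LdapName dn = new LdapName(chain[0].getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        throw new CertificateException("subject DN has no CN");
    }

    // Usage: java ForwardedCertCheck <chain.pem> <truststore> <password>
    public static void main(String[] args) throws Exception {
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in)
                    .toArray(new X509Certificate[0]);
        }
        KeyStore cas = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            cas.load(in, args[2].toCharArray());
        }
        System.out.println("Client CN: " + validateAndIdentify(chain, cas));
    }
}
```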