tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: enforcing SSL only for external clients
Date Wed, 08 Dec 2010 22:01:32 GMT
Aggarwal, Ajay wrote:
> Thanks to all who have given different suggestions.
> 
> Binding HTTP (port 80) to 127.0.0.1 and HTTPS (port 443) to external/public IP will not
> work for me. My situation is slightly more complicated.

Now why did I guess that already?
Probably the experience of customer-written specifications.
:-)

> For external clients, I want to enforce SSL only on part of my application (certain URLs)
> not all.
> 
> I will look into URL Rewrite as suggested by Nicholas.
> 
And when you really take into account all aspects of the requirements (authentication for
the externals?), you may still want to have a second look at the 2 <Host> possibilities.

Mixing SSL and non-SSL parts within the same application is - in my humble view - a recipe
for a lot of complications and user inconvenience.
(Such as: some browsers will pop up a message to the user, when switching from HTTP to
HTTPS and vice-versa)

Q: if a part of it, for some category of users, has to go through HTTPS, then what stops
you from making it all HTTPS for everyone, internal and external?

Q: what about a simple front-end proxy, which would take care of the HTTPS part for the
externals, and connect internally to Tomcat over standard HTTP?
The internals can go around the proxy and access the application directly via HTTP.

A minimal Apache httpd, running on the same box, would do that easily.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
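
The front-end proxy suggested in the message above, sketched as an Apache httpd configuration. This is an added example, not part of the original post or of the Tomcat project; the external address 192.0.2.10, the hostname app.example.com, the certificate paths and the Tomcat HTTP connector on port 8080 are assumptions chosen for illustration.

```apache
# Added example; address, hostname, paths and ports are constructed placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.

# httpd listens only on the externally reachable address, and only for HTTPS.
# There is deliberately no port-80 listener on this address, so external
# clients have no clear-text route to the application.
Listen 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Pass the original Host header so the application builds correct links.
    ProxyPreserveHost On

    # Overwrite (not append) any client-supplied value, so the header Tomcat
    # receives always reflects what the proxy actually saw.
    RequestHeader set X-Forwarded-Proto "https"

    # TLS ends here; the hop to Tomcat on the same box is plain HTTP.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Internal clients bypass httpd and use Tomcat's HTTP connector directly.
# Two checks on the Tomcat side keep the split meaningful:
#  - a firewall rule (or the connector's bind address) must keep port 8080
#    unreachable from external networks;
#  - internal clients can send their own X-Forwarded-Proto, so Tomcat should
#    honour that header only for requests arriving from the proxy address
#    (127.0.0.1 here), for instance through RemoteIpValve's internalProxies.
```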

