tomcat-users mailing list archives

From André Warnier
Subject Re: enforcing SSL only for external clients
Date Wed, 08 Dec 2010 22:01:32 GMT
Aggarwal, Ajay wrote:
> Thanks to all who have given different suggestions.
> Binding HTTP (port 80) to and HTTPS (port 443) to external/public IP will not
> work for me. My situation is slightly more complicated.

Now why did I guess that already ?
Probably the experience of customer-written specifications.

> For external clients, I want to enforce SSL only on part of my application (certain URLs)
> not all.
> I will look into URL Rewrite as suggested by Nicholas.

And when you really take into account all aspects of the requirements (authentication for
the externals ?), you may still want to have a second look at the 2 <Host> possibilities.

Mixing SSL and non-SSL parts within the same application is - in my humble view - a recipe
for a lot of complications and user inconvenience.
(Such as : some browsers will pop up a message to the user, when switching from HTTP to
HTTPS and vice-versa)

Q: if a part of it, for some category of users, has to go through HTTPS, then what stops 
you from making it all HTTPS for everyone, internal and external ?

Q: what about a simple front-end proxy, which would take care of the HTTPS part for the 
externals, and connect internally to Tomcat over standard HTTP ?
The internals can go around the proxy and access the application directly via HTTP.

A minimal Apache httpd, running on the same box, would do that easily.
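
The front-end proxy layout suggested above, sketched as an added example that is not part of the original message: httpd terminates HTTPS for external clients and forwards to Tomcat over plain HTTP, while internal clients reach Tomcat directly. The hostname, ports, addresses and certificate paths are placeholders, and the two-connector split on the Tomcat side is an assumption about how one might keep externals from bypassing the proxy.

```apache
# Added example, not from the original thread.
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.
# All names, ports and paths below are placeholders.

# Listen for HTTPS on the external side. Skip this line if the
# distribution's ssl.conf already declares it.
Listen 443

<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the client's Host header through to Tomcat.
    ProxyPreserveHost On

    # Forward to a Tomcat HTTP connector that only this box can reach.
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

# Matching Tomcat server.xml connectors (shown as comments because
# this file is httpd configuration):
#
# Connector used only by the proxy. Bound to loopback so external
# clients cannot reach it directly. proxyName/proxyPort/scheme/secure
# make request.isSecure() return true and make redirects generated by
# the application point at https://app.example.com/.
#
#   <Connector port="8081" address="127.0.0.1" protocol="HTTP/1.1"
#              proxyName="app.example.com" proxyPort="443"
#              scheme="https" secure="true" />
#
# Connector for internal clients, who go around the proxy over HTTP.
# Bound to the internal interface only, so it is not exposed on the
# external/public address.
#
#   <Connector port="8080" address="INTERNAL_IP_PLACEHOLDER"
#              protocol="HTTP/1.1" />
```

With this split, a `CONFIDENTIAL` transport-guarantee in the application's web.xml is satisfied for proxied external requests, because Tomcat treats everything arriving on the 8081 connector as secure.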
