From: André Warnier
Date: Mon, 18 Jul 2011 11:24:22 +0200
To: Tomcat Users List
Subject: Re: https server behind apache

AngeloChen wrote:
> Hi,
>
> I set up a virtual host for ssl in apache,

We will assume that you know what you are doing, but just as a reminder : HTTPS and VirtualHosts are not really compatible. You can make it work, but only with one name-based VirtualHost. If you are not sure or do not understand this, read the relevant Apache documentation carefully.

> www.sample.com, it uses mod_proxy
> to redirect to a tomcat server:
>
> ProxyPass / https://localhost:8443/
> ProxyPassReverse / https://localhost:8443/
> ProxyPreserveHost on
>
> SSLEngine on
> SSLProxyEngine on
>
> SSLCertificateFile /etc/httpd/sample.crt
> SSLCertificateKeyFile /etc/httpd/sample.key
>
> do I need a jks in the tomcat side? Thanks,
>

The usual way to do this, is to "terminate HTTPS" at the Apache level, and proxy to Tomcat over normal HTTP, particularly if Tomcat is on the same host.

The reason is that HTTPS has a cost : every packet going to Tomcat has to be encrypted, and decrypted at the Tomcat side; and every packet sent by Tomcat to Apache, similarly.

If the browsers use HTTPS to communicate with Apache, then that part of the link is secure, and that is usually what you want. If the link between Apache and Tomcat is "private" (and if it is on the same host, you can probably consider it so), there is no real need to encrypt the traffic between them, and have all the complication of SSL there again.

Now also : considering your Proxy directives above, it looks like you are proxying *everything* to Tomcat, and that Apache does nothing except forwarding requests/responses back and forth. So the question is : do you really need Apache httpd for any reason ? Tomcat alone can act as a webserver, HTTP or HTTPS. You could set up Tomcat to respond to port 80 (and 443) directly, and save yourself the complication and overhead of Apache httpd.
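
The "terminate HTTPS at Apache" layout described in the reply above, as an added configuration example that is not part of the original thread. It assumes Tomcat's plain HTTP connector is on 127.0.0.1:8080 and that mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded; the host name and certificate paths are the ones quoted in the question.

```apache
# Added example, not from the original message.
# Assumption: Tomcat's HTTP connector listens on 127.0.0.1:8080.
<VirtualHost *:443>
    ServerName www.sample.com

    # HTTPS ends here: browsers speak TLS to httpd only.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/sample.crt
    SSLCertificateKeyFile /etc/httpd/sample.key

    # The back end is plain HTTP on loopback, so SSLProxyEngine is not
    # needed and Tomcat needs no keystore (JKS) for this connector.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Pass the original scheme on for applications that read this header
    # (requires mod_headers).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Matching Tomcat connector in conf/server.xml, shown here as a comment:
#
#   <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
#              proxyName="www.sample.com" proxyPort="443"
#              scheme="https" secure="true" />
#
# address="127.0.0.1" keeps the unencrypted port unreachable from other
# hosts, which is what makes the httpd-to-Tomcat hop "private".
# proxyName/proxyPort/scheme/secure make Tomcat build https:// URLs in
# redirects and report the request as secure to the application.
```

If Tomcat runs on a different host than httpd, the hop is no longer loopback-only and the reasoning about a private link has to be re-checked for that network.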