tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Blaxton <blaxx...@yahoo.com>
Subject Re: Change Default SSL port on Tomcat
Date Fri, 16 Dec 2011 21:12:35 GMT




________________________________
 From: André Warnier <aw@ice-sa.com>
To: Tomcat Users List <users@tomcat.apache.org> 
Sent: Friday, December 16, 2011 10:34:24 PM
Subject: Re: Change Default SSL port on Tomcat
 
Pid * wrote:
>> Thank you pid,
>> 
>> I looked in Catalina.out and found out 443 port is already in use error
>> and I had listen 443 in apache, so removed it and now tomcat
>> comes up and all is good.
>> 
>> I am not sure if it is better to serve ssl and https through Tomcat or Apache
> 
> So your plan is to serve normal traffic via HTTPD, mod_jk but send the
> SSL traffic straight to Tomcat?
> 
> That would be, erm, unusual.
> 
Yes, there is something in that whole explanation which didn't sound quite right.

To the Original Poster, if this wasn't clear yet :
The AJP protocol does not support SSL connections.
In other words, if your connection schema is :

browser <-(1)-> Apache + mod_jk  <-(2)-> AJP Connector on port 8009 + Tomcat
                   (or mod_proxy_ajp)

then (2) cannot be a HTTPS connection.
The normal thing is to have (1) be a HTTPS connection, which ends at the Apache level.
Then mod_jk (or mod_proxy_ajp) forwards the requests to Tomcat via (2), but that is an AJP
protocol connection, which is not encrypted.
It can forward the original SSL headers, so that Tomcat can have a look at them, but that's
it.

Most likely, when you are establishing an HTTPS connection between the browser and Tomcat,
it goes "around" Apache httpd, directly to Tomcat, like this :

browser <--(1)-------------------------> HTTPS Connector + Tomcat

           Apache + mod_jk (totally unaware of what's going on now)

Maybe you are just unaware of this because both Apache httpd and Tomcat are running on the
same host, so have the same hostname and IP address, which just the port being different.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Thank you for the tip. 
That's a good point.
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message