tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aladin Dajani <>
Subject Re: SSl Query-- please help
Date Sun, 21 Oct 2012 13:05:38 GMT
Terminating SSL at the Apache level assumes all tomcat servers behind
Apache are on a secure, externally inaccessible, network.  But In
cloud-based, hosted systems, there is no guarantee someone isn't
listening.  Does this make a case for securing Apache<->tomcat

On Oct 21, 2012, at 6:09 AM, ""
<> wrote:

> Thanks André for such a elaborate reply.
> Just want to check another thing, is it possible to setup SSL at  tomcat level using
mod_proxy module.. But i think it does not work in load balancing case. Does my understanding
is correct??
> Thanks for your support,
> Vicky
> On Oct 20, 2012, at 7:21 PM, André Warnier <> wrote:
>> vivek aggarwal wrote:
>>> Hello All,
>>> I need to setup the SSL over my tomcat ,which i am able to do it by generating
Self signed certificate using Keytool
>>> But when  i am redirecting the request form apache using "mod_jk "module its
not working.
>>> I am not sure how to make Apache & Tomcat work in SSL when using Mod_jk module
as i need load balancing
>>> Can someone please share the steps for doing ssl setup when apache is used along
with Tomcat
>> A simplified graphical view of the recommended setup :
>> browser <- HTTPS -> Apache + mod_jk <- AJP -> Tomcat-1 (AJP Connector)
>>                                   <- AJP -> Tomcat-2 (AJP Connector)
>>                                   ...
>>                                   <- AJP -> Tomcat-n (AJP Connector)
>> In other words, you should handle the HTTPS/SSL at the front-end Apache httpd level,
not at the Tomcat level.  (This is also sometimes called "terminating SSL at the Apache level").
>> The reason is that the AJP protocol does not support HTTPS/SSL (so, there is no way
to set up the AJP Connector in Tomcat for SSL) (and no way to set up mod_jk to "talk SSL to
>> What the Apache/mod_jk combination can do however, is pass on all the required SSL
headers of the original requests to Tomcat, over the AJP connection, so that a Tomcat application
could make use of them.
>> To see how to set up Apache for SSL, check the Apache httpd on-line documentation.
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message