tomcat-users mailing list archives

From Aladin Dajani <aladin.daj...@gmail.com>
Subject Re: SSl Query-- please help
Date Sun, 21 Oct 2012 13:05:38 GMT
Hello,
Terminating SSL at the Apache level assumes all Tomcat servers behind
Apache are on a secure, externally inaccessible network.  But in
cloud-based, hosted systems, there is no guarantee someone isn't
listening.  Does this make a case for securing Apache<->Tomcat
communication?


On Oct 21, 2012, at 6:09 AM, "vicky007aggarwal@yahoo.co.in"
<vicky007aggarwal@yahoo.co.in> wrote:

> Thanks André for such an elaborate reply.
> Just want to check another thing: is it possible to set up SSL at the Tomcat level using the mod_proxy module? But I think it does not work in the load-balancing case. Is my understanding correct?
>
> Thanks for your support,
> Vicky
>
>
>
> On Oct 20, 2012, at 7:21 PM, André Warnier <aw@ice-sa.com> wrote:
>
>> vivek aggarwal wrote:
>>> Hello All,
>>> I need to set up SSL on my Tomcat, which I am able to do by generating a self-signed certificate using keytool.
>>> But when I am redirecting the request from Apache using the "mod_jk" module, it's not working.
>>> I am not sure how to make Apache & Tomcat work with SSL when using the mod_jk module, as I need load balancing.
>>> Can someone please share the steps for doing SSL setup when Apache is used along with Tomcat?
>>
>> A simplified graphical view of the recommended setup:
>>
>> browser <- HTTPS -> Apache + mod_jk <- AJP -> Tomcat-1 (AJP Connector)
>>                                   <- AJP -> Tomcat-2 (AJP Connector)
>>                                   ...
>>                                   <- AJP -> Tomcat-n (AJP Connector)
>>
>> In other words, you should handle the HTTPS/SSL at the front-end Apache httpd level, not at the Tomcat level.  (This is also sometimes called "terminating SSL at the Apache level").
>> The reason is that the AJP protocol does not support HTTPS/SSL (so, there is no way to set up the AJP Connector in Tomcat for SSL) (and no way to set up mod_jk to "talk SSL to Tomcat").
>> What the Apache/mod_jk combination can do however, is pass on all the required SSL headers of the original requests to Tomcat, over the AJP connection, so that a Tomcat application could make use of them.
>>
>> To see how to set up Apache for SSL, check the Apache httpd on-line documentation.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
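
The setup André describes in the quoted reply (HTTPS terminated at httpd, plain AJP to a load-balanced Tomcat pool), written out as an httpd/mod_jk configuration. This is an added example, not part of the original thread; the host name, IP addresses, file paths and worker names are placeholders.

```apache
# httpd.conf fragment (constructed example; all names, addresses and paths are placeholders)
LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module  modules/mod_jk.so

# conf/workers.properties, referenced below, would contain (shown here as comments):
#   worker.list=lb
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=10.0.0.11
#   worker.tomcat1.port=8009
#   worker.tomcat2.type=ajp13
#   worker.tomcat2.host=10.0.0.12
#   worker.tomcat2.port=8009
#   worker.lb.type=lb
#   worker.lb.balance_workers=tomcat1,tomcat2
# For sticky sessions, each Tomcat's <Engine jvmRoute="..."> in server.xml
# must match its worker name (tomcat1, tomcat2).
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    # HTTPS/SSL is handled here, at the front-end httpd
    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key

    # mod_jk passes the SSL details of the original request to Tomcat
    # as AJP request attributes, so the web application can still see them
    JkExtractSSL On
    JkOptions    +ForwardKeySize

    # Send every request to the load balancer worker
    JkMount /* lb
</VirtualHost>

# The httpd -> Tomcat leg is plain AJP (no SSL), so the AJP connectors on
# port 8009 should be reachable only from this httpd host, for example by
# firewall rule or by binding the connector to an internal address.
```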