tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Reverse proxy with ARR and HTTPS
Date Thu, 11 Dec 2014 21:46:44 GMT


On 12/11/14 2:42 PM, Jesse Barnum wrote:
> I should have mentioned in my original post - IIS receives both
> HTTP as well as HTTPS requests. Both types of requests are proxied
> to a single HTTP connector in Tomcat.
> Is the only option to create two separate HTTP connectors on two 
> different ports, set the secure attribute to true on one of them,
> and then configure ARR to send HTTPS requests to the secure
> one?

That's exactly what we do in our load-balanced setups: a separate port
for each. Note that if you use an <Executor>, there is very little
overhead to maintaining two separate connectors, one for each port:
they can both share a thread pool (which is what Tomcat calls an

> It seems like there should be a simpler solution. Could we instead
>  configure ARR to include some header that Tomcat would recognize?

When using mod_jk from Apache httpd and the AJP13 protocol, this
information is transmitted in the way you describe (the SSL
information is transmitted to Tomcat in a format that is not easy to
forge -- like it would be if it were part of an HTTP header). I've
never used the ISAPI redirector, but I think mod_jk supports IIS and
might be able to provide this information in a similar way.

Reading the Tomcat IIS reference, it doesn't say anything about SSL,
so I'm not entirely sure.

Hope that helps,
-chris

>> On Dec 11, 2014, at 2:18 PM, Mark Thomas <>
>> wrote:
>> On 11/12/2014 19:12, Jesse Barnum wrote:
>>> I have IIS 7 running with an SSL certificate. It receives
>>> HTTPS requests, and using ARR, it proxies them over HTTP to
>>> Tomcat. This works fine.
>>> The problem is that when we call
>>> HttpServletRequest.isSecure(), it returns false. This makes
>>> sense, since the request to tomcat is HTTP, but it’s not
>>> correct from the user’s standpoint, who is using HTTPS.
>>> Is there a recommended way to configure ARR with Tomcat so
>>> that the original HTTPS protocol can be recognized by Tomcat?
>> Set the secure attribute on the connector to "true" but make
>> sure you only proxy requests originally received over HTTPS to
>> it.
>> Mark
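
The two-connector arrangement described in this message, sketched as a `server.xml` fragment (an added example, not configuration posted in the thread). The port numbers, pool sizes, executor name and the loopback `address` are assumptions; the loopback binding presumes IIS/ARR runs on the same host as Tomcat.

```xml
<!-- Added example: fragment for conf/server.xml, placed inside the <Service> element.
     Ports, pool sizes and the executor name are assumed values. -->

<!-- One thread pool shared by both connectors, so the second port
     does not need a thread pool of its own. -->
<Executor name="proxyThreadPool"
          namePrefix="catalina-exec-"
          maxThreads="200"
          minSpareThreads="10" />

<!-- Target for requests that reached IIS over plain HTTP.
     HttpServletRequest.isSecure() returns false here. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           address="127.0.0.1"
           executor="proxyThreadPool"
           connectionTimeout="20000"
           proxyPort="80" />

<!-- Target for requests that reached IIS over HTTPS.
     The traffic on this port is still plain HTTP; secure="true" and
     scheme="https" only change what isSecure() and getScheme() report.
     Tomcat cannot verify the claim, so it applies to every request
     that arrives on this port. -->
<Connector port="8081"
           protocol="HTTP/1.1"
           address="127.0.0.1"
           executor="proxyThreadPool"
           connectionTimeout="20000"
           scheme="https"
           secure="true"
           proxyPort="443" />
```

The ARR rule for traffic that arrived over HTTPS must target port 8081 and the rule for plain HTTP traffic port 8080. Because the 8081 connector marks every request as secure, keep it reachable only from the proxy (loopback binding as assumed here, or a firewall rule when IIS is on another host).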