tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Reverse proxy with ARR and HTTPS
Date Thu, 11 Dec 2014 21:46:44 GMT

Jesse,

On 12/11/14 2:42 PM, Jesse Barnum wrote:
> I should have mentioned in my original post - IIS receives both
> HTTP as well as HTTPS requests. Both types of requests are proxied
> to a single HTTP connector in Tomcat.
> 
> Is the only option to create two separate HTTP connectors on two
> different ports, set the secure attribute to true on one of them,
> and then configure ARR to send HTTPS requests to the secure
> one?

That's exactly what we do in our load-balanced setups: a separate port
for each. Note that if you use an <Executor>, there is very little
overhead to maintaining two separate connectors, one for each port:
they can both share a thread pool (which is what Tomcat calls an
<Executor>).

> It seems like there should be a simpler solution. Could we instead
> configure ARR to include some header that Tomcat would recognize?

When using mod_jk from Apache httpd and the AJP13 protocol, this
information is transmitted in the way you describe (the SSL
information is transmitted to Tomcat in a format that is not easy to
forge -- like it would be if it were part of an HTTP header). I've
never used the ISAPI redirector, but I think mod_jk supports IIS and
might be able to provide this information in a similar way.

Reading the Tomcat IIS reference, it doesn't say anything about SSL,
so I'm not entirely sure.

Hope that helps,
-chris

> 
>> On Dec 11, 2014, at 2:18 PM, Mark Thomas <markt@apache.org>
>> wrote:
>> 
>> On 11/12/2014 19:12, Jesse Barnum wrote:
>>> I have IIS 7 running with an SSL certificate. It receives
>>> HTTPS requests, and using ARR, it proxies them over HTTP to
>>> Tomcat. This works fine.
>>> 
>>> The problem is that when we call
>>> HttpServletRequest.isSecure(), it returns false. This makes
>>> sense, since the request to tomcat is HTTP, but it’s not
>>> correct from the user’s standpoint, who is using HTTPS.
>>> 
>>> Is there a recommended way to configure ARR with Tomcat so
>>> that the original HTTPS protocol can be recognized by Tomcat?
>> 
>> Set the secure attribute on the connector to "true" but make
>> sure you only proxy requests originally received over HTTPS to
>> it.
>> 
>> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
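
The two-connector layout discussed in this thread, as an added server.xml sketch that is not part of the original messages or of the Tomcat documentation. The port numbers, the executor name, the thread counts and the loopback bind address (which assumes IIS runs on the same host) are assumptions.

```xml
<!-- Added example; not from the original thread. Ports, names, thread
     counts and the bind address are assumptions for illustration. -->
<Service name="Catalina">

  <!-- One thread pool shared by both connectors, so the second
       connector adds very little overhead. -->
  <Executor name="proxyPool" namePrefix="proxy-exec-"
            maxThreads="200" minSpareThreads="10"/>

  <!-- Target for requests that IIS/ARR received over plain HTTP.
       isSecure() is false and getScheme() is "http" on this port. -->
  <Connector port="8080" protocol="HTTP/1.1"
             executor="proxyPool"
             address="127.0.0.1"
             proxyPort="80"
             connectionTimeout="20000"/>

  <!-- Target for requests that IIS/ARR received over HTTPS and
       forwards as plain HTTP. No TLS is terminated here: secure="true"
       only makes isSecure() return true for every request on this
       port, and scheme/proxyPort make generated URLs and redirects
       point back at https on 443. -->
  <Connector port="8443" protocol="HTTP/1.1"
             executor="proxyPool"
             address="127.0.0.1"
             scheme="https" secure="true" proxyPort="443"
             connectionTimeout="20000"/>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"/>
  </Engine>
</Service>
```

Tomcat decides isSecure() from the port a request arrives on, not from anything in the request, so the 8443 listener must be reachable only by the proxy, and ARR must route to it only the requests it received over HTTPS. If IIS runs on a different host, bind to the internal interface instead of loopback and restrict the port to the proxy's address at the firewall.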

