From: Christopher Schultz
To: Tomcat Users List
Subject: Re: Reverse proxy with ARR and HTTPS
Date: Thu, 11 Dec 2014 16:46:44 -0500

Jesse,

On 12/11/14 2:42 PM, Jesse Barnum wrote:
> I should have mentioned in my original post - IIS receives both
> HTTP as well as HTTPS requests. Both types of requests are proxied
> to a single HTTP connector in Tomcat.
>
> Is the only option to create two separate HTTP connectors on two
> different ports, set the secure attribute to true on one of them,
> and then configure ARR to send HTTPS requests to the secure
> one?

That's exactly what we do in our load-balanced setups: a separate port for each.

Note that if you use an , there is very little overhead to maintaining two separate connectors, one for each port: they can both share a thread pool (which is what Tomcat calls an ).

> It seems like there should be a simpler solution. Could we instead
> configure ARR to include some header that Tomcat would recognize?

When using mod_jk from Apache httpd and the AJP13 protocol, this information is transmitted in the way you describe (the SSL information is transmitted to Tomcat in a format that is not easy to forge -- like it would be if it were part of an HTTP header).

I've never used the ISAPI redirector, but I think mod_jk supports IIS and might be able to provide this information in a similar way. Reading the Tomcat IIS reference, it doesn't say anything about SSL, so I'm not entirely sure.

Hope that helps,
-chris

>
>> On Dec 11, 2014, at 2:18 PM, Mark Thomas wrote:
>>
>> On 11/12/2014 19:12, Jesse Barnum wrote:
>>> I have IIS 7 running with an SSL certificate. It receives
>>> HTTPS requests, and using ARR, it proxies them over HTTP to
>>> Tomcat. This works fine.
>>>
>>> The problem is that when we call
>>> HttpServletRequest.isSecure(), it returns false. This makes
>>> sense, since the request to tomcat is HTTP, but it’s not
>>> correct from the user’s standpoint, who is using HTTPS.
>>>
>>> Is there a recommended way to configure ARR with Tomcat so
>>> that the original HTTPS protocol can be recognized by Tomcat?
>>
>> Set the secure attribute on the connector to "true" but make
>> sure you only proxy requests originally received over HTTPS to
>> it.
>>
>> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
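
The two-connector setup discussed in this thread, as an added example (not part of the original messages and not configuration posted by any participant): a minimal Tomcat server.xml with one shared thread pool and one connector per original scheme. The port numbers 8080 and 8443, the executor name, the pool sizes and the loopback bind address (which assumes IIS/ARR runs on the same host as Tomcat) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- One thread pool shared by both connectors, so the second
         connector adds very little overhead. Name and sizes are
         assumptions chosen for this example. -->
    <Executor name="proxyThreadPool" namePrefix="proxy-exec-"
              maxThreads="200" minSpareThreads="10"/>

    <!-- Target for requests that IIS received over plain HTTP.
         isSecure() returns false and getScheme() returns "http". -->
    <Connector port="8080" protocol="HTTP/1.1"
               executor="proxyThreadPool"
               address="127.0.0.1"
               scheme="http" secure="false" proxyPort="80"/>

    <!-- Target for requests that IIS received over HTTPS only.
         The hop from ARR is still plain HTTP (no TLS is configured
         on this connector); secure="true" only changes what the
         application is told: isSecure() returns true and
         getScheme() returns "https".
         Every request arriving here is reported as secure, so the
         port must be reachable by the proxy alone (here: bound to
         loopback) and the ARR rules must send only requests that
         originally arrived over HTTPS to it. -->
    <Connector port="8443" protocol="HTTP/1.1"
               executor="proxyThreadPool"
               address="127.0.0.1"
               scheme="https" secure="true" proxyPort="443"/>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
```

If IIS runs on a different machine, replace the loopback address with an internal interface and restrict port 8443 to the proxy's address with a host firewall rule, since Tomcat cannot tell a proxied HTTPS request from a direct plain-HTTP connection to that port.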