tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Soto <asot...@gmail.com>
Subject Re: Apache HTTPD (with SSL) + mod_jk + TomEE (Tomcat) nullify the ssl session id
Date Thu, 09 Jul 2015 10:07:03 GMT
yes (LogFormat "%H %{SSL_SESSION_ID}e %h %l %u %t \"%r\" %>s %b")
note that in both cases %H is the same value. I think it is correct.

El dj., 9 jul. 2015 a les 12:06, André Warnier (<aw@ice-sa.com>) va
escriure:

> Hi.
>
> Alex Soto wrote:
> > Hi at the end it seems apache is doing something (wrong or not)
> >
> > HTTP/1.1 - 172.17.42.1 - - [09/Jul/2015:09:15:06 +0000] "GET /hello/hello
> > HTTP/1.1" 200 89
> >
> > HTTP/1.1 1b17f16f8ae73c1b4d706c1598aadb596db610bbdaeb1cd967e0bea98ec2abcb
> > 172.17.42.1 - - [09/Jul/2015:09:15:34 +0000] "GET /hello/hello HTTP/1.1"
> > 200 209
> >
>
> I only see a mention of HTTP here.  Did you also print the protocol (%H) ?
> (Is that the leading "HTTP/1.1" above ?)
>
>
> >
> > Notice how ssl session id is printed when it is ready. So now it is time
> to
> > start a discussion with apache and why this is happening.
> >
> > Thank you so much for all your support.
> >
> > Alex.
> >
> > El dj., 9 jul. 2015 a les 0:22, André Warnier (<aw@ice-sa.com>) va
> escriure:
> >
> >> Alex Soto wrote:
> >>> no they are always the same, I simply go to browser do
> >>> https://localhost/hello/hello and I only push refresh button several
> >> times,
> >>> until the id appears. Then after some pushes it disappears again and
> >>> appears after some time again. So I think I am not changing the
> protocol
> >>> from https to http. In fact the browser complains about that the
> >>> certificate is homemade. So yes I think so.
> >>>
> >>> In first mail I sent the Docker project
> >>> https://github.com/lordofthejars/apache-tomee-ssl just in case you
> >> didn't
> >>> know it.
> >>> Also one thing I done was to inspect the debugging file of mod_jk and I
> >> can
> >>> see the session id is not sent by mod_jk. But if it is because mod_jk
> >>> misses or not, I just don't know.
> >> Alex, what I think that your tests show, is that sometimes *Apache
> httpd*
> >> is not setting
> >> the SSL_SESSION_ID variable *as an Apache httpd environment variable*.
> >> Therefor, it is
> >> (also) not passed by mod_jk to Tomcat.
> >>
> >> That is also what Christopher was wondering, and that is why he asked
> you
> >> if you were
> >> really sure that all your requests were HTTPS.
> >> At this point, we also don't know why Apache httpd would in some cases
> not
> >> set this, but
> >> the first thing is to find out if it is so, or not. And if it is so,
> then
> >> why ?
> >>
> >> I believe that you can prove (or disprove) this by modifying the format
> of
> >> the Apache
> >> access log.  You can change it so that Apache httpd logs the content of
> >> this variable for
> >> each request.  Then you can again make a series of requests, and look at
> >> the Apache access
> >> log to verify what happens.
> >>
> >> Have a look here :
> >> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
> >> and in particular at
> >>   %{FOOBAR}e    The contents of the environment variable FOOBAR
> >>
> >> You can also log the request protocol :
> >> %H      The request protocol
> >>
> >> In summary : if you can show that Apache httpd is always setting what it
> >> should set, and
> >> that sometimes mod_jk or Tomcat does not react to it, then the problem
> is
> >> with mod_jk or
> >> Tomcat.  But if Apache is sometimes not setting this, then the problem
> is
> >> with Apache, or
> >> with something else in your setup.  We are just trying to locate the
> issue
> >> correctly, and
> >> to avoid spending time looking in the wrong places. (For us and for
> you).
> >>
> >>
> >>> El dc., 8 jul. 2015 a les 17:46, Christopher Schultz (<
> >>> chris@christopherschultz.net>) va escriure:
> >>>
> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>> Hash: SHA256
> >>>>
> >>>> Alex,
> >>>>
> >>>> On 7/8/15 10:18 AM, Alex Soto wrote:
> >>>>> I have tried what you mention. When SSL_Id is there both
> >>>>> request.getAttribute("javax.servlet, ....."); and
> >>>>> request.getAttribute("SSL_SESSION_ID"); returns valid sslId and
in
> >>>>> the same way if one is null them the other one is null too so it
> >>>>> behaviour is consistent. About header approach always it is null,
> >>>>> probably something in rewrite is not set in header.
> >>>> That sounds like httpd isn't providing the session id.
> >>>>
> >>>> Are you absolutely sure that all of these requests are actually HTTPS
> >>>> from the client? Do you ever switch between HTTPS and HTTP?
> >>>>
> >>>> - -chris
> >>>> -----BEGIN PGP SIGNATURE-----
> >>>> Comment: GPGTools - http://gpgtools.org
> >>>>
> >>>> iQIcBAEBCAAGBQJVnUWVAAoJEBzwKT+lPKRYEuYQAKdxOcVmVjJI3ul57zCWys43
> >>>> KOO0cQddZUnuerb3zpBKSZn8ab6KCvVCs+usULV498OAjEUOaNl2PscgNCTbT7+G
> >>>> YjxvXsz3TsgDvf5tIDexEFnuteb1/zxwmxl/yREjITTl4XnSx3MHPDH7n9vBiYlO
> >>>> 4iHFdmSF5K3CIAKweCjBYpsQdKAaVtmrfJzdpfOnop2tIlC+vAL2w5pgHOshm18Z
> >>>> dR3oOcSztev9Vws4iOYQlwc47Cg3M0bxyZ/KyIOd2IAUp0vpc8KTa2Hym388VnP+
> >>>> UfnCUeAOfF2eKfk4c0aXJ3VNAkfIMJ44gG9oSI2lAChk8dbK4PE41sZ+ykHPwJgR
> >>>> gXXxXbAfrdbFuav2DtWAAoEUiGQGA4YuKqJxJMQa6LOI6sJ2+TXE/CIUkRwmijRs
> >>>> NkKRDGy9KW9eVsF6N7gtCsDAoL/qbu8yr01d1A6hLiofiUj3EkweNBVs2dzMmt+N
> >>>> WsY2Rbr9MdmYtaEcXI+uGsM5bLWatBDMxErnMCWve0QgrGiRjREns39ixuiuWpQI
> >>>> qbBMGhLajjDxtLpd2mMiqXvLLXVIHKem3bJ/lxACiSmYlw/5/gDayoHt9KYYbxEu
> >>>> adJ9wGjDRlaowokEKdGFd4GVndqoiK0NPfd2lgvSpZLuUL/qwoklTdiGr6zhkvT7
> >>>> T+GAJuwkYY7GSgMplLrS
> >>>> =vEii
> >>>> -----END PGP SIGNATURE-----
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message