tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat connector settings
Date Wed, 04 May 2016 16:50:09 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael,

On 5/2/16 10:20 AM, Michael Fox wrote:
> I ultimately want to have a Tomcat application protected  by our 
> university's system for authentication, which is SiteMinder.  They 
> have told me that they can't protect Tomcat directly, but if user 
> communications can be passed through a web server then they can 
> protect the server with SiteMinder.

No problem.

> I have a working Tomcat application if I uncomment the non-SSL 
> HTTP/1.1 protocol in the Tomcat, but I believe I need all 
> communication to pass through the Apache web server.  Let me know
> if you need more information and, if so, what that would be.

You can use HTTP, HTTPS, or AJP as the communication mechanism between
the web server and Tomcat.

AJP works great with Apache httpd, but may be more complicated to get
set up with other web servers. HTTP is, by definition, always
supported. You want them to set up the web server as a
"reverse-proxy", and just give them the URL of your base application.
The configuration in httpd for using HTTP as the protocol is fairly
simple:

ProxyPass /myapp http://internal.ip:8080/myapp
ProxyPassReverse /myapp http://internal.ip:8080/myapp

You'll want to enable the standard HTTP connector (it was enabled by
default) and if you aren't using AJP (like you are NOT in this
example), then you'll want to enable the RemoteIPValve:
https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Val
ve

That "valve" takes information from the HTTP headers coming from the
web server and makes sure that things like the base URL match what the
client is seeing from the outside world (e.g. they won't see URLs for
http://internal.ip:8080/etc.).

On the web server, you can use whatever protocol you want for your
clients. HTTPS is a good choice. Using HTTPS on the web server has no
impact on whether or not you want to use HTTP or HTTPS internally on
your private network. If you want to use HTTPS internally (also not a
bad idea, especially if you don't 100% trust everyone who has access
to your network), change the httpd configuration to this:

ProxyPass /myapp http://internal.ip:8443/myapp
ProxyPassReverse /myapp http://internal.ip:8443/myapp

You will, of course, have to configure a secure <Connector> on port
8443 for that purpose, including a TLS certificate, etc. If you always
expect to use a secure connection, then disable the non-secure
<Connector>: anyone coming to your web site using cleartext HTTP can
be redirected by the web server to HTTPS so Tomcat itself only has to
be providing an HTTPS connection.

Hope that helps,
- -chris

> -----Original Message----- From: Christopher Schultz 
> [mailto:chris@christopherschultz.net] Sent: Friday, April 29, 2016 
> 9:14 PM To: Tomcat Users List <users@tomcat.apache.org> Subject:
> Re: Tomcat connector settings
> 
> Michael,
> 
> On 4/29/16 4:25 PM, Michael Fox wrote:
>> I have an Apache web server(2.4.6) which is accessible at http or
>>  https at DNS_hostname, and a Tomcat server (9.0.0.M1)with an 
>> application available at DNS_hostname:8080/app_name.
> 
>> I then disabled the non-SSL HTTP/1.1 connector on port 8080 and 
>> enabled HTTP/2 in the Tomcat server.xml, using the certificate
>> key file and certificate where generated using the openssl
>> (1.0.2g) commands and used on the Apache web server.
> 
>> The Apache ssl.conf file is set to listen on port 8443 for
>> https, and the only virtual host is set for IP_address:8443 and
>> servername set to DNS_hostname
> 
>> In the file /etc/httpd/conf/workers.properties,
>> worker.worker1.host is set to DNS_hostname and
>> worker.worker1.port is set to 8443.
> 
>> Netstat -tamp shows httpd listening on port 8443 and java
>> listening on port 8009.
> 
>> Are these settings proper and correct?
> 
> It doesn't look like it.
> 
>> What should the URL look like in order to access the Tomcat 
>> application via Apache?
> 
> That depends upon what you are actually trying to do.
> 
>> Any help and/or guidance would most appreciated.
> 
> You have an HTTPS server listening on port 443 (httpd). You have 
> mod_jk (workers.properties) configured to connect to host:8443
> (which is the same host listening for HTTPS requests on port 8443)
> using AJP13 (not HTTP). So, if a client makes a call to host:8443,
> mod_jk will proxy the request through to host:8443. If the protocol
> were correct (it isn't), you'd have an infinite loop of request s.
> 
> Can you explain what you are actually trying to do and maybe we
> can help ?
> 
> -chris
> 
> ---------------------------------------------------------------------
>
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
>
>
> 
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcqKEEACgkQ9CaO5/Lv0PDR0wCfU89GE1W6btEaUtHH2NJhm501
TlgAmQF9MCA6mpjiFr9Mo1EB1Bsn1p+n
=6mLT
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message