Subject: Re: Can Tomcat act as an HTTPS proxy?
To: Tomcat Users List
From: Christopher Schultz
Message-ID: <8cb580e8-6389-8845-c151-1d42d991ae88@christopherschultz.net>
Date: Thu, 19 Jan 2017 11:42:51 -0500

David,

On 1/19/17 10:38 AM, David P. Caldwell wrote:
> I'm trying to forward HTTPS requests through a Tomcat HTTP (or
> HTTPS) server to a backend HTTPS server.
>
> The requests are initiated by a Java HTTP client
> (java.net.URLConnection-based).
>
> So I have:
>
> backend HTTPS server (which works)
> Tomcat server running HTTP and HTTPS connectors
> Java HTTPUrlConnection, using Tomcat HTTP connector as a proxy
>
> The Java client can successfully:
>
> * use the backend HTTPS server directly
> * use the Tomcat HTTP connector
> * use the Tomcat HTTPS connector
>
> For my scenario, I think using the HTTP connector to proxy is
> correct, though I've also tried using the HTTPS connector.
>
> I'm not an expert on SSL or HTTPS. The HTTPS connector doesn't
> work, but my understanding is that using it doesn't make sense; the
> trust relationship is end-to-end, so you'd use ordinary HTTP to
> proxy in between. It ends up with an unexpected EOF from server or
> something.
>
> Assuming the HTTP connector is the right one to use, here's my
> problem: Tomcat returns a 400 Bad Request when I attempt to request
> an https: URL via an ordinary HTTP request to the HTTP connector.
>
> Conceptually, it seems like this ought to be fine, to me, but as I
> said, my understanding of the concepts is a bit murky, so I might
> be wrong.
>
> Am I on the right track? If so, is there something configurable
> that will allow those requests to be forwarded rather than
> rejected?

So you've got this?

client -- HTTP --> Tomcat proxy -- HTTPS --> backend server

?

Or this?

client -- HTTPS --> Tomcat proxy -- HTTP --> backend server

?

Please post as much of your configuration (, proxy) as you can.

Also, what is the purpose of the HTTPS wherever it is being used? It
is for privacy or for authentication (or both)?

-chris