From jean-frederic clere <>
Subject Re: [PATCH] Tomcat 5.X connectors SSL Accelerator proxy support
Date Wed, 06 Apr 2005 10:02:45 GMT

wrote:
> Dev Team,
> Attached is a patch to address the Tomcat 5.X inability to specify a
> secure proxy without an SSL connection. The goal is to specify
> secure="true", scheme="https", proxyPort="443", and
> proxyName="" on a plain HTTP Connector in
> server.xml.

BTW: This proxy does not allow getting client certificates, does it?

> I am not sure if this is the best, (or even acceptable),
> solution, but it is the simplest I could come up with while not changing
> the documented Tomcat 5.X Connector attributes. The configuration above
> used to work with Tomcat 4.1, because the SSL support was never enabled
> unless the <Factory/> tag was specified within the Connector
> specification.
> The approach here for Tomcat 5.X is to ignore the secure
> attribute/property configuration in the underlying Http11Protocol instance
> if the Connector is configured with either a proxyPort or proxyName and
> there are no other explicit SSL configuration attributes specified. The
> logic behind this choice is that use of an SSL Accelerator will imply a
> proxied port and/or host and will not specify any SSL related options.
> Furthermore, in the event a proxied SSL Connection was desired after all,
> it will almost always require at least some keystore access configuration.
> One possible variation might be to only ignore the secure configuration if
> the proxyName is set; this might be preferable if simple port forwarding
> on the host server is more prevalent than the use of SSL Accelerators,
> (albeit potentially more confusing).
> The patch is limited to the jakarta-tomcat-connectors module and should be
> compatible with Tomcat 4.1 and Tomcat 5.X versions. It has been tested
> only against Tomcat 5.0.30 so far. If someone on the Dev Team indicates that
> this patch is acceptable, I can certainly proceed with Tomcat 4.1 and
> Tomcat 5.5 testing... I just would like a sanity check first if at all
> possible.
> Note: I believe that the minor patch to o/a/coyote/ has
> already been performed against the Tomcat 5.5 main trunk by Remy, but was
> missing on the Tomcat 5.0 branch.
> Thanks for your consideration in advance,
> Randy Watler
> Finali-Convergys Corporation

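The decision rule described in the quoted message, written out as an added illustration. This is not the submitted patch and not Tomcat's own code: the class, the helper method and the two sample attribute maps are mine; the attribute names are the documented Tomcat 5.x Connector attributes. The second parameter models the "only ignore secure if proxyName is set" variation the message mentions.

```java
import java.util.Map;
import java.util.Set;

// Illustration of the proposed rule: on a Connector with secure="true", do not
// SSL-enable the socket when a proxyPort/proxyName is configured and no explicit
// SSL attribute is present, because an SSL accelerator terminates TLS upstream.
public class AcceleratorProxyRule {

    // Explicit SSL attributes whose presence means "really terminate TLS here".
    static final Set<String> SSL_ATTRS = Set.of(
        "keystoreFile", "keystorePass", "keystoreType", "clientAuth",
        "sslProtocol", "algorithm", "ciphers");

    /** True when the Connector's own socket must be SSL-enabled. */
    static boolean enableSslSocket(Map<String, String> attrs, boolean requireProxyName) {
        if (!"true".equalsIgnoreCase(attrs.get("secure"))) {
            return false;                       // secure="false": plain HTTP either way
        }
        boolean proxied = requireProxyName
            ? attrs.containsKey("proxyName")
            : attrs.containsKey("proxyName") || attrs.containsKey("proxyPort");
        boolean explicitSsl = attrs.keySet().stream().anyMatch(SSL_ATTRS::contains);
        // Proxied and no keystore configuration: treat 'secure' as informational only.
        // request.isSecure() and the https scheme are still reported to the webapp,
        // but since TLS ended at the accelerator, no client certificate reaches Tomcat
        // (the point raised in the reply above).
        return !(proxied && !explicitSsl);
    }

    public static void main(String[] args) {
        // Constructed sample: accelerator in front, plain HTTP on port 8080.
        Map<String, String> behindAccelerator = Map.of(
            "port", "8080", "secure", "true", "scheme", "https",
            "proxyPort", "443", "proxyName", "www.example.com");
        // Constructed sample: proxied port, but a keystore is configured, so TLS is local.
        Map<String, String> realSsl = Map.of(
            "port", "8443", "secure", "true", "scheme", "https",
            "proxyPort", "443", "keystoreFile", "/placeholder/path/keystore");
        System.out.println("accelerator, default rule:   " + enableSslSocket(behindAccelerator, false));
        System.out.println("accelerator, proxyName-only: " + enableSslSocket(behindAccelerator, true));
        System.out.println("local keystore:              " + enableSslSocket(realSsl, false));
    }
}
```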
