Posted to users@tomcat.apache.org by AngeloChen <an...@gmail.com> on 2011/07/18 10:55:46 UTC
https server behind apache
Hi,
I set up a virtual host for ssl in apache, www.sample.com, it uses mod_proxy
to redirect to a tomcat server:
ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/
ProxyPreserveHost on
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/httpd/sample.crt
SSLCertificateKeyFile /etc/httpd/sample.key
do I need a jks in the tomcat side? Thanks,
Angelo
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: https server behind apache
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Angelo,
On 7/18/2011 4:55 AM, AngeloChen wrote:
> I set up a virtual host for ssl in apache, www.sample.com, it uses
> mod_proxy to redirect to a tomcat server:
>
> ProxyPass / https://localhost:8443/
> ProxyPassReverse / https://localhost:8443/
> ProxyPreserveHost on
>
> SSLEngine on
> SSLProxyEngine on
>
> SSLCertificateFile /etc/httpd/sample.crt
> SSLCertificateKeyFile /etc/httpd/sample.key
>
> do I need a jks in the tomcat side? Thanks,
No, because you are not using AJP, you're using HTTP(S).
If you trust your web server and you have a secured network, you don't
need to have the link between httpd and Tomcat use HTTPS. You'll get a
performance improvement if you drop that SSL connection. Also, you might
want to make sure you are using the APR connector on the Tomcat side,
which will significantly improve your SSL performance in Tomcat.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk4kSa8ACgkQ9CaO5/Lv0PCAiACdEcslVe78JP1p60s7MvphvNYr
VQYAnRlE5U9Ix8++n5Ouwa0tM5TMSGYf
=G8x9
-----END PGP SIGNATURE-----
Re: https server behind apache
Posted by André Warnier <aw...@ice-sa.com>.
AngeloChen wrote:
> Hi,
>
> I set up a virtual host for ssl in apache,
We will assume that you know what you are doing, but just as a reminder : HTTPS and
VirtualHosts are not really compatible. You can make it work, but only with one name-based
VirtualHost. If you are not sure or do not understand this, read the relevant Apache
documentation carefully.
> www.sample.com, it uses mod_proxy
> to redirect to a tomcat server:
>
> ProxyPass / https://localhost:8443/
> ProxyPassReverse / https://localhost:8443/
> ProxyPreserveHost on
>
> SSLEngine on
> SSLProxyEngine on
>
> SSLCertificateFile /etc/httpd/sample.crt
> SSLCertificateKeyFile /etc/httpd/sample.key
>
> do I need a jks in the tomcat side? Thanks,
>
The usual way to do this, is to "terminate HTTPS" at the Apache level, and proxy to Tomcat
over normal HTTP, particularly if Tomcat is on the same host.
The reason is that HTTPS has a cost : every packet going to Tomcat has to be encrypted,
and decrypted at the Tomcat side; and every packet sent by Tomcat to Apache, similarly.
If the browsers use HTTPS to communicate with Apache, then that part of the link is
secure, and that is usually what you want.
If the link between Apache and Tomcat is "private" (and if it is on the same host, you can
probably consider it so), there is no real need to encrypt the traffic between them, and
have all the complication of SSL there again.
Now also : considering your Proxy directives above, it looks like you are proxying
*everything* to Tomcat, and that Apache does nothing except forwarding requests/responses
back and forth.
So the question is : do you really need Apache httpd for any reason ?
Tomcat alone can act as a webserver, HTTP or HTTPS. You could set up Tomcat to respond to
port 80 (and 443) directly, and save yourself the complication and overhead of Apache httpd.
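Both replies recommend the same layout: terminate TLS at httpd and proxy to Tomcat over plain HTTP on the loopback interface. The configuration below is an added example, not something posted in this thread or taken from the Apache or Tomcat projects; it reuses the original poster's hostname and certificate paths and assumes a Tomcat HTTP connector listening on localhost:8080. It also adds the one piece both answers leave implicit: once the backend hop is plain HTTP, Tomcat has to be told that the client connection was HTTPS, otherwise it will emit http:// redirects and treat the request as insecure.

```apache
# Added example (not from the thread). Assumed: www.sample.com,
# /etc/httpd/sample.crt, /etc/httpd/sample.key, Tomcat HTTP connector on
# localhost:8080. Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

# Send plain-HTTP visitors to HTTPS so the browser-to-httpd leg is always encrypted.
<VirtualHost *:80>
    ServerName www.sample.com
    Redirect permanent / https://www.sample.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.sample.com

    # TLS is terminated here; Tomcat never sees the private key.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/sample.crt
    SSLCertificateKeyFile /etc/httpd/sample.key

    # Backend hop is plain HTTP to the loopback interface, so no SSLProxyEngine
    # and no keystore on the Tomcat side. ProxyRequests Off keeps httpd from
    # acting as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Tell Tomcat the original scheme and port. Set (not appended) so a client
    # cannot smuggle its own value through httpd. Tomcat reads these via
    # RemoteIpValve (protocolHeader="X-Forwarded-Proto") and will then build
    # https:// redirects and return true from request.isSecure().
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"
</VirtualHost>
```

On the Tomcat side the matching change is to bind the HTTP connector to the loopback address only (`address="127.0.0.1"` on the `<Connector>` in server.xml) so the unencrypted port is not reachable from the network, and either configure `RemoteIpValve` with `protocolHeader="X-Forwarded-Proto"` or, for a single fixed front end, set `scheme="https" secure="true" proxyPort="443"` directly on that connector. A quick check after deploying is to request a path that triggers a redirect and confirm the Location header comes back as https://, not http://.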