Posted to users@tomcat.apache.org by Christian Andersson <ca...@ofs.no> on 2007/09/18 23:08:03 UTC

Re: problem with https and apache+httpd+tomcat [SOLVED]

Hi Rainer, and thanks for trying to help me.

I had been trying most of what you wrote, and it still looked like it 
was tomcat, but there was one thing that "struck me" while doing all 
these tests/changes

"mod_jk transfers the knowledge of the hostname and port used in Apache 
httpd to the AJP connector, so that self referring URLs can be produced 
correctly."

Comparing my virtualhost definition
<VirtualHost *:443>
    ServerName demo.mydomain
    JkMount /* worker1
</VirtualHost>

with one provided with the installation for squirrelmail (php based)
I did some changes to my virtualhost....
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName demo.mydomain
    JkMount /* worker1
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
</IfModule>

and voilà, now it works...
apparently https WAS working without all of these SSL parameters, but 
mod_jk sent the wrong information to the server.

so even if your suggestions on what to check did not lead me to an 
answer, your message still helped :-)


Rainer Jung wrote:
> Hi Christian,
>
> with the combination of mod_jk and AJP connector, this should not 
> happen. mod_jk transfers the knowledge of the hostname and port used 
> in Apache httpd to the AJP connector, so that self referring URLs can 
> be produced correctly. Even the attributes "redirectPort" and "scheme" 
> should not be necessary. I would also remove the "secure" attribute. 
> As far as I can remember, that one also gets set by mod_jk/AJP (true, 
> if communication against apache httpd was encrypted). There is an 
> attribute called "proxyPort", but for the AJP connector this normally 
> works automatically.
>
> So I would expect, that if the redirect is really what comes back, 
> this gets produced by some other component:
>
> - proxy
> - Apache httpd itself
> - Some web framework used by your app
>
> I would:
>
> - check what is really coming back. You can use a command-line client 
> like e.g. "curl", that exists in an ssl enabled version and is able to 
> show you the raw response
>
> - check whether the request was really handled by Tomcat, e.g. by 
> adding an access log to Tomcat and checking if the request gets logged 
> there
>
> - check, whether the http to https redirect works for a simple hello 
> world webapp.
>
> HTH.
>
> Regards,
>
> Rainer
>
> Christian Andersson wrote:
>> Hi there I have a problem with tomcat, but first version information for
>> some of the applications used.
>>
>>
>> Apache/2.2.3 (Mandriva Linux/PREFORK-1.1.20060mlcs4)
>>
>> Apache Tomcat/6.0.13
>>
>> java version "1.6.0_01"
>> Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
>> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_01-b06, mixed mode)
>>
>> I have setup apache httpd to only answer on port 443 using https
>> and I have several virtual hosts.
>> one of them I have setup to use mod_jk to connect to tomcat using this
>> configuration
>> <VirtualHost *:443>
>>     ServerName demo.mydomain
>>     JkMount /* worker1
>> </VirtualHost>
>>
>> in tomcat I have only configured this single connector
>> <Connector port="8009" protocol="AJP/1.3" secure="true" scheme="https"
>> redirectPort="443"/>
>>
>> now, everything works all right, I can surf to the server using the
>> following url..
>>
>> https://demo.mydomain/mywebapp/
>>
>> and everything works.
>>
>> HOWEVER, I have 2 problems with this setup and that is, IF I surf to the
>> same address but forget to add that last /
>> (https://demo.mydomain/mywebapp) tomcat redirects the browser to surf to
>> the correct url (add the ending /) BUT the url it sends to the browser
>> is WRONG!!!  it is not sending https://demo.mydomain/mywebapp/ as one
>> could suppose, it is sending https://demo.mydomain:80/mywebapp/
>>
>> (at least that is what I suppose is happening.. since I cannot check what
>> is being sent on the Ethernet, since that is encrypted, however firefox
>> tries to connect to that url.)
>>
>> I also got the same problem in my forms based login
>> when the browser is sending the login form, it gets a redirect from the
>> server with the port 80 instead of "no port"
>> if I remove the :80 in the url I get the real page, and I am logged in..
>>
>> so somewhere (I think it is tomcat) the browser is told to go to port 80
>>
>> can anyone help me with this?
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>



Re: problem with https and apache+httpd+tomcat [SOLVED]

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Christian,

thanks for your feedback. Good to know the reason and that the theory 
works, at least if SSL is explicitly activated in the vhost.

mod_jk gets the ssl info from an apache httpd internal environment 
variable. It looks like this wasn't set by your configuration. In case 
one offloads ssl to an appliance, one can still configure mod_jk inside 
Apache to think it's SSL.

Regards,

Rainer

Christian Andersson wrote:
> Hi Rainer, and thanks for trying to help me.
> 
> I had been trying most of what you wrote, and it still looked like it 
> was tomcat, but there was one thing that "struck me" while doing all 
> these tests/changes
> 
> "mod_jk transfers the knowledge of the hostname and port used in Apache 
> httpd to the AJP connector, so that self referring URLs can be produced 
> correctly."
> 
> Comparing my virtualhost definition
> <VirtualHost *:443>
>    ServerName demo.mydomain
>    JkMount /* worker1
> </VirtualHost>
> 
> with one provided with the installation for squirrelmail (php based)
> I did some changes to my virtualhost....
> <IfModule mod_ssl.c>
> <VirtualHost *:443>
>    ServerName demo.mydomain
>    JkMount /* worker1
>    SSLEngine on
>    SSLProtocol all -SSLv2
>    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> </VirtualHost>
> </IfModule>
> 
> and Voila, now it works...
> apparently https WAS working without all of these SSL parameters, but 
> mod_jk sent the wrong information to the server.
> 
> so even if your suggestions on what to check did not lead me to an 
> answer, your message still helped :-)
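
A check for the symptom discussed in this thread, as an added example that is not part of the original posts: it takes the raw response text a client such as "curl -i" shows and flags a redirect whose Location disagrees with the requested URL (https pointing at port 80, an https to http downgrade, or a changed host). The function names and the two sample responses are assumptions constructed from the URLs quoted above.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def parse_location(raw_response):
    """Return (status, Location or None) from raw response text as shown by `curl -i`."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(head[0].split()[1])
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return status, value.strip()
    return status, None

def audit_redirect(request_url, raw_response):
    """List problems with a redirect relative to the URL that was requested."""
    status, location = parse_location(raw_response)
    if location is None or not 300 <= status < 400:
        return []
    req = urlsplit(request_url)
    loc = urlsplit(urljoin(request_url, location))  # resolve a relative Location
    findings = []
    if req.scheme == "https" and loc.scheme == "http":
        findings.append("downgrade: https request redirected to http")
    # An explicit port that is the default of the *other* scheme is the
    # signature of a backend that was told the wrong scheme or port.
    if loc.port is not None and loc.port != DEFAULT_PORT.get(loc.scheme):
        if loc.port in DEFAULT_PORT.values():
            findings.append(f"port mismatch: {loc.scheme} URL points at port {loc.port}")
    if loc.hostname != req.hostname:
        findings.append(f"host changed: {req.hostname} -> {loc.hostname}")
    return findings

# Constructed responses modelled on the thread (not captured traffic).
BROKEN = ("HTTP/1.1 302 Moved Temporarily\r\n"
          "Location: https://demo.mydomain:80/mywebapp/\r\n\r\n")
FIXED = ("HTTP/1.1 302 Moved Temporarily\r\n"
         "Location: https://demo.mydomain/mywebapp/\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_redirect("https://demo.mydomain/mywebapp", raw))
```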
