Posted to users@tomcat.apache.org by Harsimranjit singh Kler <si...@gmail.com> on 2011/11/09 11:02:52 UTC

SSL for modjk and tomcat

Hi,
I am using httpd 2.2.17, modjk 1.2.30, tomcat 6.0. I want to enable SSL in my
setup.

I am able to successfully on httpd, but there is a lot of confusion how to
enable between httpd to AJP & AJP to tomcat.

There is no specific documentation either.

1) What are the steps for modjk configuration?
2) Does AJP support SSL?
3) Changes in server.xml for AJP port to support SSL requests via modjk?


Regards
Harsimran

Re: SSL for modjk and tomcat

Posted by Harsimranjit singh Kler <si...@gmail.com>.
Thanks guys. I will take care while posting in future.

So far I will go for SSL between browser and httpd only.

On Thu, Nov 10, 2011 at 1:40 PM, chris derham <ch...@derham.me.uk> wrote:

> >
> > Simple i have setup httpd,modjk,tomcat .i want to enable SSL(i.e i can
> > handle everything on https).
> >
>
> If you have httpd sending traffic via mod_jk to tomcat, you are nearly
> there. Just configure httpd to listen over ssl.
>
> >
> > > If (instead) you want to encrypt the AJP connection between HTTPD and
> > Tomcat, you'll have to use an SSH tunnel because the AJP protocol is not
> > encrypted.
> >
> >  Now AJP not support SSL fine. i.e AJP protocol is not
> > encrypted.
> > i dont want SSH tunnel.
> >
>
> That's fine if you don't want/need a tunnel
>
> >
> > What other approach i can follow now.i mean other way ?
> >
>
> > i am not sure where to configure those mod jk directive and what
> > configurations at tomcat side?
> >
>
> I don't think you quite understand how this list works. You need to ask a
> specific question, and people will generally try to provide a specific
> answer. In your email you say you have httpd/mod_jk/tomcat communicating.
> You keep saying that you want to "turn on ssl". As 3 people have already
> pointed out, you can have ssl between browser and httpd. You can have ssl
> between httpd and tomcat, but you said you don't want that. If you
> configure httpd for ssl, then you're probably there. IMO you only to worry
> about those mod_jk directives if you need tomcat to know that it is being
> handed a connection that has come from an ssl connection. Perhaps explain
> why you need this ssl information in your app? Perhaps supply a copy of
> web.xml with the security constraints?
>
> In short help us help you -
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> Chris
>

Re: SSL for modjk and tomcat

Posted by chris derham <ch...@derham.me.uk>.
>
> Simple i have setup httpd,modjk,tomcat .i want to enable SSL(i.e i can
> handle everything on https).
>

If you have httpd sending traffic via mod_jk to tomcat, you are nearly
there. Just configure httpd to listen over ssl.

>
> > If (instead) you want to encrypt the AJP connection between HTTPD and
> Tomcat, you'll have to use an SSH tunnel because the AJP protocol is not
> encrypted.
>
>  Now AJP not support SSL fine. i.e AJP protocol is not
> encrypted.
> i dont want SSH tunnel.
>

That's fine if you don't want/need a tunnel

>
> What other approach i can follow now.i mean other way ?
>

> i am not sure where to configure those mod jk directive and what
> configurations at tomcat side?
>

I don't think you quite understand how this list works. You need to ask a
specific question, and people will generally try to provide a specific
answer. In your email you say you have httpd/mod_jk/tomcat communicating.
You keep saying that you want to "turn on ssl". As 3 people have already
pointed out, you can have ssl between browser and httpd. You can have ssl
between httpd and tomcat, but you said you don't want that. If you
configure httpd for ssl, then you're probably there. IMO you only need to worry
about those mod_jk directives if you need tomcat to know that it is being
handed a connection that has come from an ssl connection. Perhaps explain
why you need this ssl information in your app? Perhaps supply a copy of
web.xml with the security constraints?

In short help us help you -
http://www.catb.org/~esr/faqs/smart-questions.html

Chris

Fwd: SSL for modjk and tomcat

Posted by Harsimranjit singh Kler <si...@gmail.com>.
Hi


Simple: I have set up httpd, modjk, tomcat. I want to enable SSL (i.e. I can
handle everything on https).


> If (instead) you want to encrypt the AJP connection between HTTPD and
> Tomcat, you'll have to use an SSH tunnel because the AJP protocol is not
> encrypted.

Now AJP does not support SSL, fine, i.e. the AJP protocol is not
encrypted.
I don't want an SSH tunnel.

What other approach can I follow now? I mean, another way?


I am not sure where to configure those mod_jk directives and what
configuration at the Tomcat side?




On Thu, Nov 10, 2011 at 11:23 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Harsimranjit,
>
> On 11/9/11 10:35 AM, Harsimranjit singh Kler wrote:
> > Doing this configuration first time.
> >
> > As per reply AJP not support SSL but still apache can pass some
> > information to tomcat.
>
> Correct: mod_ssl will forward the important SSL information from httpd
> to Tomcat. Note that connection between httpd and Tomcat is not
> encrypted (which is why Pid and Andre have said "no SSL"). The SSL
> information comes from the incoming HTTPS connection and is provided
> via AJP to Tomcat.
>
> > i found above parameter in documentation :
> >
> > http://tomcat.apache.org/connectors-doc/reference/apache.html
> >
> > but no example how to configure these and how helpful.
>
> Did you mean that you found all of those parameters (not just one) in
> the documentation?
>
> The documentation, while fairly short, contains everything you need.
> Each directive is documented as to its function, its value parameter
> values, and the default.
>
> > i dont know what is ideal configurations for above setup to support
> > SSL
>
> mod_jk supports SSL with no additional configuration. If you find that
> the default configuration is not meeting your needs, please tell us
> what you need and we can help you configure it.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>  For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: SSL for modjk and tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Harsimranjit,

On 11/9/11 10:35 AM, Harsimranjit singh Kler wrote:
> Doing this configuration first time.
> 
> As per reply AJP not support SSL but still apache can pass some
> information to tomcat.

Correct: mod_ssl will forward the important SSL information from httpd
to Tomcat. Note that connection between httpd and Tomcat is not
encrypted (which is why Pid and Andre have said "no SSL"). The SSL
information comes from the incoming HTTPS connection and is provided
via AJP to Tomcat.

> i found above parameter in documentation :
> 
> http://tomcat.apache.org/connectors-doc/reference/apache.html
> 
> but no example how to configure these and how helpful.

Did you mean that you found all of those parameters (not just one) in
the documentation?

The documentation, while fairly short, contains everything you need.
Each directive is documented as to its function, its value parameter
values, and the default.

> i dont know what is ideal configurations for above setup to support
> SSL

mod_jk supports SSL with no additional configuration. If you find that
the default configuration is not meeting your needs, please tell us
what you need and we can help you configure it.

-chris


Re: SSL for modjk and tomcat

Posted by Harsimranjit singh Kler <si...@gmail.com>.
Doing this configuration for the first time.

As per the reply, AJP does not support SSL, but Apache can still pass some
information to Tomcat.

I found the above parameter in the documentation:

http://tomcat.apache.org/connectors-doc/reference/apache.html

but no example of how to configure these and how helpful they are.

I don't know what the ideal configuration is for the above setup to support SSL.

Thank you very much

On Wed, Nov 9, 2011 at 5:52 PM, Pid <pi...@pidster.com> wrote:

> On 09/11/2011 11:20, Harsimranjit singh Kler wrote:
>
> Please don't top-post.
>
> > hi
> >
> > Thanks for reply.
> >
> > There are some parameters whate they are for i saw like:
> > :
> >
> >
> >
> > JkExtractSSL On
> >
> > JkHTTPSIndicator HTTPS
> >
> > JkSESSIONIndicator SSL_SESSION_ID
> >
> > JkCIPHERIndicator SSL_CIPHER
> >
> > JkCERTSIndicator SSL_CLIENT_CERT
> > and
> >
> >
> > JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> >
> > JkExtractSSL
> >
> > etc etc
> >
> > these are not helpful?
>
> They are helpful and do serve a purpose.
>
> Whether that has any bearing on your problem is a different matter
> altogether.  You might consider explaining more clearly what you are
> trying to achieve.
>
>
> > and some one post like this:
> >
> >
> http://ask.metafilter.com/53101/How-do-I-force-HTTPS-in-Tomcat-through-Apache-and-modjk
> >
> > is also wrong?
>
> Have you read any of the Tomcat documentation, or are you just googling?
>
>
> p
>
>
> > On Wed, Nov 9, 2011 at 3:47 PM, André Warnier <aw...@ice-sa.com> wrote:
> >
> >> Harsimranjit singh Kler wrote:
> >>
> >>> Hi
> >>> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL
> in my
> >>> setup.
> >>>
> >>> i Am able to successfully on httpd.but there is lot of confusion how to
> >>> enable between httpd to AJP  & AJP to tomcat.
> >>>
> >>> There is no confusion. You can't do that. There is no SSL variant of
> the
> >> AJP protocol.
> >>
> >>
> >> There is not specific documentation also.
> >>>
> >>
> >> For the same reason.
> >>
> >>
> >>
> >>> 1) what are step for modjk configurations?
> >>> 2)Is AJP support SSL?
> >>>
> >>
> >> No. That should have been the first question.
> >>
> >>
> >> 3)Changes in server.xml for AJP port to support SSL requests via modjk?
> >>>
> >>> None, see above.
> >>
> >> Note : what you /can/ do, is to use mod_jk to pass all relevant SSL
> >> information about the original client<->Apache connection, to Tomcat,
> via
> >> HTTP headers.
> >>
> >> Additional note : of course, if you would really must do this, you could
> >> still run the mod_jk-to-Tomcat connection over an SSL tunnel.  But that
> >> would be something set up totally outside of Apache, Tomcat and their
> >> configuration.
> >> E.g.
> >>
> >> browser <-- HTTPS -->  apache + mod_jk -> localhost:localport1
> >>
> >> localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 -->
> >> Tomcat
> >>
> >>
> >>
> >>
> >
>
>
>
>

Re: SSL for modjk and tomcat

Posted by Pid <pi...@pidster.com>.
On 09/11/2011 11:20, Harsimranjit singh Kler wrote:

Please don't top-post.

> hi
> 
> Thanks for reply.
> 
> There are some parameters whate they are for i saw like:
> :
> 
> 
> 
> JkExtractSSL On
> 
> JkHTTPSIndicator HTTPS
> 
> JkSESSIONIndicator SSL_SESSION_ID
> 
> JkCIPHERIndicator SSL_CIPHER
> 
> JkCERTSIndicator SSL_CLIENT_CERT
> and
> 
> 
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> 
> JkExtractSSL
> 
> etc etc
> 
> these are not helpful?

They are helpful and do serve a purpose.

Whether that has any bearing on your problem is a different matter
altogether.  You might consider explaining more clearly what you are
trying to achieve.


> and some one post like this:
> 
> http://ask.metafilter.com/53101/How-do-I-force-HTTPS-in-Tomcat-through-Apache-and-modjk
> 
> is also wrong?

Have you read any of the Tomcat documentation, or are you just googling?


p


> On Wed, Nov 9, 2011 at 3:47 PM, André Warnier <aw...@ice-sa.com> wrote:
> 
>> Harsimranjit singh Kler wrote:
>>
>>> Hi
>>> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL in my
>>> setup.
>>>
>>> i Am able to successfully on httpd.but there is lot of confusion how to
>>> enable between httpd to AJP  & AJP to tomcat.
>>>
>>> There is no confusion. You can't do that. There is no SSL variant of the
>> AJP protocol.
>>
>>
>> There is not specific documentation also.
>>>
>>
>> For the same reason.
>>
>>
>>
>>> 1) what are step for modjk configurations?
>>> 2)Is AJP support SSL?
>>>
>>
>> No. That should have been the first question.
>>
>>
>> 3)Changes in server.xml for AJP port to support SSL requests via modjk?
>>>
>>> None, see above.
>>
>> Note : what you /can/ do, is to use mod_jk to pass all relevant SSL
>> information about the original client<->Apache connection, to Tomcat, via
>> HTTP headers.
>>
>> Additional note : of course, if you would really must do this, you could
>> still run the mod_jk-to-Tomcat connection over an SSL tunnel.  But that
>> would be something set up totally outside of Apache, Tomcat and their
>> configuration.
>> E.g.
>>
>> browser <-- HTTPS -->  apache + mod_jk -> localhost:localport1
>>
>> localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 -->
>> Tomcat
>>
>>
>>
> 




Re: SSL for modjk and tomcat

Posted by Harsimranjit singh Kler <si...@gmail.com>.
Hi

Thanks for the reply.

There are some parameters; what are they for? I saw ones like:

JkExtractSSL On

JkHTTPSIndicator HTTPS

JkSESSIONIndicator SSL_SESSION_ID

JkCIPHERIndicator SSL_CIPHER

JkCERTSIndicator SSL_CLIENT_CERT

and

JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

JkExtractSSL

etc. etc.

Are these not helpful?

And someone posted like this:

http://ask.metafilter.com/53101/How-do-I-force-HTTPS-in-Tomcat-through-Apache-and-modjk

Is that also wrong?

On Wed, Nov 9, 2011 at 3:47 PM, André Warnier <aw...@ice-sa.com> wrote:

> Harsimranjit singh Kler wrote:
>
>> Hi
>> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL in my
>> setup.
>>
>> i Am able to successfully on httpd.but there is lot of confusion how to
>> enable between httpd to AJP  & AJP to tomcat.
>>
>> There is no confusion. You can't do that. There is no SSL variant of the
> AJP protocol.
>
>
> There is not specific documentation also.
>>
>
> For the same reason.
>
>
>
>> 1) what are step for modjk configurations?
>> 2)Is AJP support SSL?
>>
>
> No. That should have been the first question.
>
>
> 3)Changes in server.xml for AJP port to support SSL requests via modjk?
>>
>> None, see above.
>
> Note : what you /can/ do, is to use mod_jk to pass all relevant SSL
> information about the original client<->Apache connection, to Tomcat, via
> HTTP headers.
>
> Additional note : of course, if you would really must do this, you could
> still run the mod_jk-to-Tomcat connection over an SSL tunnel.  But that
> would be something set up totally outside of Apache, Tomcat and their
> configuration.
> E.g.
>
> browser <-- HTTPS -->  apache + mod_jk -> localhost:localport1
>
> localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 -->
> Tomcat
>
>
>

Re: SSL for modjk and tomcat

Posted by André Warnier <aw...@ice-sa.com>.
Harsimranjit singh Kler wrote:
> Hi
> I am using httpd 2.2.17 modjk 1.2.30 tomcat 6.0.I want to enable SSL in my
> setup.
> 
> i Am able to successfully on httpd.but there is lot of confusion how to
> enable between httpd to AJP  & AJP to tomcat.
>
There is no confusion. You can't do that. There is no SSL variant of the AJP protocol.

> There is not specific documentation also.

For the same reason.

> 
> 1) what are step for modjk configurations?
> 2)Is AJP support SSL?

No. That should have been the first question.

> 3)Changes in server.xml for AJP port to support SSL requests via modjk?
> 
None, see above.

Note : what you /can/ do, is to use mod_jk to pass all relevant SSL information about the 
original client<->Apache connection, to Tomcat, via HTTP headers.

Additional note : of course, if you really must do this, you could still run the
mod_jk-to-Tomcat connection over an SSL tunnel.  But that would be something set up
totally outside of Apache, Tomcat and their configuration.
E.g.

browser <-- HTTPS -->  apache + mod_jk -> localhost:localport1

localport1 <-- SSL tunnel --> remoteport1 --> remote AJP port 8009 --> Tomcat
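
The setup the replies in this thread describe, as an added configuration sketch that is not from any poster here: TLS terminates at httpd, mod_jk forwards requests to Tomcat over unencrypted AJP, and the SSL directives quoted earlier are written out at their documented defaults. The host name, certificate paths, worker name `tomcat1` and the `/app` mount are assumptions.

```apache
# httpd 2.2 with mod_ssl and mod_jk already loaded (LoadModule lines omitted).
# Assumed placeholders: www.example.com, conf/ssl/*, worker "tomcat1", /app.

JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# conf/workers.properties (separate file) would hold:
#   worker.list=tomcat1
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=127.0.0.1   # or the local end of a tunnel (localport1)
#   worker.tomcat1.port=8009

Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    # SSL between browser and httpd: this is the only encrypted hop.
    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key

    # Have mod_ssl export its variables so mod_jk can pick them up;
    # ExportCertData is only needed if the client certificate is forwarded.
    SSLOptions +StdEnvVars +ExportCertData

    # The directives quoted in the thread, at their default values.
    # Leaving all of them out gives the same behaviour.
    JkExtractSSL       On
    JkHTTPSIndicator   HTTPS
    JkCERTSIndicator   SSL_CLIENT_CERT
    JkCIPHERIndicator  SSL_CIPHER
    JkSESSIONIndicator SSL_SESSION_ID
    JkOptions          +ForwardKeySize

    # JkMount goes inside the virtual host that should serve the application.
    JkMount /app/* tomcat1
</VirtualHost>

# Tomcat side (server.xml): the AJP connector needs no SSL settings.
# Binding it to loopback (assumes httpd and Tomcat share a host) keeps the
# cleartext AJP port off the network:
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
```

With this in place the web application sees the request as secure because mod_jk passes the HTTPS indicator along with the request, while the AJP hop itself stays cleartext.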
