Posted to dev@tomcat.apache.org by wa...@wispertel.net on 2005/04/03 08:00:42 UTC

[PATCH] Tomcat 5.X connectors SSL Accelerator proxy support

Dev Team,

Attached is a patch to address the Tomcat 5.X inability to specify a
secure proxy without an SSL connection. The goal is to specify
secure="true", scheme="https", proxyPort="443", and
proxyName="ssl-accelerator.domain.com" on a plain HTTP Connector in
server.xml. I am not sure if this is the best, (or even acceptable),
solution, but it is the simplest I could come up with while not changing
the documented Tomcat 5.X Connector attributes. The configuration above
used to work with Tomcat 4.1, because the SSL support was never enabled
unless the <Factory/> tag was specified within the Connector
specification.

The approach here for Tomcat 5.X is to ignore the secure
attribute/property configuration in the underlying Http11Protocol instance
if the Connector is configured with either a proxyPort or proxyName and
there are no other explicit SSL configuration attributes specified. The
logic behind this choice is that use of an SSL Accelerator will imply a
proxied port and/or host and will not specify any SSL related options.
Furthermore, in the event a proxied SSL Connection was desired after all,
it will almost always require at least some keystore access configuration.
One possible variation might be to only ignore the secure configuration if
the proxyName is set; this might be preferable if simple port forwarding
on the host server is more prevalent than the use of SSL Accelerators,
(albeit potentially more confusing).

The patch is limited to the jakarta-tomcat-connectors module and should be
compatible with Tomcat 4.1 and Tomcat 5.X versions. It has been tested
only against Tomcat 5.0.30 so far. If someone on the Dev Team indicates that
this patch is acceptable, I can certainly proceed with Tomcat 4.1 and
Tomcat 5.5 testing... I just would like a sanity check first if at all
possible.

Note: I believe that the minor patch to o/a/coyote/Request.java has
already been performed against the Tomcat 5.5 main trunk by Remy, but was
missing on the Tomcat 5.0 branch.

Thanks for your consideration in advance,

Randy Watler
Finali-Convergys Corporation
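The configuration the patch is meant to enable, written out as server.xml fragments for Tomcat 5.0.x. This is an added example, not the attached patch or any Tomcat-shipped file; the host name ssl-accelerator.domain.com is the one used in the post, while the listener ports, keystore path and password are placeholders. It shows the two connector shapes the patch's heuristic has to tell apart: an accelerator-facing plain HTTP connector that carries only proxy and scheme/secure attributes, and a connector that terminates SSL itself and therefore carries keystore attributes.

```xml
<!-- Added example (not from the original post or the Tomcat distribution).
     Tomcat 5.0.x server.xml fragments; ports, keystore path and password are
     placeholders. -->
<Service name="Catalina">

  <!-- Case 1: plain HTTP connector behind an SSL accelerator.
       The accelerator terminates TLS on ssl-accelerator.domain.com:443 and
       forwards cleartext to Tomcat on port 8080.
       proxyName/proxyPort make request.getServerName()/getServerPort()
       report the public endpoint; scheme/secure make request.getScheme()
       return "https" and request.isSecure() return true.
       Under the patch described above the connector stays plain HTTP
       because proxyName/proxyPort are set and no SSL attribute
       (keystoreFile, keystorePass, sslProtocol, clientAuth, ...) is present. -->
  <Connector port="8080"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" acceptCount="100"
             connectionTimeout="20000" disableUploadTimeout="true"
             scheme="https" secure="true"
             proxyName="ssl-accelerator.domain.com" proxyPort="443" />

  <!-- Case 2: connector that terminates SSL in Tomcat itself.
       The keystore attributes are what distinguish it from case 1 under the
       patch's heuristic; secure="true" on its own is ambiguous between the
       two cases, which is the problem the patch addresses. -->
  <Connector port="8443"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" acceptCount="100"
             connectionTimeout="20000" disableUploadTimeout="true"
             scheme="https" secure="true"
             sslProtocol="TLS" clientAuth="false"
             keystoreFile="${catalina.home}/conf/keystore.jks"
             keystorePass="changeit" />

  <!-- Engine/Host definitions unchanged; omitted here. -->
</Service>
```

Two consequences of case 1 worth checking before deploying it. First, every request arriving on port 8080 is reported as secure, so a web.xml transport-guarantee of CONFIDENTIAL is satisfied by cleartext on that port; the port must therefore be reachable only from the accelerator (host firewall or a private interface), otherwise a client that connects to 8080 directly bypasses the accelerator and is still treated as if it came over TLS. Second, because the TLS session ends at the accelerator, Tomcat never sees the client certificate: the javax.servlet.request.X509Certificate request attribute stays unset on this connector, so any CLIENT-CERT authentication has to be done at the accelerator and relayed some other way.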


Re: [PATCH] Tomcat 5.X connectors SSL Accelerator proxy support

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
watler@wispertel.net wrote:
> Dev Team,
> 
> Attached is a patch to address the Tomcat 5.X inability to specify a
> secure proxy without an SSL connection. The goal is to specify
> secure="true", scheme="https", proxyPort="443", and
> proxyName="ssl-accelerator.domain.com" on a plain HTTP Connector in
> server.xml.

BTW: This proxy does not allow getting client certificates, does it?

> I am not sure if this is the best, (or even acceptable),
> solution, but it is the simplest I could come up with while not changing
> the documented Tomcat 5.X Connector attributes. The configuration above
> used to work with Tomcat 4.1, because the SSL support was never enabled
> unless the <Factory/> tag was specified within the Connector
> specification.
> 
> The approach here for Tomcat 5.X is to ignore the secure
> attribute/property configuration in the underlying Http11Protocol instance
> if the Connector is configured with either a proxyPort or proxyName and
> there are no other explicit SSL configuration attributes specified. The
> logic behind this choice is that use of an SSL Accelerator will imply a
> proxied port and/or host and will not specify any SSL related options.
> Furthermore, in the event a proxied SSL Connection was desired after all,
> it will almost always require at least some keystore access configuration.
> One possible variation might be to only ignore the secure configuration if
> the proxyName is set; this might be preferable if simple port forwarding
> on the host server is more prevalent than the use of SSL Accelerators,
> (albeit potentially more confusing).
> 
> The patch is limited to the jakarta-tomcat-connectors module and should be
> compatible with Tomcat 4.1 and Tomcat 5.X versions. It has been tested
> only against Tomcat 5.0.30 so far. If someone on the Dev Team indicates that
> this patch is acceptable, I can certainly proceed with Tomcat 4.1 and
> Tomcat 5.5 testing... I just would like a sanity check first if at all
> possible.
> 
> Note: I believe that the minor patch to o/a/coyote/Request.java has
> already been performed against the Tomcat 5.5 main trunk by Remy, but was
> missing on the Tomcat 5.0 branch.
> 
> Thanks for your consideration in advance,
> 
> Randy Watler
> Finali-Convergys Corporation
> 
> 
> 
> ------------------------------------------------------------------------
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
