Posted to users@tomcat.apache.org by 李征 <us...@yahoo.com.cn> on 2008/09/16 12:43:27 UTC

Re: Re: Re: about Connector's attribute redirectPort

Thank you so much for explaining the question so clearly.
I think I understand how redirect works now.
And in my case, I think Apache handles all the SSL process, and redirectPort is not necessary.


----- Original Message ----
From: André Warnier <aw...@ice-sa.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: 2008/9/16 (Tue), 5:10:34 PM
Subject: Re: Re: Re: about Connector's attribute redirectPort

李征 wrote:
> I use Apache as the web server and Tomcat as the JSP container, and use mod_jk to make them work together.
> When a request comes, Apache will send it to Tomcat via ajp:8009,
> and if it is a secure request, I think Tomcat will redirect it to port 8443
> 

Hi 李征,

as both Chris and Chuck tried to explain :

1) if the <Connector> that is enabled for "normal" HTTP requests has an
redirectPort="8443" attribute, it does mean what you say in the first
part of your question above : if Tomcat receives a request on this
Connector's "main" port (8009 in your case), and it appears to Tomcat
that this request should be using HTTPS, then Tomcat will automatically
send back a response to the browser, telling the browser : "Browser,
this request should be re-issued to this different address :
https://samehost.samedomain.com:8443/...". This is called an "external
redirect" response.
Normally, the browser will then automatically re-issue the same request,
but now to the indicated "new" address and port (and, in this case, also
using HTTPS instead of HTTP).

> if Tomcat is not listening on the port 8443, I just don't understand
> how redirect could happen?
>
2) As explained above, the re-direct by Tomcat *will* happen.
Whether Tomcat is listening on that port or not, has nothing to do with
that first part.  Tomcat just issues the response it has been told to
issue, and that's it.  The rest is not its problem (at least for now).
For Tomcat, this request is finished, done, and it waits for the next one.

In the architecture you describe (Apache in front of Tomcat, AJP
connector, Tomcat), here is the sequence :

The Apache server receives browser requests on its port 80, decides
which requests should go to Tomcat, and for those requests that should
go to Tomcat, passes them to the AJP connector in Apache.
The AJP connector in Apache passes the request to Tomcat, on Tomcat's
port 8009 (because so is your configuration).
The Tomcat connector on port 8009 receives the request, and passes it to
the Tomcat machinery.
The Tomcat machinery notices that this request requires HTTPS, so it
automatically issues a re-direct response, to the redirect port
indicated in the <Connector>, or to the standard HTTPS port 443 by default.
The response is picked up by the Tomcat connector, and sent back to Apache.
Apache receives the Tomcat response (the re-direct) from the AJP
connector, and passes it back to the browser.
The browser gets the re-direct response, which tells him to re-send the
request, but using the HTTPS protocol and port 8443 (in this case,
because that is what Tomcat said).
The browser re-issues the request, *to the same Apache host as before*,
but this time via HTTPS and to port 8443 (because that is what it has
been told to do, in the Tomcat re-direct response).

Now is the clinch :
the server receiving this new request is not Tomcat, it is Apache !  So,
it is Apache that should have something listening on port 8443.  And,
maybe, Apache will be set up so that when it receives a HTTPS request on
port 8443, it also passes it to Tomcat, using some other connector.
For Tomcat to handle these HTTPS requests, you will then need, under
Tomcat, *another* <Connector>, this one set up properly to handle HTTPS
requests.
But this new Connector will not necessarily be on port 8443.
The port 8443 (or whatever you put in "redirectPort" in the original
Connector), is just to tell Tomcat which port number it should include
in its original re-direct response.
It is "just a string".

Yes ?


> 
> 
> ----- Original Message ----
> From: "Caldarale, Charles R" <Ch...@unisys.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: 2008/9/13 (Sat), 1:36:14 AM
> Subject: RE: Re: about Connector's attribute redirectPort
> 
>> From: 李征 [mailto:ustc9703er@yahoo.com.cn]
>> Subject: Re: about Connector's attribute redirectPort
>>
>> this is my setting for connector
>>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>                port="8009" minProcessors="5" maxProcessors="150"
>>                enableLookups="true" redirectPort="8443"
>>                acceptCount="10" debug="0" connectionTimeout="0"
>>                useURIValidationHack="false"
>>                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
> 
> That's the <Connector> for port 8009; if you want Tomcat to listen for HTTPS on 8443, you need another <Connector> for that port.  The one for 8443 is commented out in server.xml by default.
> 
> - Chuck
> 
>> From: 李征 [mailto:ustc9703er@yahoo.com.cn]
>> Subject: Re: about Connector's attribute redirectPort
>>
>> Mark
>>
>> Thanks a lot for your reply,
>>
>> this is my setting for connector
>>
>>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>                port="8009" minProcessors="5" maxProcessors="150"
>>                enableLookups="true" redirectPort="8443"
>>                acceptCount="10" debug="0" connectionTimeout="0"
>>                useURIValidationHack="false"
>>                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
>>
>> and I can't get anything from
>> netstat -apn | grep 8443
> 
> 
> From: Mark Thomas <ma...@apache.org>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: 2008/9/12 (Fri), 4:21:38 PM
> Subject: Re: about Connector's attribute redirectPort
> 
> 李征 wrote:
>> at tomcat official site, 
>>
>> http://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html
>> redirectPort is described as below
>>
>>
> If this Connector is supporting non-SSL requests, and a request is
> received for which a matching <security-constraint> requires SSL
> transport, Catalina will automatically redirect the request to the port
> number specified here. The default value is 443.
>>
>> but I still don't understand what redirectPort is used for.
> Which part of the description don't you understand?
> 
>> and actually, Tomcat doesn't listen on the port specified by redirectPort,
>> so how does the redirect work?
> If Tomcat isn't listening on that port with a secure connector it won't work.
> 
> Mark
> 
> 
> 


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Re: Re: Re: about Connector's attribute redirectPort

Posted by André Warnier <aw...@ice-sa.com>.
李征 wrote:
> Thank you so much for explaining the question so clearly.
> I think I understand how redirect works now.
You are welcome.
This is the first time I've answered a question by someone whose name I
can write, but neither read nor pronounce :-)



Re: Re: Re: Re: about Connector's attribute redirectPort

Posted by Christopher Schultz <ch...@christopherschultz.net>.

李征,

李征 wrote:
> Thank you so much for explaining the question so clearly. I think I
> understand how redirect works now. And in my case, I think Apache
> handles all the SSL process, and redirectPort is not necessary.

redirectPort might still be necessary, but you need to set it to the
port that Apache httpd uses to provide SSL services (probably 443).

-chris


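The configuration the thread converges on, as an added example that is not part of the original messages: the AJP connector posted above with redirectPort pointed at the port where Apache httpd serves SSL, next to a web.xml constraint of the kind that triggers the redirect. Port 443 follows the "probably 443" reply and is an assumption; the resource name and URL pattern are hypothetical.

```xml
<!-- server.xml (Tomcat): the AJP connector from the thread, with redirectPort
     changed from 8443 to the port where Apache httpd terminates SSL.
     443 is an assumption taken from the "probably 443" reply. Tomcat does not
     listen on this port; the value only ends up in the redirect response. -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8009" minProcessors="5" maxProcessors="150"
           enableLookups="true" redirectPort="443"
           acceptCount="10" debug="0" connectionTimeout="0"
           useURIValidationHack="false"
           protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>

<!-- WEB-INF/web.xml (web application): a constraint that requires SSL
     transport. A non-SSL request matching it is what makes Tomcat issue the
     redirect to redirectPort. Resource name and URL pattern are hypothetical. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Account pages</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With the original redirectPort="8443" and nothing listening on 8443 on the Apache host, the browser follows the redirect to a closed port, which is the failure described in the thread.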