Posted to users@tomcat.apache.org by Andrew Miehs <an...@2sheds.de> on 2007/03/29 16:25:23 UTC

Tomcat 5.5 and secure="true"

Dear List,

After reading all the comments regarding mod_proxy_ajp, I am currently
looking at migrating to mod_proxy_http.

The application uses "isSecure" to check whether the request is an HTTPS
connection or not.

Therefore, I have created 2 virtual servers in Apache HTTPD and created
proxy entries from port 80 -> port 8080, and from 443 -> port 8081.

What I do not understand however is why does setting secure to true,
require the presence of a keystore?

See below

Thanks

Andrew



     <Connector port="8080" maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                enableLookups="false" acceptCount="100"
                connectionTimeout="20000" disableUploadTimeout="true" />

     <Connector port="8081" maxHttpHeaderSize="8192" secure="true"
                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                enableLookups="false" acceptCount="100"
                connectionTimeout="20000" disableUploadTimeout="true" />

Mar 29, 2007 4:18:56 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Mar 29, 2007 4:18:56 PM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint
java.io.FileNotFoundException: /home/tomcat/.keystore (No such file or directory)
         at java.io.FileInputStream.open(Native Method)
         at java.io.FileInputStream.<init>(FileInputStream.java:106)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
         at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
         at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
         at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:138)
         at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
         at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:266)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 5.5 and secure="true"

Posted by Andrew Miehs <an...@2sheds.de>.
Dear Filip,

Thanks for the info!

This was what I was planning on doing with Tomcat 5.5.

I have now gone back to use mod_proxy_ajp.

(I can not migrate to Tomcat 6.0 for political reasons)...

Regards

Andrew

On 29/03/2007, at 9:54 PM, Filip Hanik - Dev Lists wrote:

> With tomcat 6, you could do this:
>
>
> 1. For non SSL traffic
> Just ProxyPass to tomcat like always (set ProxyPreserveHost On)
>
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>          port="8080"
>          proxyPort="80" />
>
> 2. For SSL traffic
> Proxy pass to another connector setup like this
>
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>          secure="true" scheme="https"
>          SSLEnabled="false"
>          port="8081"
>          proxyPort="443" />
>
> SSLEnabled=false, means it is http, not https, but
> request.getScheme - will return https
> request.isSecure - will return true
> request.getServerPort - will return 443



Re: Tomcat 5.5 and secure="true"

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
With tomcat 6, you could do this:


1. For non SSL traffic
Just ProxyPass to tomcat like always (set ProxyPreserveHost On)

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
          port="8080"
          proxyPort="80" />

2. For SSL traffic
Proxy pass to another connector setup like this

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
          secure="true" scheme="https"
          SSLEnabled="false"
          port="8081"
          proxyPort="443" />

SSLEnabled=false, means it is http, not https, but
request.getScheme - will return https
request.isSecure - will return true
request.getServerPort - will return 443

Do you need more?
Filip



Mladen Turk wrote:
> Andrew Miehs wrote:
>>
>> After reading all the comments regarding mod_proxy_ajp, I am
>> currently looking at migrating to mod_proxy_http.
>>
>> The application uses "isSecure" to check whether the request is an
>> HTTPS connection or not.
>>
>
> But you obviously didn't read all the comments.
> You will need to set up the whole bunch of headers in Apache and
> create your own Servlet filter in Tomcat to be able to use that.
>
> Regards,
> Mladen.




Re: Tomcat 5.5 and secure="true"

Posted by Mladen Turk <ml...@gmail.com>.
Andrew Miehs wrote:
> 
> After reading all the comments regarding mod_proxy_ajp, I am currently
> looking at migrating to mod_proxy_http.
>
> The application uses "isSecure" to check whether the request is an HTTPS
> connection or not.
>

But you obviously didn't read all the comments.
You will need to set up the whole bunch of headers in Apache and
create your own Servlet filter in Tomcat to be able to use that.

Regards,
Mladen.
