Posted to users@tomcat.apache.org by Brett Delle Grazie <Br...@Intact-is.com> on 2010/07/22 19:31:19 UTC

SSL, mod_proxy_ajp and AJP connectors query

Hi,

I'm using RHEL5.5 (Up-to-date)
Apache httpd-2.2.3 (from RHEL) with mod_proxy/mod_proxy_ajp
Tomcat 6.0.28 (binary distribution from apache).
Tomcat native libs (1.1.20, compiled)

I have a question regarding AJP connectors and SSL

Our application is being SSL offloaded at the HTTPD server end so communication with Tomcat doesn't need to be encrypted.

I have two virtual hosts configured in Apache HTTPD (one for :80, one for :443) with the application being proxied 
in both virtual hosts.

My question is, in the Tomcat server.xml, do I require _two_ AJP connectors as follows:

(executor omitted for simplicity)

    <!-- AJP connector pair (HTTP and fake HTTPS), proxied -->
    <Connector executor="tomcatThreadPool"
               enableLookups="false"
               port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol" 
               redirectPort="8010" 
               proxyPort="80" />

    <Connector executor="tomcatThreadPool"
               enableLookups="false"
               port="8010" protocol="org.apache.coyote.ajp.AjpAprProtocol" 
               scheme="https" secure="true" 
               proxyPort="443" />

Or can I proxy both HTTP and HTTPS requests to the same AJP connector and have Tomcat correctly recognise when it's
SSL and return the correct port to the application so URLs are constructed properly?  If I do this, is any
special configuration needed in the SSL vhost?

Essentially I'm wondering if I can do this:

<VirtualHost _default_:80>
        # ... snip ...
        ProxyPass        /examples/ ajp://tomcat:8009/examples/
        ProxyPassReverse /examples/ ajp://tomcat:8009/examples/
</VirtualHost>

<VirtualHost _default_:443>
        SSLEngine on
        # ... snipped ssl config ...

        ProxyPass        /examples/ ajp://tomcat:8009/examples/
        ProxyPassReverse /examples/ ajp://tomcat:8009/examples/
        # Note the AJP port above is the same as the one in the port 80 vhost
</VirtualHost>

Rather than this:

Port 80 vhost identical to above
Port 443 vhost as follows
<VirtualHost _default_:443>
        SSLEngine on
        # ... snipped ssl config ...

        ProxyPass        /examples/ ajp://tomcat:8010/examples/
        ProxyPassReverse /examples/ ajp://tomcat:8010/examples/
        # Note the AJP port is different to that in the port 80 vhost
</VirtualHost>

Any advice appreciated,

Thanks,

Best Regards,

Brett Delle Grazie


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

Re: SSL, mod_proxy_ajp and AJP connectors query

Posted by Brett Delle Grazie <br...@intact-is.com>.
To Christopher and Rainer,

Thanks, that resolved the issue completely.

Best Regards,

Brett

On Thu, 2010-07-22 at 17:35 -0400, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Brett,
> 
> On 7/22/2010 1:31 PM, Brett Delle Grazie wrote:
> > Tomcat 6.0.28 (binary distribution from apache).
> >
> > My question is, in the Tomcat server.xml, do I require _two_ AJP
> > connectors as follows:
> > 
> > (executor omitted for simplicity)
> > 
> >     <!-- AJP connector pair (HTTP and fake HTTPS), proxied -->
> >     <Connector executor="tomcatThreadPool"
> >                enableLookups="false"
> >                port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol"
> >                redirectPort="8010" 
> >                proxyPort="80" />
> > 
> >     <Connector executor="tomcatThreadPool"
> >                enableLookups="false"
> >                port="8010" protocol="org.apache.coyote.ajp.AjpAprProtocol" 
> >                scheme="https" secure="true" 
> >                proxyPort="443" />
> 
> In addition to Rainer's notes, I have a couple of comments:
> 
> It's not necessary to specify
> protocol="org.apache.coyote.ajp.AjpAprProtocol" in the <Connector>. If
> libapr isn't available, you'll be left with no working connectors. If,
> instead, you simply have protocol="AJP/1.3", your <Connector> can
> fall back to the BIO (i.e. blocking pure-Java connector).
> 
> Your redirectPort should point to the port that is visible to the
> outside world, not to the port that is being used for Tomcat. Probably,
> your redirectPort should be set to "443" so that requests will be
> redirected (remember, via the user agent) and hit your Apache httpd
> instance out in front of Tomcat. If you specify "8010", and that port is
> blocked to the outside world, you'll find that your users will receive a
> "cannot contact server" message. If port 8010 is /not/ blocked, they'll
> get a weird SSL error saying that the server isn't speaking HTTPS....
> because it's speaking AJP!
> 
> Hope that helps,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkxIuZcACgkQ9CaO5/Lv0PBAfwCfQN9zGWDLjE8flIPh3xpmUoWx
> MrUAn1Epj1dKmzh0/SAD2KI+C44i2bvX
> =xF9L
> -----END PGP SIGNATURE-----
> 

-- 
Best Regards,

Brett Delle Grazie


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL, mod_proxy_ajp and AJP connectors query

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brett,

On 7/22/2010 1:31 PM, Brett Delle Grazie wrote:
> Tomcat 6.0.28 (binary distribution from apache).
>
> My question is, in the Tomcat server.xml, do I require _two_ AJP
> connectors as follows:
> 
> (executor omitted for simplicity)
> 
>     <!-- AJP connector pair (HTTP and fake HTTPS), proxied -->
>     <Connector executor="tomcatThreadPool"
>                enableLookups="false"
>                port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol"
>                redirectPort="8010" 
>                proxyPort="80" />
> 
>     <Connector executor="tomcatThreadPool"
>                enableLookups="false"
>                port="8010" protocol="org.apache.coyote.ajp.AjpAprProtocol" 
>                scheme="https" secure="true" 
>                proxyPort="443" />

In addition to Rainer's notes, I have a couple of comments:

It's not necessary to specify
protocol="org.apache.coyote.ajp.AjpAprProtocol" in the <Connector>. If
libapr isn't available, you'll be left with no working connectors. If,
instead, you simply have protocol="AJP/1.3", your <Connector> can
fall back to the BIO (i.e. blocking pure-Java connector).

Your redirectPort should point to the port that is visible to the
outside world, not to the port that is being used for Tomcat. Probably,
your redirectPort should be set to "443" so that requests will be
redirected (remember, via the user agent) and hit your Apache httpd
instance out in front of Tomcat. If you specify "8010", and that port is
blocked to the outside world, you'll find that your users will receive a
"cannot contact server" message. If port 8010 is /not/ blocked, they'll
get a weird SSL error saying that the server isn't speaking HTTPS....
because it's speaking AJP!

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxIuZcACgkQ9CaO5/Lv0PBAfwCfQN9zGWDLjE8flIPh3xpmUoWx
MrUAn1Epj1dKmzh0/SAD2KI+C44i2bvX
=xF9L
-----END PGP SIGNATURE-----



Re: SSL, mod_proxy_ajp and AJP connectors query

Posted by Rainer Jung <ra...@kippdata.de>.
On 22.07.2010 19:31, Brett Delle Grazie wrote:
> Hi,
>
> I'm using RHEL5.5 (Up-to-date)
> Apache httpd-2.2.3 (from RHEL) with mod_proxy/mod_proxy_ajp
> Tomcat 6.0.28 (binary distribution from apache).
> Tomcat native libs (1.1.20, compiled)
>
> I have a question regarding AJP connectors and SSL
>
> Our application is being SSL offloaded at the HTTPD server end so communication with Tomcat doesn't need to be encrypted.
>
> I have two virtual hosts configured in Apache HTTPD (one for :80, one for :443) with the application being proxied
> in both virtual hosts.
>
> My question is, in the Tomcat server.xml, do I require _two_ AJP connectors as follows:
>
> (executor omitted for simplicity)
>
>      <!-- AJP connector pair (HTTP and fake HTTPS), proxied -->
>      <Connector executor="tomcatThreadPool"
>                 enableLookups="false"
>                 port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol"
>                 redirectPort="8010"
>                 proxyPort="80" />
>
>      <Connector executor="tomcatThreadPool"
>                 enableLookups="false"
>                 port="8010" protocol="org.apache.coyote.ajp.AjpAprProtocol"
>                 scheme="https" secure="true"
>                 proxyPort="443" />
>
> Or can I proxy both HTTP and HTTPS requests to the same AJP connector and have Tomcat correctly recognise when its
> SSL and return the correct port to the application so URLs are constructed properly?  If I do this, are there any
> special configuration needed in the SSL vhost?

It will work with well-behaved apps without special configuration. 
That's one strength of the AJP protocol.

See

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

for more details.

Regards,

Rainer

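Rainer's point that one AJP connector serves both vhosts, and Christopher's point about where redirectPort sends the browser, both come down to what travels inside each AJP/1.3 forward-request packet. The following is an added illustration, not code from Tomcat, mod_proxy_ajp or anyone in this thread: a small encoder and parser for the AJP13 forward-request packet (method, header and attribute code tables as defined by the AJP13 protocol), two constructed packets for the same URI as httpd would forward them from the :80 and :443 vhosts to a single connector, and a `container_view` function that approximates how a container derives scheme, `isSecure()` and server port from the `is_ssl` and `server_port` fields and where a confidential-transport redirect would point for a given redirectPort. Host names, addresses and cipher strings are constructed sample values.

```python
import struct

# Illustrative AJP/1.3 encoder/decoder (constructed example, not Tomcat or mod_proxy_ajp code).
AJP_MAGIC_TO_CONTAINER = b"\x12\x34"   # web server -> servlet container
JK_FORWARD_REQUEST = 0x02
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6, "TRACE": 7}
METHOD_NAMES = {v: k for k, v in METHODS.items()}
# Common request headers are sent as 0xA0xx codes instead of their names.
HEADER_CODES = {"accept": 0xA001, "content-type": 0xA007, "content-length": 0xA008,
                "cookie": 0xA009, "host": 0xA00B, "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}
# Per-request attributes that follow the header block (string-valued ones only here).
ATTR_CODES = {"query_string": 0x05, "jvm_route": 0x06, "ssl_cert": 0x07,
              "ssl_cipher": 0x08, "ssl_session": 0x09, "secret": 0x0C}
ATTR_NAMES = {v: k for k, v in ATTR_CODES.items()}
ATTR_DONE = 0xFF


def enc_str(s):
    """AJP string: 2-byte length, bytes, NUL terminator; None is the 0xFFFF null string."""
    if s is None:
        return b"\xff\xff"
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"


def build_forward_request(method, uri, remote_addr, server_name, server_port, is_ssl,
                          headers, attrs):
    """Encode one forward-request packet as a web server would send it to the container."""
    p = bytes([JK_FORWARD_REQUEST, METHODS[method]])
    p += enc_str("HTTP/1.1") + enc_str(uri) + enc_str(remote_addr) + enc_str(None)
    # server_port and is_ssl ride inside every request, so one connector can serve both vhosts.
    p += enc_str(server_name) + struct.pack(">H", server_port) + bytes([1 if is_ssl else 0])
    p += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        p += struct.pack(">H", code) if code else enc_str(name)
        p += enc_str(value)
    for name, value in attrs:
        p += bytes([ATTR_CODES[name]]) + enc_str(value)
    p += bytes([ATTR_DONE])
    return AJP_MAGIC_TO_CONTAINER + struct.pack(">H", len(p)) + p


class AjpReader:
    """Cursor over a packet payload."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        v = self.data[self.pos]
        self.pos += 1
        return v

    def u16(self):
        v = struct.unpack_from(">H", self.data, self.pos)[0]
        self.pos += 2
        return v

    def string(self):
        n = self.u16()
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n + 1  # skip the trailing NUL
        return s


def parse_forward_request(packet):
    """Decode a forward-request packet into the fields a container sees for the request."""
    if packet[:2] != AJP_MAGIC_TO_CONTAINER:
        raise ValueError("not a web-server-to-container AJP packet")
    length = struct.unpack(">H", packet[2:4])[0]
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    r = AjpReader(payload)
    if r.byte() != JK_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[r.byte()], "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(), "is_ssl": r.byte() == 1,
           "headers": {}, "attrs": {}}
    for _ in range(r.u16()):
        first = r.u16()
        if (first & 0xFF00) == 0xA000:          # coded header name
            name = HEADER_NAMES[first]
        else:                                    # literal name: rewind and read the string
            r.pos -= 2
            name = r.string()
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == ATTR_DONE:
            break
        req["attrs"][ATTR_NAMES[code]] = r.string()
    return req


def container_view(req, redirect_port):
    """Approximation of what the webapp sees (scheme, isSecure, server port, request URL) and
    of the URL a confidential-transport redirect would target for the given redirectPort."""
    scheme = "https" if req["is_ssl"] else "http"
    default = 443 if scheme == "https" else 80
    port_part = "" if req["server_port"] == default else ":%d" % req["server_port"]
    request_url = "%s://%s%s%s" % (scheme, req["server_name"], port_part, req["uri"])
    redirect = None
    if not req["is_ssl"]:   # only a plain request gets bounced to the redirectPort
        rp = "" if redirect_port == 443 else ":%d" % redirect_port
        redirect = "https://%s%s%s" % (req["server_name"], rp, req["uri"])
    return {"scheme": scheme, "secure": req["is_ssl"], "server_port": req["server_port"],
            "request_url": request_url, "confidential_redirect": redirect}


# Constructed samples: the same URI arriving on ONE connector from the :80 and :443 vhosts.
PLAIN = build_forward_request("GET", "/examples/", "203.0.113.7", "www.example.com", 80, False,
                              [("Host", "www.example.com"), ("User-Agent", "curl/7.19")], [])
TLS = build_forward_request("GET", "/examples/", "203.0.113.7", "www.example.com", 443, True,
                            [("Host", "www.example.com")], [("ssl_cipher", "AES256-SHA")])

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN), ("tls", TLS)):
        req = parse_forward_request(pkt)
        print(label, container_view(req, 443), container_view(req, 8010))
```

The decoded TLS packet carries `is_ssl=1`, `server_port=443` and the `ssl_cipher` attribute even though it arrived on the same connector as the plain one, which is why no second connector and no `scheme`/`secure`/`proxyPort` overrides are needed for the forwarded requests. The `container_view` output for the plain request shows the redirectPort effect: with 443 the redirect lands on httpd, with 8010 it lands on the AJP port itself. When verifying a live setup, check the AJP port is not reachable from outside and that the `secret` attribute (the proxy-to-connector shared secret) is configured if the network between httpd and Tomcat is not trusted.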