Posted to users@tomcat.apache.org by Roger <rx...@gmail.com> on 2007/07/05 14:51:25 UTC

Tomcat 6 + Apache 2.0 with SSL

Hi there!

I have some questions about how to set up Apache and Tomcat with SSL
support. Currently I have the following setup:

- Windows 2003
- Tomcat 6.0.13
- Apache 2.0.59 with
  - openssl 0.9.7j
  - mod_ssl
  - mod_proxy
  - mod_rewrite (not used)

I have generated keys that work with Apache. So I can open a page like
https://localhost/. I've tried to use mod_proxy to redirect all
traffic to Tomcat, which works for http and https, using the following
setup:

<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

<VirtualHost *:443>
    SSLProxyEngine On
    ProxyPass https://localhost:443/ https://localhost:8443/
    ProxyPassReverse https://localhost:443/ https://localhost:8443/
</VirtualHost>

I have the following questions:

1) Is this a normal setup? Anything that could cause a problem?
2) I want to be able to route traffic for one webapp to https, not
allowing it to be used via http. I don't care if this is done using
mod_rewrite or mod_proxy or anything else.

All suggestions are appreciated!

Thanks,

Roger

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 6 + Apache 2.0 with SSL

Posted by Roger <rx...@gmail.com>.
Hi there! First of all, thanks for all your replies. I don't know  
why, but I missed all your replies except the last of course. I'll  
try to answer your questions.

What I need is to have the option to use SSL with Tomcat. Apache  
httpd is not a necessity. There is no need to have an https  
connection between Apache and Tomcat. I tried several setups in the  
past weeks.

1) Tomcat standalone + SSL; this worked with 5.5, but not 6.0.
2) Apache 2.2 with SSL; couldn't get SSL working.
3) Apache 2.0 with SSL; this worked without Tomcat, and I had a  
working certificate.
4) Apache 2.0 + mod_proxy to Tomcat; this worked, but not with SSL.
-- At this point I mailed the list.
5) Apache 2.0 in a new setup, with SSL, mod_proxy, and server.xml  
slightly modified. This worked!
6) Apache 2.2 in the same setup (modified httpd.conf)

In this setup all http traffic is redirected to https, which is not  
ideal. To answer some questions:

- Apache httpd does not point to the Tomcat webapps.
- Double https is not needed (like: browser -> https-> Apache ->  
https-> tomcat)
- I use this for my SSL certificate: <IfModule ssl_module>Include conf/ssl.conf</IfModule>

This is my current setup in 2.2:

> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule ssl_module modules/mod_ssl.so
>
> <IfModule ssl_module>
> 	SSLRandomSeed startup builtin
> 	SSLRandomSeed connect builtin
> 	Include conf/ssl.conf
> </IfModule>
>
> ProxyPass / http://localhost:8080/
> ProxyPassReverse / http://localhost:8080/
> 	
> <VirtualHost *:443>
> 	SSLProxyEngine On
> 	ProxyPass https://localhost:443/ https://localhost:8443/
> 	ProxyPassReverse https://localhost:443/ https://localhost:8443/
> </VirtualHost>

Some questions:

1) Will this setup work to make https work for selected webapps or  
subdirectories only? Or do I need mod_rewrite? Do you have examples  
of how this can be done?
2) Could the same be done using mod_rewrite? It's not clear to me  
what the differences are, and what for instance mod_jk could add  
here. (Not that I plan to use mod_jk now, but I want to understand.)
3) I have difficulty understanding the mod_rewrite syntax. Is this a
good book on how to learn it? Do you have other suggestions?
http://www.amazon.com/Definitive-Guide-Apache-mod_rewrite/dp/1590595610/

Roger


On 6 Jul 2007, at 11:19, David Smith wrote:

> But all the contents of $CATALINA_HOME/webapps/$YOUR_APPLICATION/WEB-INF
> does become exposed and that should not be.  If you are going to do
> that, you should consider making sure you configure apache httpd to not
> serve up anything contained there.
>
> --David
>
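
The single-SSL layout discussed in this thread (browser -> https -> Apache -> http -> Tomcat) with one webapp restricted to https, as an added example that is not part of any post. The context path /secureapp, the host name www.example.com and the certificate paths are assumptions.

```apache
# Added example, not from the thread. Assumptions: the protected webapp is
# deployed at the hypothetical context path /secureapp, the site is called
# www.example.com, Tomcat's plain HTTP connector listens on localhost:8080,
# and the certificate paths below are placeholders (in the poster's setup the
# certificate directives come from conf/ssl.conf).

# Port 80: everything is proxied to Tomcat except /secureapp, which is
# redirected to https and never forwarded over plain http.
<VirtualHost *:80>
    ServerName www.example.com

    # ProxyPass rules are checked in configuration order and the first match
    # wins, so the exclusion has to come before the catch-all rule.
    ProxyPass /secureapp !

    # With the path excluded from the proxy, mod_alias answers the request
    # with a 301 to the https URL. A fixed host name is used on purpose so
    # the target does not depend on the client-supplied Host header.
    Redirect permanent /secureapp https://www.example.com/secureapp

    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

# Port 443: httpd terminates SSL and talks plain http to Tomcat on the same
# machine, so neither SSLProxyEngine nor Tomcat's 8443 connector is involved.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Placeholder paths.
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key

    # The first argument of ProxyPass is a URL path on this virtual host,
    # not a full https://host:port/ URL.
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

# The restriction only holds if clients cannot reach Tomcat's port 8080
# directly. Binding the connector to the loopback interface (the address
# attribute of <Connector> in server.xml) or a host firewall rule covers that.
```

A request for http://www.example.com/secureapp/ should then return a 301 whose Location header starts with https://, while other paths keep working over both schemes.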


Re: Tomcat 6 + Apache 2.0 with SSL

Posted by David Smith <dn...@cornell.edu>.
But all the contents of $CATALINA_HOME/webapps/$YOUR_APPLICATION/WEB-INF 
does become exposed and that should not be.  If you are going to do 
that, you should consider making sure you configure apache httpd to not 
serve up anything contained there.

--David

Arian Abrahantes wrote:
> Hi Filip:
>
> Just to end this because, probably, I am making a mistake or I didn't 
> make myself clear in my previous post. Do you mean that in the apache 
> configuration in the virtual host definition one must not point the 
> DocumentRoot directive to the folder where your contents are?
> Something like:
>
> DocumentRoot $CATALINA_HOME/webapps/$YOUR_APPLICATION
>
> I meant documents or applications not tomcat config files or whatever 
> alike? or at least is what the previous line looks like. Please if 
> this is wrong kindly consider to tell me how it must be done? I don't 
> see where is the security issue cause like this, IMHO, any other file 
> from tomcat is out of sight for sniffers.
>
> And Roger, original poster, just an example of how to integrate apache 
> and tomcat with mod proxy for an application based in tomcat. Which 
> will clarify any doubt you had for setting up a configuration with 
> apache as proxy. I think I should have posted the example instead of
> trying to explain myself, my English is not good after all.
> http://195.14.236.181/opencms/opencms/alkacon-documentation/howto_apache_httpd/mod_proxy.html 
>
>
> Hope you can explain me and thanking you in advance,
>
> arian
>
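
If DocumentRoot does point into a webapp directory, the deny rules David describes could look like this. This is an added example, not from the thread; /opt/tomcat/webapps/myapp is a hypothetical stand-in for $CATALINA_HOME/webapps/$YOUR_APPLICATION, and the access-control syntax is the httpd 2.0/2.2 form.

```apache
# Added example, not from the thread. /opt/tomcat/webapps/myapp is a
# hypothetical stand-in for $CATALINA_HOME/webapps/$YOUR_APPLICATION.
# Order/Deny is the httpd 2.0/2.2 syntax; httpd 2.4 expresses the same rule
# as "Require all denied".

DocumentRoot "/opt/tomcat/webapps/myapp"

# Deny by filesystem path, not by URL. A <Location> rule matches the URL as
# requested, so on a case-insensitive filesystem (the server in this thread
# runs Windows 2003) a differently-cased URL can map to the same files.
# <Directory> applies to the content wherever the request came from.
<Directory "/opt/tomcat/webapps/myapp/WEB-INF">
    Order allow,deny
    Deny from all
</Directory>

# META-INF is the other directory a servlet container never serves itself.
<Directory "/opt/tomcat/webapps/myapp/META-INF">
    Order allow,deny
    Deny from all
</Directory>

# If httpd served a JSP file from disk it would send the page source as
# text, so refuse those files here; JSP requests should only ever reach
# Tomcat through the proxy. The character classes keep the match
# case-insensitive without relying on regex flags.
<Directory "/opt/tomcat/webapps/myapp">
    <FilesMatch "\.[Jj][Ss][Pp][Xx]?$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```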


Re: Tomcat 6 + Apache 2.0 with SSL

Posted by Arian Abrahantes <Ar...@cern.ch>.
Hi Filip:

Just to end this because, probably, I am making a mistake or I didn't 
make myself clear in my previous post. Do you mean that in the apache 
configuration in the virtual host definition one must not point the 
DocumentRoot directive to the folder where your contents are? Something
like:

DocumentRoot $CATALINA_HOME/webapps/$YOUR_APPLICATION

I meant documents or applications not tomcat config files or whatever 
alike? or at least is what the previous line looks like. Please if this 
is wrong kindly consider to tell me how it must be done? I don't see 
where is the security issue cause like this, IMHO, any other file from 
tomcat is out of sight for sniffers.

And Roger, original poster, just an example of how to integrate apache 
and tomcat with mod proxy for an application based in tomcat. Which will 
clarify any doubt you had for setting up a configuration with apache as 
proxy. I think I should have posted the example instead of trying to
explain myself, my English is not good after all.
 http://195.14.236.181/opencms/opencms/alkacon-documentation/howto_apache_httpd/mod_proxy.html

Hope you can explain me and thanking you in advance,

arian


Filip Hanik - Dev Lists wrote:
> Arian Abrahantes wrote:
>> Hi Filip:
>>
>> I understood what he wanted to do. My post is about how needed is
>> this for him? If it is a company requirement, OK. But if there is no
>> requirement, why slow the server down?
>>
>> IMHO, in a properly set apache proxy configuration nobody except
>> apache will interact with the application (you name it) that lies
>> below him. So even if companies or users wish this double
>> encryption I seriously doubt they will be getting more security.
>>
>> Anyway, as far as I know both servers can share the same keys for 
>> authentication (I am pretty sure there is a quite close in date 
>> -previous month- thread posted in this list or in Opencms' one) and 
>> just looking into his config it should work so just try it out. He is 
>> just missing the addition of the DocumentRoot where his contents 
>> under tomcat lies.
>
> uh, absolutely not, never point your DocumentRoot to the Tomcat file 
> structure unless you know exactly how to secure it.
> Filip
>
>>
>> hth,
>>
>> arian


Re: Tomcat 6 + Apache 2.0 with SSL

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Arian Abrahantes wrote:
> Hi Filip:
>
> I understood what he wanted to do. My post is about how needed is this
> for him? If it is a company requirement, OK. But if there is no
> requirement, why slow the server down?
>
> IMHO, in a properly set apache proxy configuration nobody except
> apache will interact with the application (you name it) that lies
> below him. So even if companies or users wish this double
> encryption I seriously doubt they will be getting more security.
>
> Anyway, as far as I know both servers can share the same keys for 
> authentication (I am pretty sure there is a quite close in date 
> -previous month- thread posted in this list or in Opencms' one) and 
> just looking into his config it should work so just try it out. He is 
> just missing the addition of the DocumentRoot where his contents under 
> tomcat lies.

uh, absolutely not, never point your DocumentRoot to the Tomcat file 
structure unless you know exactly how to secure it.
Filip

>
> hth,
>
> arian


Re: Tomcat 6 + Apache 2.0 with SSL

Posted by Arian Abrahantes <Ar...@cern.ch>.
Hi Filip:

I understood what he wanted to do. My post is about how needed is this
for him? If it is a company requirement, OK. But if there is no
requirement, why slow the server down?

IMHO, in a properly set apache proxy configuration nobody except apache
will interact with the application (you name it) that lies below him. So
even if companies or users wish this double encryption I seriously
doubt they will be getting more security.

Anyway, as far as I know both servers can share the same keys for 
authentication (I am pretty sure there is a quite close in date 
-previous month- thread posted in this list or in Opencms' one) and just 
looking into his config it should work so just try it out. He is just 
missing the addition of the DocumentRoot where his contents under tomcat 
lies.

hth,

arian


Filip Hanik - Dev Lists wrote:
> I think what he wants is
>
> browser -> http -> Apache -> http -> tomcat
> browser -> https-> Apache -> https-> tomcat
>
> a lot of companies have these requirements
>
> Filip
>
>
> Arian Abrahantes wrote:
>> Hi:
>>
>> I think this has already been discussed somewhere here. Why do you
>> need double encryption? It is enough with the apache one. Use
>> something like:
>>
>> browser -> https -> Apache -> http -> tomcat
>>
>> pro:
>>
>> 1- Single encryption, fast server response.
>>
>> cons (at least for security):
>>
>> 1- none
>>
>> I may be wrong, please verify in the mailing list archive
>>
>> Filip Hanik - Dev Lists wrote:
>>> question, does it work? or does it always send requests to 8080, for 
>>> both http and https?
>>>
>>> for your SSL, you can/need to add in your httpd client certificate, 
>>> ie, the certificate to use when contacting Tomcat for SSL
>>>
>>> <VirtualHost *:443>
>>>   SSLProxyEngine On
>>>   ProxyPass / https://localhost:8443/
>>>   ProxyPassReverse / https://localhost:8443/
>>>   #
>>>   # Put your Proxy SSL Certificate directives here
>>>   #
>>> </VirtualHost>
>>>
>>>
>>> Filip


Re: Tomcat 6 + Apache 2.0 with SSL

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
I think what he wants is

browser -> http -> Apache -> http -> tomcat
browser -> https-> Apache -> https-> tomcat

a lot of companies have these requirements

Filip


Arian Abrahantes wrote:
> Hi:
>
> I think this has already been discussed somewhere here. Why do you 
> need double encryption? It is enough with the apache one. Use 
> something like:
>
> browser -> https -> Apache -> http -> tomcat
>
> pro:
>
> 1- Single encryption fast server response.
>
> cons (at least for security):
>
> 1- none
>
> I may be wrong, please verify in the mailing list archive
>
> Filip Hanik - Dev Lists wrote:
>> question, does it work? or does it always send requests to 8080, for 
>> both http and https?
>>
>> for your SSL, you can/need to add in your httpd client certificate, 
>> ie, the certificate to use when contacting Tomcat for SSL
>>
>> <VirtualHost *:443>
>>   SSLProxyEngine On
>>   ProxyPass / https://localhost:8443/
>>   ProxyPassReverse / https://localhost:8443/
>>   #
>>   # Put your Proxy SSL Certificate directives here
>>   #
>> </VirtualHost>
>>
>>
>> Filip
>>
>> Roger wrote:
>>> Hi there!
>>>
>>> I have some questions about how to setup Apache and Tomcat with SSL
>>> support. Currently I have the following setup:
>>>
>>> - Windows 2003
>>> - Tomcat 6.0.13
>>> - Apache 2.0.59 with
>>>  - openssl 0.9.7j
>>>  - mod_ssl
>>>  - mod_proxy
>>>  - mod_rewrite (not used)
>>>
>>> I have generated keys that work with Apache. So I can open a page like
>>> https://localhost/. I've tried to use mod_proxy to redirect all
>>> traffic to Tomcat, which works for http and https, using the following
>>> setup:
>>>
>>> <IfModule mod_ssl.c>
>>>    Include conf/ssl.conf
>>> </IfModule>
>>>
>>> ProxyPass / http://localhost:8080/
>>> ProxyPassReverse / http://localhost:8080/
>>>
>>> <VirtualHost *:443>
>>>    SSLProxyEngine On
>>>    ProxyPass https://localhost:443/ https://localhost:8443/
>>>    ProxyPassReverse https://localhost:443/ https://localhost:8443/
>>> </VirtualHost>
>>>
>>> I have the following questions:
>>>
>>> 1) Is this a normal setup? Anything that could cause a problem?
>>> 2) I want to be able to route traffic for one webapp to https, not
>>> allowing it to be used via http. I don't care if this is done using
>>> mod_rewrite or mod_proxy or anything else.
>>>
>>> All suggestions are appreciated!
>>>
>>> Thanks,
>>>
>>> Roger

Re: Tomcat 6 + Apache 2.0 with SSL

Posted by Arian Abrahantes <Ar...@cern.ch>.
Hi:

I think this has already been discussed somewhere here. Why do you need 
double encryption? It is enough with the apache one. Use something like:

browser -> https -> Apache -> http -> tomcat

pro:

1- Single encryption fast server response.

cons (at least for security):

1- none

I may be wrong, please verify in the mailing list archive

Filip Hanik - Dev Lists wrote:
> question, does it work? or does it always send requests to 8080, for 
> both http and https?
>
> for your SSL, you can/need to add in your httpd client certificate, 
> ie, the certificate to use when contacting Tomcat for SSL
>
> <VirtualHost *:443>
>   SSLProxyEngine On
>   ProxyPass / https://localhost:8443/
>   ProxyPassReverse / https://localhost:8443/
>   #
>   # Put your Proxy SSL Certificate directives here
>   #
> </VirtualHost>
>
>
> Filip
>
> Roger wrote:
>> Hi there!
>>
>> I have some questions about how to setup Apache and Tomcat with SSL
>> support. Currently I have the following setup:
>>
>> - Windows 2003
>> - Tomcat 6.0.13
>> - Apache 2.0.59 with
>>  - openssl 0.9.7j
>>  - mod_ssl
>>  - mod_proxy
>>  - mod_rewrite (not used)
>>
>> I have generated keys that work with Apache. So I can open a page like
>> https://localhost/. I've tried to use mod_proxy to redirect all
>> traffic to Tomcat, which works for http and https, using the following
>> setup:
>>
>> <IfModule mod_ssl.c>
>>    Include conf/ssl.conf
>> </IfModule>
>>
>> ProxyPass / http://localhost:8080/
>> ProxyPassReverse / http://localhost:8080/
>>
>> <VirtualHost *:443>
>>    SSLProxyEngine On
>>    ProxyPass https://localhost:443/ https://localhost:8443/
>>    ProxyPassReverse https://localhost:443/ https://localhost:8443/
>> </VirtualHost>
>>
>> I have the following questions:
>>
>> 1) Is this a normal setup? Anything that could cause a problem?
>> 2) I want to be able to route traffic for one webapp to https, not
>> allowing it to be used via http. I don't care if this is done using
>> mod_rewrite or mod_proxy or anything else.
>>
>> All suggestions are appreciated!
>>
>> Thanks,
>>
>> Roger

Re: Tomcat 6 + Apache 2.0 with SSL

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
question, does it work? or does it always send requests to 8080, for 
both http and https?

for your SSL, you can/need to add in your httpd client certificate, ie, 
the certificate to use when contacting Tomcat for SSL

<VirtualHost *:443>
   SSLProxyEngine On
   ProxyPass / https://localhost:8443/
   ProxyPassReverse / https://localhost:8443/
   #
   # Put your Proxy SSL Certificate directives here
   #
</VirtualHost>


Filip

Roger wrote:
> Hi there!
>
> I have some questions about how to setup Apache and Tomcat with SSL
> support. Currently I have the following setup:
>
> - Windows 2003
> - Tomcat 6.0.13
> - Apache 2.0.59 with
>  - openssl 0.9.7j
>  - mod_ssl
>  - mod_proxy
>  - mod_rewrite (not used)
>
> I have generated keys that work with Apache. So I can open a page like
> https://localhost/. I've tried to use mod_proxy to redirect all
> traffic to Tomcat, which works for http and https, using the following
> setup:
>
> <IfModule mod_ssl.c>
>    Include conf/ssl.conf
> </IfModule>
>
> ProxyPass / http://localhost:8080/
> ProxyPassReverse / http://localhost:8080/
>
> <VirtualHost *:443>
>    SSLProxyEngine On
>    ProxyPass https://localhost:443/ https://localhost:8443/
>    ProxyPassReverse https://localhost:443/ https://localhost:8443/
> </VirtualHost>
>
> I have the following questions:
>
> 1) Is this a normal setup? Anything that could cause a problem?
> 2) I want to be able to route traffic for one webapp to https, not
> allowing it to be used via http. I don't care if this is done using
> mod_rewrite or mod_proxy or anything else.
>
> All suggestions are appreciated!
>
> Thanks,
>
> Roger
>
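
An added example, not part of the thread: one way to fill in the "Proxy SSL Certificate directives" placeholder from the reply above and to keep one webapp reachable over https only, as asked in the original question. The webapp path /secureapp, the host name in the Redirect target and the certificate file paths are assumptions; ports 8080 and 8443 are the ones used in the thread.

```apache
# Added example. /secureapp, the Redirect host name and the conf/ssl/* paths
# are placeholders; localhost:8080 and localhost:8443 come from the thread.

# Plain HTTP: browser -> http -> Apache -> http -> Tomcat.
# Keeping these mappings inside a port-80 vhost scopes them to http only.
<VirtualHost *:80>
    # Any http request for the protected webapp is sent to the https vhost.
    Redirect permanent /secureapp https://localhost/secureapp

    # Keep the webapp out of the catch-all proxy mapping so the Redirect
    # above is what answers; exclusions go before the broader ProxyPass.
    ProxyPass        /secureapp !
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

# HTTPS: browser -> https -> Apache -> https -> Tomcat.
<VirtualHost *:443>
    # SSLEngine and the server certificate directives for this vhost are
    # assumed to be configured already (the poster's conf/ssl.conf).

    # Lets mod_proxy speak TLS to the backend.
    SSLProxyEngine On

    # Verify the certificate Tomcat presents on 8443 against a CA (or the
    # self-signed certificate itself) that you trust for the backend.
    SSLProxyCACertificateFile conf/ssl/tomcat-ca.crt
    SSLProxyVerify require
    SSLProxyVerifyDepth 1

    # Client certificate and unencrypted key, in one PEM file, that httpd
    # presents to Tomcat. Only needed if the Tomcat connector requests
    # client authentication.
    SSLProxyMachineCertificateFile conf/ssl/httpd-client.pem

    ProxyPass        / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
```

Without the SSLProxyVerify and SSLProxyCACertificateFile lines, httpd encrypts the hop to Tomcat but does not check which server it is talking to.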