You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Michal Kwiatek <Mi...@cern.ch> on 2004/09/22 15:22:26 UTC
Https, mod_proxy and mod_jk
Hello All,
I am setting up an architecture with many servlet containers behind an
apache 2.0. I tried mod_proxy first, and it works fine for me, except
for https. Normally with mod_proxy, https connection is made to apache
and then it is forwaraded to servlet container as normal http. This is
ok as long as security is concerned (http is done in trusted
environment); the problem is that servlet container does not know that
the connection is safe (request.isSecure() returns false).
I know that this problem can be easily solved with mod_jk. For now, I
use only tomcat as servlet container, so this is ok. However, one day I
might be forced to chage servlet container to something else, like oc4j
for example. And then apache with mod_jk will not be a good solution.
So the question is: "Is it possible to use some magic proxy in front of
servlet containers of different brands so that https works properly?"
Thank you in advance for your help,
Michal.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
AW: Https, mod_proxy and mod_jk
Posted by Steffen Heil <li...@steffen-heil.de>.
Hi
> just use your imagination. I'm sure you can figure out how to pass the
remote host to tomcat, one way or the other, but to say it cannot be
circumvented, thats a little strong :)
You can do that, if you pass parameters, but then you have to change your
webapp, wich is not possible, if you have no control over that.
Regards,
Steffen
Re: Https, mod_proxy and mod_jk
Posted by Filip Hanik - Dev <de...@hanik.com>.
>This is a limitation of http which cannot be circumvented.
just use your imagination. I'm sure you can figure out how to pass the remote host to tomcat, one way or the other, but to say it
cannot be circumvented, thats a little strong :)
Filip
----- Original Message -----
From: "Steffen Heil" <li...@steffen-heil.de>
To: "'Tomcat Users List'" <to...@jakarta.apache.org>
Sent: Wednesday, September 22, 2004 8:49 AM
Subject: AW: Https, mod_proxy and mod_jk
Hi
> And I would say the opposite, mod_proxy is great, as a matter of fact, the
next version of it will have the AJP protocol in it, and mod_proxy is proven
to be very stable.
This is great news for me. Is there any date when this will be stable /
public??
> If you are into advanced config, you an use mod_rewrite, its true voodoo,
you can accomplish pretty much anything you want.
No, you cannot use mod_rewrite, if you need *remoteHost* information in your
servlet...
This is a limitation of http which cannot be circumvented.
Regards,
Steffen
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
AW: Https, mod_proxy and mod_jk
Posted by Steffen Heil <li...@steffen-heil.de>.
Hi
> And I would say the opposite, mod_proxy is great, as a matter of fact, the
next version of it will have the AJP protocol in it, and mod_proxy is proven
to be very stable.
This is great news for me. Is there any date when this will be stable /
public??
> If you are into advanced config, you an use mod_rewrite, its true voodoo,
you can accomplish pretty much anything you want.
No, you cannot use mod_rewrite, if you need *remoteHost* information in your
servlet...
This is a limitation of http which cannot be circumvented.
Regards,
Steffen
Re: Https, mod_proxy and mod_jk
Posted by Filip Hanik - Dev <de...@hanik.com>.
And I would say the opposite, mod_proxy is great, as a matter of fact, the next version of it will have the AJP protocol in it, and
mod_proxy is proven to be very stable.
If you are into advanced config, you an use mod_rewrite, its true voodoo, you can accomplish pretty much anything you want.
Filip
----- Original Message -----
From: <jo...@stormsi.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, September 22, 2004 8:33 AM
Subject: Re: Https, mod_proxy and mod_jk
Hello,
I wouldn't use the mod_proxy at all. If you are tomcat stand alone on
single server, you can set the firewall rules to direct and requests for
port 80 through port 8080. However, mod_jk or jk2 is the way to go. Basic
installation will direct all requests for jsp and servlets through your
container. It gets trickier when you start configuring for multiple
private containers, especially with mod_jk2 due to lack of documentation.
But single instance is a snap.
John L
> Hello All,
>
> I am setting up an architecture with many servlet containers behind an
> apache 2.0. I tried mod_proxy first, and it works fine for me, except
> for https. Normally with mod_proxy, https connection is made to apache
> and then it is forwaraded to servlet container as normal http. This is
> ok as long as security is concerned (http is done in trusted
> environment); the problem is that servlet container does not know that
> the connection is safe (request.isSecure() returns false).
>
> I know that this problem can be easily solved with mod_jk. For now, I
> use only tomcat as servlet container, so this is ok. However, one day I
> might be forced to chage servlet container to something else, like oc4j
> for example. And then apache with mod_jk will not be a good solution.
>
> So the question is: "Is it possible to use some magic proxy in front of
> servlet containers of different brands so that https works properly?"
>
> Thank you in advance for your help,
> Michal.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Https, mod_proxy and mod_jk
Posted by jo...@stormsi.com.
Hello,
I wouldn't use the mod_proxy at all. If you are tomcat stand alone on
single server, you can set the firewall rules to direct and requests for
port 80 through port 8080. However, mod_jk or jk2 is the way to go. Basic
installation will direct all requests for jsp and servlets through your
container. It gets trickier when you start configuring for multiple
private containers, especially with mod_jk2 due to lack of documentation.
But single instance is a snap.
John L
> Hello All,
>
> I am setting up an architecture with many servlet containers behind an
> apache 2.0. I tried mod_proxy first, and it works fine for me, except
> for https. Normally with mod_proxy, https connection is made to apache
> and then it is forwaraded to servlet container as normal http. This is
> ok as long as security is concerned (http is done in trusted
> environment); the problem is that servlet container does not know that
> the connection is safe (request.isSecure() returns false).
>
> I know that this problem can be easily solved with mod_jk. For now, I
> use only tomcat as servlet container, so this is ok. However, one day I
> might be forced to chage servlet container to something else, like oc4j
> for example. And then apache with mod_jk will not be a good solution.
>
> So the question is: "Is it possible to use some magic proxy in front of
> servlet containers of different brands so that https works properly?"
>
> Thank you in advance for your help,
> Michal.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
AW: Https, mod_proxy and mod_jk
Posted by Steffen Heil <li...@steffen-heil.de>.
Hi
If you do not have that much SSL traffic, you can use mod_proxy to forward
requests to servlet containers using SSL!
You only need to install a low-bit certificate in your container and make
that certificate accepted by your apache. It can even be self-signed.
However, your container will have request.isSecure() set to true!
But be carefull with high-load sites. Additional SSL will take more cpu
time.
However, running multiple servlet containers seems to be a development
szenario for me, since you would not do all that on one system on a
productive site, would you?
Regards,
Steffen