Posted to users@tomcat.apache.org by Rizwan Merchant <ri...@sysconet.ca> on 2006/05/27 19:05:07 UTC

SSL with Tomcat and Apache..IE problems

We are running Tomcat 5.5.16 on Fedora Core 4 OS. We just installed
Apache 2.0 as a front to serve the pages using the mod_jk connector.
There are 2 apps on Tomcat (virtual hosting), one of which needs to be
SSL enabled (let's say app1 and app2, app2 is the one that needs to be
SSL enabled).

Everything seems to be working fine on Firefox, both apps can be
accessed fine. When we access www.app1.com pages are served as expected,
and when we access www.app2.com the browser detects the certificate and
switches to https.

But things are not well when it comes to IE. www.app1.com works the same 
as FF, and the app can be accessed. But when we try to access 
www.app2.com, IE shows the certificate and asks if we would like to 
proceed. When we click on 'Yes', the browser cannot find the app after 
that and returns "Page cannot be displayed error". Also, directly 
accessing the https site by using the URL https://www.app2.com:8443 
works fine on IE as well.
So it's basically the switching from http to https for app2 that doesn't
seem to work.

I don't understand why this works on FF but not on IE..!
I hope someone can shed some light on this. I can post the httpd.conf,
server.xml and workers.properties files if that helps..

Thanks,
-Riz.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL with Tomcat and Apache..IE problems

Posted by Rizwan Merchant <ri...@sysconet.ca>.
P.S. If it were up to me, I wouldn't use IE for anything.. been having too
many problems with IE and SSL, IE and Struts, etc.
Unfortunately, as a web-app developer, we have to cater to 80% of the
population that still uses IE !!! :)



Re: SSL with Tomcat and Apache..IE problems

Posted by Bill Barker <wb...@wilshire.com>.
"Rizwan Merchant" <ri...@sysconet.ca> wrote in message 
news:4478D8A7.4070101@sysconet.ca...
>
> Thanks Bill,
> Can I change the redirect port in server.xml from 8443 to 443? Currently,
> we are running tomcat as non-root user (tomcat user). Will we need to 
> change this as well?
>

Well, since you are fronting with Apache, you could set up Apache to handle
the SSL requests on 443 (probably easiest).  Then you just configure that
VirtualHost to forward all to Tomcat.

Barring that, you can use the 'jsvc' program from commons-daemon (which is
bundled in a tarball with the Tomcat distro) to allow Tomcat to bind to 443
as root, and then switch to a non-privileged user to handle requests.


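The first option in the reply above (Apache handles SSL on 443 and forwards to Tomcat), sketched as an added example against the www.app2.net virtual host posted in this thread; it is not configuration from any of the posters. The certificate and key paths and the ssl-* log file names are assumptions.

```apache
# Added example, not from the thread. Requires mod_ssl, mod_alias and mod_jk.
# On many installs "Listen 443" already lives in conf.d/ssl.conf; keep only one.
Listen 443

# Plain-HTTP side of app2: nothing is mounted to Tomcat here. The only job of
# this vhost is to send the browser to HTTPS on the default port, so no
# ":8443" ever appears in a Location header.
<VirtualHost *:80>
    ServerName www.app2.net
    Redirect permanent / https://www.app2.net/
</VirtualHost>

# HTTPS side of app2: Apache terminates SSL and hands the request to Tomcat
# over AJP (worker1, port 8009). mod_jk passes the "request was secure" flag
# along, so the CONFIDENTIAL transport-guarantee in web.xml is satisfied
# without Tomcat issuing a redirect of its own.
<VirtualHost *:443>
    ServerName www.app2.net
    DocumentRoot /var/www/www.app2.net/html

    SSLEngine on
    # Placeholder paths (assumptions). mod_ssl reads PEM files, not the Java
    # keystore used by the Tomcat 8443 connector.
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/www.app2.net.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.app2.net.key

    ErrorLog  /var/log/httpd/www.app2.net-ssl-error_log
    CustomLog /var/log/httpd/www.app2.net-ssl-access_log common

    JkMount /  worker1
    JkMount /* worker1
</VirtualHost>
```

With this layout Tomcat keeps running as the unprivileged tomcat user, since only Apache binds to 443. The redirectPort on the AJP connector in server.xml would then point at 443 instead of 8443, so any redirect Tomcat does issue for the security constraint also lands on the default port.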

Re: SSL with Tomcat and Apache..IE problems

Posted by Rizwan Merchant <ri...@sysconet.ca>.
Thanks Bill,
Can I change the redirect port in server.xml from 8443 to 443?
Currently, we are running tomcat as non-root user (tomcat user). Will we 
need to change this as well?



Re: SSL with Tomcat and Apache..IE problems

Posted by Bill Barker <wb...@wilshire.com>.
"Rizwan Merchant" <ri...@sysconet.ca> wrote in message 
news:447886C3.6070205@sysconet.ca...
>
> We are running Tomcat 5.5.16 on Fedora Core 4 OS. We just installed
> Apache 2.0 as a front to serve the pages using the mod_jk connector. There
> are 2 apps on Tomcat (virtual hosting), one of which needs to be SSL
> enabled (let's say app1 and app2, app2 is the one that needs to be SSL
> enabled).
>
> Everything seems to be working fine on Firefox, both apps can be accessed
> fine. When we access www.app1.com pages are served as expected, and when
> we access www.app2.com the browser detects the certificate and switches to
> https.
>
> But things are not well when it comes to IE. www.app1.com works the same
> as FF, and the app can be accessed. But when we try to access
> www.app2.com, IE shows the certificate and asks if we would like to
> proceed. When we click on 'Yes', the browser cannot find the app after
> that and returns "Page cannot be displayed error". Also, directly
> accessing the https site by using the URL https://www.app2.com:8443 works
> fine on IE as well.
> So it's basically the switching from http to https for app2 that doesn't
> seem to work.
>

This used to pop up all the time when more people were using TC 4 :).  What
is happening is that IE gets confused easily when you redirect to a
non-default SSL port.  This is especially true if the next page that you hit
also does a redirect.

The solution is to use the default SSL port of 443 (either that, or don't
use IE ;-).



Re: SSL with Tomcat and Apache..IE problems

Posted by Jim Jagielski <ji...@jaguNET.com>.
Another possible issue is the session cookie information,
which IE has problems with when doing simple HTTP redirects.



Re: SSL with Tomcat and Apache..IE problems

Posted by Rizwan Merchant <ri...@sysconet.ca>.
Hi,
Thanks for the response.

Apache is listening on standard port 80. Tomcat is listening on standard
port 8080 with a redirect to 8443 for SSL connections. So the request
http://www.app2.com comes in on port 80 (apache) and then the mod_jk 
connector forwards this request to 8080 (which is then redirected to 
8443). The web.xml file of app2 specifies the security-constraint to 
ensure all pages are SSL encrypted.

Snippets from all the relevant files are shown below (with tags to 
indicate start and end of each file). 

<!--START Apache Virtual Hosting Snippet-->

<VirtualHost *:80>
        ServerName www.app2.net
        DocumentRoot /var/www/www.app2.net/html
        ServerAdmin rizwan.merchant@sysconet.ca
        ErrorLog /var/log/httpd/www.app2.net-error_log
        CustomLog /var/log/httpd/www.app2.net-access_log common
        JkMount / worker1
        JkMount /* worker1
</VirtualHost>


<VirtualHost *:80>
        ServerName www.app1.ca
        DocumentRoot /var/www/www.app1.ca/html
        ServerAdmin rizwan.merchant@sysconet.ca
        ErrorLog /var/log/httpd/www.app1.ca-error_log
        CustomLog /var/log/httpd/www.app1.ca-access_log common
        JkMount / worker1
        JkMount /* worker1
</VirtualHost>

<!--END Apache Virtual Hosting Snippet-->


<!--START Tomcat Connector/Virtual Hosting Snippet-->

    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
     to 0 -->
  
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
   
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/home/rmerchant/cww.keystore" keystorePass="abcdef" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />

    <Host name="www.app2.net" appBase="/home/app2/webapp"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
    </Host>

    <Host name="www.app1.ca" appBase="/home/app1/webapp"
          unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
    </Host>

    <Listener className="org.apache.jk.config.ApacheConfig"
              modJk="/usr/lib/httpd/modules/mod_jk.so"
              workersConfig="/etc/httpd/conf/workers.properties"/>

<!--END Tomcat Connector/Virtual Hosting Snippet-->


<!--START WORKERS.PROPERTIES FILE-->

workers.tomcat_home=/usr/local/tomcat 
workers.java_home=/usr/local/java 
ps=/ 
worker.list=worker1 
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
worker.worker1.lbfactor=1 
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=worker1 
worker.inprocess.type=jni 
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar 
worker.inprocess.cmd_line=start 
worker.inprocess.jvm_lib=$(workers.java_home)$(ps)jre$(ps)lib$(ps)i386$(ps)classic$(ps)libjvm.so 
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr

<!--END WORKERS.PROPERTIES FILE-->


<!--WEB.XML SNIPPET FOR APP2-->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app2</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>




Re: SSL with Tomcat and Apache..IE problems

Posted by Wade Chandler <hw...@yahoo.com>.
--- Rizwan Merchant <ri...@sysconet.ca> wrote:

> We are running Tomcat 5.5.16 on Fedora Core 4 OS. We just installed
> Apache 2.0 as a front to serve the pages using the mod_jk connector.
> There are 2 apps on Tomcat (virtual hosting), one of which needs to be
> SSL enabled (let's say app1 and app2, app2 is the one that needs to be
> SSL enabled).
>
> Everything seems to be working fine on Firefox, both apps can be
> accessed fine. When we access www.app1.com pages are served as expected,
> and when we access www.app2.com the browser detects the certificate and
> switches to https.
>
> But things are not well when it comes to IE. www.app1.com works the same
> as FF, and the app can be accessed. But when we try to access
> www.app2.com, IE shows the certificate and asks if we would like to
> proceed. When we click on 'Yes', the browser cannot find the app after
> that and returns "Page cannot be displayed error". Also, directly
> accessing the https site by using the URL https://www.app2.com:8443
> works fine on IE as well.
> So it's basically the switching from http to https for app2 that doesn't
> seem to work.
>
> I don't understand why this works on FF but not on IE..!
> I hope someone can shed some light on this. I can post the httpd.conf,
> server.xml and workers.properties files if that helps..
>
> Thanks,
> -Riz.

Not sure what you mean that the browser detects the certificate and then
changes to https.  Also the standard https port is 443 and not 8443, so
I'm not sure how anything would automatically think https://www.app2.com
would be linked to https://www.app2.com:8443 when the default would be
https://www.app2.com:443 (https://www.app2.com).  I can't tell you why it
works in FF, but given what you have provided I would not expect FF to
work actually.  Are you using a redirect or JavaScript to reload the page
or something to redirect the http to your https site?

Wade
