
I'm sure this is an FAQ but I couldn't find anything I recognized as being the same question.

I have several web-apps running in Tomcat, with some pages (e.g. the login page) protected by SSL as defined by confidentiality elements in their web.xmls. One of the apps also accepts client-authentication via certificate. I also have a rather extensive JAAS-based authorization & authentication scheme, and there are all kinds of shared code and different JAAS configurations etc. between the various webapps. I really don't want to disturb any of that while accomplishing the below.

I am now in the process of inserting Apache HTTPD with mod-proxy and mod-proxy-balancer in front of Tomcat as a load balancer, prior to adding more Tomcat instances. What I want to accomplish for HTTPS requests is that they are redirected 'blind' to Tomcat without HTTPD being the SSL endpoint, i.e. HTTPD just passes ciphertext directly to Tomcat so that TC can keep doing what it is already doing with logins, SSL, web.xml confidentiality guarantees, and most importantly client authentication.

Is this possible with the configuration I've described?

I am very familiar with the webapps and SSL and HTTPS and Tomcat, but my knowledge of the outer reaches of Apache HTTPD is limited. (Happy to have this moved if necessary, but it is kind of programming with config files.)


This sounds similar to this question, where I've answered that it's not possible:

"You can't just relay the SSL/TLS traffic to Tomcat from Apache. Your SSL connection ends at Apache, and then you should reverse proxy the traffic to Tomcat (SSL is rarely useful in this case), or you make the clients connect to Tomcat directly and let it handle the SSL."

I admit it's a bit short of links to back this claim. As you know, you need a direct connection, or a connection entirely relayed, between the user-agent and the SSL endpoint (in this case, you want it to be Tomcat). This means that Apache Httpd won't be able to look into the URL: it will know the host name at best (when using Server Name Indication).

The only option that doesn't seem to depend on a URL in the mod_proxy documentation is AllowCONNECT, which is what's used for forward proxy servers for HTTPS. Even the options in mod_proxy_balancer expect a path at some point of the configuration. Its documentation doesn't mention SSL/HTTPS ("It provides load balancing support for HTTP, FTP and AJP13 protocols"), whereas mod_proxy talks at least about SSL when mentioning CONNECT.

I guess I might be wrong (I've just never seen this done, but that doesn't strictly mean it doesn't exist).

- Using an iptables-based load-balancer, without going through Httpd, ending the connections in Tomcat directly.
- Ending the SSL/TLS connection at Httpd and using a plain HTTP reverse proxy to Tomcat.

This second option requires a bit more configuration to deal with the client certificates and Tomcat's security constraints. If you have configured your webapp with CONFIDENTIAL, you will need to make Tomcat flag the connections as secure, despite the fact it sees them coming from its plain HTTP port.
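The option of ending TLS at Httpd and proxying to a balanced pair of Tomcat nodes, as an added configuration example that is not part of the question or the answer. It assumes httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_ajp and mod_proxy_balancer loaded, two Tomcat nodes at the made-up addresses 10.0.0.11 and 10.0.0.12, and the hostname www.example.com and certificate paths as placeholders. It uses AJP rather than plain HTTP between httpd and Tomcat because AJP carries the "this request arrived over TLS" flag and the verified client certificate as request attributes, which is what lets web.xml CONFIDENTIAL constraints and CLIENT-CERT authentication keep working without changing the webapps.

```apache
# httpd side: TLS, and client-certificate verification, end here.
# Added example; hostnames, paths and backend addresses are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Client-certificate authentication is verified against the issuing CA here.
    # "optional" lets the apps without CLIENT-CERT auth share this vhost; Tomcat
    # receives a certificate only when the client presented one that verified.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient optional
    SSLVerifyDepth 2

    # ExportCertData exposes the PEM client certificate as SSL_CLIENT_CERT;
    # mod_proxy_ajp forwards it (with cipher and session id) as AJP attributes.
    SSLOptions +ExportCertData +StdEnvVars

    # Keep the client's Host header so Tomcat builds redirects for www.example.com.
    ProxyPreserveHost On

    # Balancer over the two Tomcat AJP connectors. route= must match each node's
    # jvmRoute so that JSESSIONID.tc1 / JSESSIONID.tc2 cookies stick to their node.
    <Proxy "balancer://tomcat">
        BalancerMember "ajp://10.0.0.11:8009" route=tc1
        BalancerMember "ajp://10.0.0.12:8009" route=tc2
        ProxySet stickysession=JSESSIONID|jsessionid
    </Proxy>

    ProxyPass "/" "balancer://tomcat/"
</VirtualHost>
```

On each Tomcat node the matching pieces of server.xml are the engine's route, `<Engine name="Catalina" defaultHost="localhost" jvmRoute="tc1">`, and an AJP connector such as `<Connector port="8009" protocol="AJP/1.3" address="10.0.0.11"/>`. AJP treats the TLS flag and the certificate as trusted assertions from the proxy, so bind that connector to the internal address and firewall port 8009 so that only the httpd hosts can reach it; Tomcat 8.5.51 and 9.0.31 or later additionally refuse AJP connections unless the connector carries a `secret` (matched by the `secret=` BalancerMember parameter in httpd 2.4.42 or later) or is set to `secretRequired="false"`. If you proxy plain HTTP instead of AJP, the "flag it as secure" effect the answer describes comes from the HTTP connector attributes `secure="true" scheme="https" proxyPort="443"`, which satisfy CONFIDENTIAL constraints but mark every connection on that port as secure, so that port again must be reachable only from httpd; the client certificate then does not travel with the request unless you add Tomcat's `org.apache.catalina.valves.SSLValve`, which rebuilds it from a header the proxy sets, and make httpd unset any client-supplied copy of that header before setting it from SSL_CLIENT_CERT.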
