> -----Original Message-----
> From: Jean-frederic Clere [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 17, 2006 1:12 PM
> To: Tomcat Developers List
> Subject: Re: SSL Connectors - config proposal
>
> Filip Hanik - Dev Lists wrote:
>
> > gents and ladies,
> >
> > currently we are doing SSL a little bit differently between APR and
> > the Java connectors.
> > The APR connector requires an attribute sslEngine="On" to kick in.
> >
> > I believe this attribute to be useful for two reasons:
> >
> > 1. Config should be as consistent as possible.
> >
> > 2. If I use a SSL network card, or apache doing SSL etc, I would like to
> > trick Tomcat into thinking it is running in SSL
> > for example:
> >
> > Apache Port 80 -> mod_proxy(http) -> Tomcat 8080
> > <Connector protocol="HTTP/1.1" port="8080"/>
> > Apache Port 443 -> mod_proxy(http) -> Tomcat 8081
> > <Connector protocol="HTTP/1.1" port="8081" secure="true"
> > scheme="https" sslEngine="off"/>
> >
> > This example here is with Apache, but if you use any kind of SSL
> > accelerator, be it a network card or an appliance,
> > there is a risk of getting stuck in a redirect loop when using
> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > in web.xml
> >
> > Currently, you have to work around it using Valves or filters, but it
> > can get a little messy.
> >
> > Useful?
>
> What would you propose if we use HTTP/AJP + SSL between
> Apache httpd and TC?
> BTW: In TC 5.x the secure="true" or secure="false" does not behave as in
> the documentation (See PR 40766).
>
There are a lot of people that are relying on the current behavior (e.g. using the same worker for both the HTTP and HTTPS vhost, and using the value that is passed to TC). IMHO, it is the documentation that should be fixed, since the AJP connector has never allowed you to configure secure outside the AJP protocol (going all the way back to TC 3.x :).

> Cheers
>
> Jean-Frederic
>
> > Filip
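
The redirect loop described in the quoted proposal, modelled as an added example that is not part of the original thread and is not Tomcat code. It assumes the front end maps public ports 80 and 443 to connectors 8080 and 8081 as in the proposal, that the CONFIDENTIAL check redirects to public port 443 whenever the receiving connector reports `secure=false`, and it models only the `secure` attribute; all names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connector:
    port: int
    secure: bool = False   # value the container sees from request.isSecure()

# Front-end mapping from the proposal: public port -> Tomcat connector port.
# TLS ends at the front end, so both back-end hops are plain HTTP.
PROXY = {80: 8080, 443: 8081}
REDIRECT_PORT = 443        # assumed public HTTPS port used by the redirect

def handle(connector, confidential):
    """Model of the transport-guarantee check on one request.

    A CONFIDENTIAL resource reached through a connector that does not
    report itself as secure is answered with a redirect to HTTPS.
    """
    if confidential and not connector.secure:
        return 302
    return 200

def fetch(connectors, public_port, confidential=True, max_hops=5):
    """Follow redirects like a browser and return the status of each hop."""
    statuses = []
    port = public_port
    for _ in range(max_hops):
        backend = connectors[PROXY[port]]
        status = handle(backend, confidential)
        statuses.append(status)
        if status != 302:
            break
        port = REDIRECT_PORT   # client retries over HTTPS at the front end
    return statuses

# Constructed configurations. BROKEN: connector 8081 receives the offloaded
# HTTPS traffic but still reports secure=false. FIXED: the proposal's
# secure="true" on the connector behind public port 443.
BROKEN = {8080: Connector(8080), 8081: Connector(8081)}
FIXED = {8080: Connector(8080), 8081: Connector(8081, secure=True)}

if __name__ == "__main__":
    print("broken:", fetch(BROKEN, 80))   # redirects until max_hops
    print("fixed: ", fetch(FIXED, 80))    # one redirect, then served
```
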