Thanks, Peter. That kind of practical advice is very good to know in advance.

Geoff

On 09/02/2010, at 10:20 PM, Peter Stavrinides wrote:

> Hi Geoff,
> 
> Yes, that's a pretty robust configuration; we have had Tapestry configured this 
> way in production for a couple of years now without issues. If you can use a 
> recent version of Apache, i.e. 2.1 onwards, then it's best to use the built-in 
> mod_proxy_ajp module: http://httpd.apache.org/docs/2.1/mod/mod_proxy_ajp.html
> 
> The only drawback I have found using this set-up is that using reverse AJAX 
> (or Comet if you prefer) through the proxy can be unreliable (under Tomcat6 
> with DWR it was leaking), but Jetty fared better.
> 
> Kind regards,
> Peter
> 
> 
> 
> ----- Original Message -----
> From: "Geoff Callender" <geoff.callender.jumpst...@gmail.com>
> To: "Tapestry users" <users@tapestry.apache.org>
> Sent: Tuesday, 9 February, 2010 05:33:07 GMT +02:00 Athens, Beirut, 
> Bucharest, Istanbul
> Subject: @Secure solution (was Re: [t5.0.18] Secure Annotation / 
> BaseURLSource)
> 
> I've found a solution - use AJP (instead of HTTP) from Apache to 
> Jetty/Tomcat. Apache handles the SSL and AJP preserves the security info, so 
> Tapestry knows a secure channel was used and the @Secure annotation just 
> works. Perfect.
> 
> For the record, the key lines for httpd-ssl.conf are like this:
> 
>       SSLOptions +ExportCertData
> 
>        ProxyRequests Off
>        ProxyPreserveHost On
> 
>        <Proxy *>
>                AddDefaultCharset Off
>                Order deny,allow
>                Allow from all
>        </Proxy>
> 
>        ProxyPass       /myapp ajp://gc1.local:18080/myapp retry=5
>        ProxyPassReverse        /myapp ajp://gc1.local:18080/myapp
> 
> The full config info is in these articles:
> 
>       http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
>       (see "Between Apache and Tomcat")
>       http://docs.codehaus.org/display/JETTY/Configuring+mod_proxy
>       (alternative 1 causes the problem, whereas alternative 2 works!)
> 
> HTH someone else,
> 
> Geoff
> 
> On 09/02/2010, at 12:23 AM, Geoff Callender wrote:
> 
>> Hi Dave et al,
>> 
>> Did you find an OK solution to this? I too am hoping to have Apache look 
>> after https and feed only http to the web server, but any page marked 
>> @Secure will reject http and redirect to https, so you end in a loop 
>> bouncing between browser and webserver via Apache.
>> 
>> Cheers,
>> 
>> Geoff
>> 
>> On 20/05/2009, at 1:02 AM, Dave Greggory wrote:
>> 
>>> 
>>> I'm attempting to contribute my own RequestSecurityManager, but if anybody 
>>> else has a better idea where I don't have to touch internal stuff let me 
>>> know.
>>> 
>>> 
>>> 
>>> ----- Original Message ----
>>> From: Dave Greggory <davegregg...@yahoo.com>
>>> To: Tapestry users <users@tapestry.apache.org>
>>> Sent: Tuesday, May 19, 2009 10:51:41 AM
>>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>>> 
>>> 
>>> Well looks like our internal network structure is pretty set and can't be 
>>> changed. 
>>> 
>>> Users <-- internet (http / https connections ) --> load balancer/firewall 
>>> <-- internal network (http) --> tomcat
>>> 
>>> We have a way of determining from within a tomcat application whether 
>>> internet connection to firewall is secure. This can be done because the 
>>> firewall adds a request header indicating SSL status. This is how we 
>>> usually determine this. Can I get Tapestry to use my helper method that does 
>>> this check to determine whether the connection was secure? How can I get 
>>> secure connections working in this situation? 
>>> 
>>> Thanks so much.
>>> Dave
>>> 
>>> 
>>> 
>>> 
>>> ----- Original Message ----
>>> From: Dave Greggory <davegregg...@yahoo.com>
>>> To: Tapestry users <users@tapestry.apache.org>
>>> Sent: Monday, May 18, 2009 12:16:36 PM
>>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>>> 
>>> 
>>> Don't worry about it, turns out our internal network is screwed up... 
>>> connections between users and the load balancer are secure, but not between 
>>> load balancer and app server.
>>> 
>>> 
>>> 
>>> ----- Original Message ----
>>> From: Dave Greggory <davegregg...@yahoo.com>
>>> To: Tapestry users <users@tapestry.apache.org>
>>> Sent: Monday, May 18, 2009 11:56:56 AM
>>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>>> 
>>> 
>>> obviously, it is.
>>> 
>>> 
>>> 
>>> ----- Original Message ----
>>> From: Martin Strand <do.not.eat.yellow.s...@gmail.com>
>>> To: Tapestry users <users@tapestry.apache.org>
>>> Sent: Monday, May 18, 2009 11:40:40 AM
>>> Subject: Re: [t5.0.18] Secure Annotation / BaseURLSource
>>> 
>>> Just a guess... perhaps baseSecureURL is not an https url?
>>> 
>>> 
>>> On Mon, 18 May 2009 15:15:50 +0200, Dave Greggory <davegregg...@yahoo.com> 
>>> wrote:
>>> 
>>>> 
>>>> I've been using BaseURLSource (since behind a firewall/load balancer) fine 
>>>> all this time, and recently I needed a secure page, so I added the @Secure 
>>>> annotation on that page. But that page is no longer working because 
>>>> @Secure annotation ends up sending continuous redirects. What am I doing 
>>>> wrong?
>>>> 
>>>> My BaseURLSource implementation:
>>>> 
>>>> BaseURLSource source = new BaseURLSource()
>>>> {
>>>> public String getBaseURL(boolean secure)
>>>> {
>>>>   return (secure) ? baseURL : baseSecureURL;
>>>> }
>>>> }
>>>> 
>>>> Thanks,
>>>> Dave
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>> 
> 

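The header-based check Dave describes in the quoted thread (a TLS-terminating load balancer that marks each request with an SSL-status header) can be applied at the servlet layer, so that code consulting `HttpServletRequest.isSecure()` sees the original channel. The following is an added example, not code from the thread or from Tapestry; the class name, the header name `X-Forwarded-Proto` and the proxy address `10.0.0.5` are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: honours the proxy's SSL-status header only from trusted proxies. */
public class TrustedProxySchemeFilter implements Filter {
    // Assumptions: header name and proxy address are placeholders for your environment.
    private static final String PROTO_HEADER = "X-Forwarded-Proto";
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    /** Pure decision function so the trust rule can be unit-tested on its own. */
    static boolean isEffectivelySecure(boolean containerSecure, String remoteAddr, String proto) {
        if (containerSecure) {
            return true;                      // TLS (or AJP-forwarded TLS) seen by the container
        }
        if (!TRUSTED_PROXIES.contains(remoteAddr)) {
            return false;                     // header from any other peer is ignored
        }
        return "https".equalsIgnoreCase(proto);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final boolean secure = isEffectivelySecure(
                http.isSecure(), http.getRemoteAddr(), http.getHeader(PROTO_HEADER));
        // Wrap the request so downstream code asking isSecure() gets the proxy-aware answer.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override
            public boolean isSecure() {
                return secure;
            }
        }, res);
    }

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }
}
```

The filter has to be mapped ahead of the framework's own filter in `web.xml`. The header is only trustworthy when the backend port is reachable solely from the proxy and the proxy overwrites any client-supplied copy of the header.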
