Typically, when SSL is offloaded to an Apache proxy, that proxy should add
a number of X-Forwarded-* headers to any requests sent to the backend.
The servlet container then uses those headers to set up request.scheme,
request.secure, request.remoteAddr, etc. so that they match the original
request sent to the proxy.

With Jetty, all you have to do to support this is set forwarded=true on
the connector in question.

I haven't used Tomcat for a long time, but this page seems to have the
info you need:
http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Basic_configuration_to_handle_'x-forwarded-for'_and_'x-forwarded-proto'

On the Apache side, mod_proxy automatically adds these headers:

    X-Forwarded-For (original IP)
    X-Forwarded-Host (original Host header)
    X-Forwarded-Server (proxy IP)

( see http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers )

But you need to add X-Forwarded-Proto manually, using mod_headers:

    RequestHeader set X-Forwarded-Proto https env=HTTPS
    RequestHeader set X-Forwarded-Proto http env=!HTTPS

Once this is done, and Tomcat is configured to take these headers into
account, you won't need to fiddle around with any BaseURLSource since the
webapp will be able to get all the info it needs directly from the Request
object.

If you happen to be using an old version of Jetty or Tomcat, where there
is no support for X-Forwarded-* headers, you can use this servlet filter
instead:
http://code.google.com/p/xebia-france/wiki/XForwardedFilter

Martin

On Mon, 19 Sep 2011 16:29:17 +0200, Michael Molloy
<tapestrya...@gmail.com> wrote:

Unfortunately, the Apache expert is no longer here. Does the following
code from my tomcat server.xml file answer your question? I don't think
we're using AJP or anything else. It looks to me like the Apache server
is just sending it to Tomcat over port 8080.

    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="350" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443"
               acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" >
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="xxxxxxxxxxxx" deny=""/>
    </Connector>

The corresponding line from the apache httpd.conf file is

    BalancerMember http://xxx.xxx.xxx.xxx:8080 loadfactor=50 route=APP01 timeout=60
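
Added example, not part of the original thread: a web.xml fragment for Tomcat 7's RemoteIpFilter (the filter documented on the Tomcat page linked above) that applies X-Forwarded-For and X-Forwarded-Proto only to requests arriving from the proxy. The address 192.0.2.10 is a placeholder for the Apache proxy's IP, and the filter name is arbitrary.

```xml
<!-- Added example: WEB-INF/web.xml fragment for Tomcat 7.
     192.0.2.10 is a placeholder; replace it with the Apache proxy's address. -->
<filter>
  <filter-name>RemoteIpFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>

  <!-- Regular expression matched against the TCP peer address. The
       forwarded headers are applied only when the peer matches, so keep
       this as narrow as the real proxy address. A catch-all pattern such
       as ".*" would let any client that can reach port 8080 choose its
       own remote address and scheme. -->
  <init-param>
    <param-name>internalProxies</param-name>
    <param-value>192\.0\.2\.10</param-value>
  </init-param>

  <!-- Header carrying the original client IP (added by mod_proxy). -->
  <init-param>
    <param-name>remoteIpHeader</param-name>
    <param-value>x-forwarded-for</param-value>
  </init-param>

  <!-- Header carrying the original scheme; this is the one set with the
       RequestHeader directives on the Apache side. -->
  <init-param>
    <param-name>protocolHeader</param-name>
    <param-value>x-forwarded-proto</param-value>
  </init-param>
  <init-param>
    <param-name>protocolHeaderHttpsValue</param-name>
    <param-value>https</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>RemoteIpFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Because the Apache directives use "RequestHeader set", any X-Forwarded-Proto value supplied by the client is overwritten at the proxy; the backend port should still be reachable only from the proxy so that nothing can bypass it.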