Unless I'm misunderstanding, I don't think this would apply since all SSL is being handled at the load balancer, correct? I apologize, I think I introduced that confusion at the beginning.
--Michael

On Sep 19, 2011, at 9:52 AM, Martin Strand wrote:

> Typically, when SSL is offloaded to an Apache proxy, that proxy should add a
> number of X-Forwarded-* headers to any requests sent to the backend.
> The servlet container then uses those headers to set up request.scheme,
> request.secure, request.remoteAddr, etc so that they match the original
> request sent to the proxy.
>
> With Jetty, all you have to do to support this is set forwarded=true on the
> connector in question.
> I haven't used Tomcat for a long time, but this page seems to have the info
> you need:
> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Basic_configuration_to_handle_'x-forwarded-for'_and_'x-forwarded-proto'
>
> On the Apache side, mod_proxy automatically adds these headers:
> X-Forwarded-For (original IP)
> X-Forwarded-Host (original Host header)
> X-Forwarded-Server (proxy IP)
> ( see http://httpd.apache.org/docs/current/mod/mod_proxy.html#x-headers )
>
> But you need to add X-Forwarded-Proto manually, using mod_headers:
> RequestHeader set X-Forwarded-Proto https env=HTTPS
> RequestHeader set X-Forwarded-Proto http env=!HTTPS
>
> Once this is done, and Tomcat is configured to take these headers into
> account, you won't need to fiddle around with any BaseURLSource since the
> webapp will be able to get all the info it needs directly from the Request
> object.
>
> If you happen to be using an old version of Jetty or Tomcat, where there is
> no support for X-Forwarded-* headers, you can use this servlet filter instead:
> http://code.google.com/p/xebia-france/wiki/XForwardedFilter
>
> Martin
>
> On Mon, 19 Sep 2011 16:29:17 +0200, Michael Molloy <tapestrya...@gmail.com>
> wrote:
>
>> Unfortunately, the Apache expert is no longer here. Does the following code
>> from my tomcat server.xml file answer your question? I don't think we're
>> using AJP or anything else. It looks to me like the Apache server is just
>> sending it to Tomcat over port 8080.
>>
>> <Connector port="8080" maxHttpHeaderSize="8192"
>> maxThreads="350" minSpareThreads="25" maxSpareThreads="75"
>> enableLookups="false" redirectPort="8443" acceptCount="100"
>> connectionTimeout="20000" disableUploadTimeout="true" >
>>
>> <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>> allow="xxxxxxxxxxxx" deny=""/>
>>
>> </Connector>
>>
>> The corresponding line from the apache httpd.conf file is
>>
>> BalancerMember http://xxx.xxx.xxx.xxx:8080 loadfactor=50 route=APP01
>> timeout=60
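
The Tomcat side of what Martin describes, as an added example that is not part of the original thread or anyone's actual configuration: a `RemoteIpValve` that honours `X-Forwarded-For` and `X-Forwarded-Proto` only when the connection comes from the proxy. The address 192.0.2.10 is a constructed placeholder for the Apache proxy, and a Tomcat version that ships `RemoteIpValve` is assumed.

```xml
<!-- Added example: goes inside <Engine> or <Host> in server.xml. -->
<!-- 192.0.2.10 is a constructed placeholder for the Apache proxy address. -->

<!-- Declared first, so it still sees the TCP peer address and rejects
     anything that did not come through the proxy. -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="192\.0\.2\.10" />

<!-- Declared second: rewrites remoteAddr, scheme and secure from the
     forwarded headers, but only for requests whose peer matches
     internalProxies. Headers from any other peer are ignored. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="192\.0\.2\.10"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https" />

<!-- Weak variant to avoid: internalProxies=".*" accepts the headers from
     any peer, so a client that can reach port 8080 directly chooses its
     own remoteAddr and scheme. -->
```

On the Apache side, `RequestHeader set` (rather than `add`) replaces any `X-Forwarded-Proto` value the client sent, so Tomcat only sees the value the proxy wrote.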