Actually, there is no need to configure SSL on both Apache and Tomcat. Just one side is okay: Apache or Tomcat.

On 2012-9-28 2:01 PM, "Martin Gainty" <mgai...@hotmail.com> wrote:
> you'll need to configure Apache mod_ssl to implement either Basic or
> SSLRequire authentication
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients
>
> with regards to external hosts i would suggest you deny all and allow
> secure access to only the TC host to the secure folder of apache
>
> Good luck,
> Martin
> ______________________________________________
> Please do not alter or interrupt this communication. Thanks
>
> > From: joan....@gmail.com
> > Date: Fri, 28 Sep 2012 13:20:05 +0200
> > Subject: Security issue regarding JSESSIONID cookie
> > To: users@tomcat.apache.org
> >
> > Hi,
> >
> > I have a security issue (session hijacking) with the JSESSIONID cookie.
> >
> > Here is the problem:
> >
> > I am using an architecture with an Apache2 server in front of Tomcat. I
> > have configured SSL on both sides, Apache (ssl_module) and
> > Tomcat (JSSE connectors).
> >
> > 1) I tried using a connection via the AJP protocol between Apache2
> > and Tomcat, using the following configuration in server.xml:
> >
> > APACHE (httpd)
> > via HTTP/HTTPS
> > <VirtualHost *:80>
> > ProxyPass / http://localhost:8080/
> > ProxyPassReverse / http://localhost:8080/
> > </VirtualHost>
> >
> > via AJP
> > <VirtualHost *:80>
> > ProxyPass / ajp://localhost:8009/
> > ProxyPassReverse / ajp://localhost:8009/
> > </VirtualHost>
> >
> > <VirtualHost *:443>
> > ServerAdmin ad...@mail.com
> > ServerName localhost:443
> > SSLProxyEngine on
> > SSLEngine on
> > SSLCertificateFile "c:/usr/SSL/name.crt"
> > SSLCertificateKeyFile "c:/usr/SSL/name.key"
> > ProxyPass / https://localhost:8443/
> > ProxyPassReverse / https://localhost:8443/
> > </VirtualHost>
> >
> > Tomcat (server.xml)
> >
> > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> > protocol="HTTP/1.1" redirectPort="8443" secure="true"/>
> > <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3"
> > redirectPort="8443" scheme="https" secure="true"/>
> >
> > Results for this solution:
> > I can still get the JSESSIONID cookie.
> >
> > 2) I tried using the HTTP/S protocol between Apache2 and
> > Tomcat, using the following configuration:
> >
> > Apache:
> > Same configuration
> >
> > Tomcat (server.xml):
> >
> > <Connector URIEncoding="UTF-8" connectionTimeout="20000" port="8080"
> > protocol="HTTP/1.1" redirectPort="8443"/>
> >
> > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> > maxThreads="150" scheme="https" secure="true"
> > keystoreFile="path/name.keystore" keystorePass="password"
> > clientAuth="false" sslProtocol="TLS" />
> >
> > I also added this to web.xml:
> >
> > <session-config>
> > <session-timeout>30</session-timeout>
> > <tracking-mode>SSL</tracking-mode>
> > </session-config>
> >
> > Results for this solution:
> >
> > The JSESSIONID cookie disappears, OK.
> > Everything works OK if I access Tomcat directly and bypass
> > Apache (localhost:8443): I can log in to the web page and keep the
> > session on every link inside the app.
> >
> > But when I try to access through Apache over https on port 443
> > (https://localhost:443), I can log in the first time, but
> > when I try to access somewhere else in the app I lose the user session and
> > the app logs me out. I checked the logs and there are no errors, neither
> > in Apache nor in Tomcat.
> >
> > So, is this solution implementable under this architecture?
> > Am I missing some configuration?
> >
> > Thanks and regards,
> > Joan Morales
>
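A small audit helper for the cookie-tracking setup discussed in the thread, added here as an example rather than anything posted by Joan or Martin: it checks whether an issued JSESSIONID carries the Secure and HttpOnly attributes and whether a follow-up response issued a different session id (the "logged out on the next page" symptom). All Set-Cookie headers below are constructed samples, not captured from the thread's servers.

```python
# Constructed Set-Cookie headers, modelled on what a Tomcat HTTPS connector
# returns under cookie tracking; they were not captured from the thread's setup.
HARDENED_LOGIN = [
    "JSESSIONID=1A2B3C4D5E6F7A8B; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]
WEAK_LOGIN = ["JSESSIONID=1A2B3C4D5E6F7A8B; Path=/"]
# Follow-up page issuing a different JSESSIONID: a new session was created, so the login state was lost.
NEXT_PAGE_NEW_SESSION = ["JSESSIONID=9F8E7D6C5B4A3C2D; Path=/; Secure; HttpOnly"]
NEXT_PAGE_SAME_SESSION = []  # no Set-Cookie at all: the existing session was reused

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags map to True
    return name.strip(), value.strip(), attrs

def session_cookie(headers, name="JSESSIONID"):
    """Return (value, attrs) for the session cookie, or None if none was issued."""
    for header in headers:
        cname, value, attrs = parse_set_cookie(header)
        if cname == name:
            return value, attrs
    return None

def audit_session_cookie(headers):
    """List hardening gaps in the issued session cookie (empty list = fine). Returns None
    when no cookie was issued, which is expected under <tracking-mode>SSL</tracking-mode>."""
    found = session_cookie(headers)
    if found is None:
        return None
    _, attrs = found
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser would also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by scripts running on the page")
    return findings

def session_lost(login_headers, next_headers):
    """True if the follow-up response issued a new session id after login."""
    first = session_cookie(login_headers)
    second = session_cookie(next_headers)
    return first is not None and second is not None and first[0] != second[0]
```

Under SSL tracking mode no cookie exists to audit, so only session_lost applies when comparing two responses; a None from audit_session_cookie is the expected result there.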