Bob,

On 12/18/12 8:48 PM, Bob Myers wrote:
> Some particular apps require HTTPS, so we use (in the web.xml for
> that webapp)
>
> <transport-guarantee>confidential</transport-guarantee>
>
> Then if the app is accessed by HTTP (Apache port 80), and is
> routed (AJP) to the insecure Tomcat app on 8009, it is redirected
> to port 443 (redirectPort=443) for HTTPS instead, and Apache passes
> 443/HTTPS traffic to Tomcat port 8019. Tomcat handles this well
> with the Connectors using redirectPort and the
> secure=true/scheme=https parameters.
>
> What do you mean, why bother?

I mean that AJP propagates SSL information from the reverse proxy, so
there is no need to have separate AJP connectors: a single connector
will handle both HTTPS and HTTP connections via Apache httpd. The AJP
connector sets the appropriate flags in the request, etc. so that your
application can see if the (original) request is secure or not.

(Of course, unless you have made arrangements for secure AJP
communication, all AJP communication is insecure regardless of the
original protocol used between the client and the reverse proxy).

-chris
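
The SSL information mentioned above travels in the AJP13 Forward Request as two plain fields, server_port and is_ssl. The following is an added example, not part of the original message: a small parser run over two constructed packets (addresses and host names are made up) showing the same request arriving on one connector once as HTTP and once as HTTPS. Both fields are sent unencrypted and are set by whoever speaks AJP to the connector.

```python
import struct

def _put_str(s):
    # AJP13 string: 2-byte big-endian length, the bytes, then a NUL terminator.
    b = s.encode("ascii")
    return struct.pack(">H", len(b)) + b + b"\x00"

def build_forward_request(uri, server_name, server_port, is_ssl):
    """Constructed sample: minimal Forward Request (GET, no headers)."""
    body = bytes([0x02, 0x02])          # prefix 2 = Forward Request, method 2 = GET
    body += _put_str("HTTP/1.1") + _put_str(uri)
    body += _put_str("192.0.2.10") + _put_str("client.example")  # remote_addr, remote_host
    body += _put_str(server_name)
    body += struct.pack(">HB", server_port, int(is_ssl))         # server_port, is_ssl
    body += struct.pack(">H", 0) + b"\xff"                       # num_headers = 0, terminator
    return b"\x12\x34" + struct.pack(">H", len(body)) + body     # magic + payload length

def _get_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:                     # length 0xFFFF encodes a null string
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("ascii"), pos + 2 + n + 1

def parse_forward_request(pkt):
    """Return the request-line fields plus server_port and is_ssl."""
    magic, length = struct.unpack_from(">HH", pkt, 0)
    if magic != 0x1234 or length != len(pkt) - 4 or pkt[4] != 0x02:
        raise ValueError("not a well-formed AJP13 Forward Request")
    pos = 6                             # magic(2) + length(2) + prefix(1) + method(1)
    fields = {}
    for name in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
        fields[name], pos = _get_str(pkt, pos)
    fields["server_port"], ssl = struct.unpack_from(">HB", pkt, pos)
    fields["is_ssl"] = bool(ssl)
    return fields

def demo():
    # The same URI forwarded by httpd from its port 80 and port 443 virtual hosts.
    plain = build_forward_request("/app/", "www.example.com", 80, False)
    tls = build_forward_request("/app/", "www.example.com", 443, True)
    return parse_forward_request(plain), parse_forward_request(tls)

if __name__ == "__main__":
    for f in demo():
        print(f["req_uri"], f["server_port"], "is_ssl =", f["is_ssl"])
```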