Does the IIS isapi_redirect.dll support encrypting AJP13 traffic? We are setting up IIS 7.5 talking to GlassFish 3.1.2.2 using the 1.2.37 isapi_redirect.dll. We have everything working with HTTPS/SSL coming into IIS and passing through to GlassFish using unencrypted AJP13, but want to also encrypt the traffic between IIS and GlassFish. There is GlassFish documentation for enabling SSL between Apache and GlassFish using mod_jk, and it involves setting some mod_jk settings (in addition to some settings in GlassFish to enable SSL on that end). I’ve made the changes to GlassFish to enable SSL on the passthrough port, but can’t find any settings for isapi_redirect that would indicate using SSL. The GlassFish documentation for using SSL with mod_jk involved some settings like “JkExtractSSL On” and “JkHTTPSIndicator HTTPS”, but there is nothing like that available for the isapi_redirect configuration. I can access the site fine using the built-in GlassFish HTTPS/SSL port 8181, but I’m getting a 502 error when trying to do the IIS passthrough to the SSL-enabled AJP13 port in GlassFish. Following is what I’m seeing in the isapi_redirect log file:
[Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (732): About to shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (803): shutting down the read side of socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] [Thu May 30 17:51:44.219 2013] [224:1172] [debug] jk_shutdown_socket::jk_connect.c (814): Shutdown socket 1300 [127.0.0.1:61402 -> 127.0.0.1:8009] and read 0 lingering bytes in 0 sec. [Thu May 30 17:51:44.219 2013] [224:1172] [info] ajp_connection_tcp_get_message::jk_ajp_common.c (1259): (worker1) can't receive the response header message from tomcat, tomcat (127.0.0.1:8009) has forced a connection close for socket 1300 [Thu May 30 17:51:44.219 2013] [224:1172] [error] ajp_get_reply::jk_ajp_common.c (2126): (worker1) Tomcat is down or refused connection. No response has been sent to the client (yet) Is encrypting the AJP13 traffic possible with isapi_redirect.dll and I just don’t have something configured properly, or am I trying to do something that isn’t supported natively? I saw some old posts about needing to use other methods to encrypt the traffic, like VPNs or IPSEC, but they also indicated that something was in the works to support this natively. Thanks, Jonathan ________________________________ This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Exelis Inc. The recipient should check this e-mail and any attachments for the presence of viruses. Exelis Inc. accepts no liability for any damage caused by any virus transmitted by this e-mail.
