-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Jesse,
On 12/11/14 2:42 PM, Jesse Barnum wrote: > I should have mentioned in my original post - IIS receives both > HTTP as well as HTTPS requests. Both types of requests are proxied > to a single HTTP connector in Tomcat. > > Is the only option to create two separate HTTP connectors on two > different ports, set the secure attribute to true on one of them, > and then configure ARR to send to HTTPS requests to the secure > one? That's exactly what we do in our load-balanced setups: a separate port for each. Note that if you use an <Executor>, there is very little overhead to maintaining two separate connectors, one for each port: they can both share a thread pool (which is what Tomcat calls an <Executor>). > It seems like there should be a simpler solution. Could we instead > configure ARR to include some header that Tomcat would recognize? When using mod_jk from Apache httpd and the AJP13 protocol, this information is transmitted in the way you describe (the SSL information is transmitted to Tomcat in a format that is not easy to forge -- like it would be if it were part of an HTTP header). I've never used the ISAPI redirector, but I think mod_jk supports IIS and might be able to provide this information in a similar way. Reading the Tomcat IIS reference, it doesn't say anything about SSL, so I'm not entirely sure. Hope that helps, - -chris > >> On Dec 11, 2014, at 2:18 PM, Mark Thomas <ma...@apache.org> >> wrote: >> >> On 11/12/2014 19:12, Jesse Barnum wrote: >>> I have IIS 7 running with an SSL certificate. It receives >>> HTTPS requests, and using ARR, it proxies them over HTTP to >>> Tomcat. This works fine. >>> >>> The problem is that when we call >>> HttpServletRequest.isSecure(), it returns false. This makes >>> sense, since the request to tomcat is HTTP, but it’s not >>> correct from the user’s standpoint, who is using HTTPS. >>> >>> Is there a recommended way to configure ARR with Tomcat so >>> that the original HTTPS protocol can be recognized by Tomcat? >> >> Set the secure attribute on the connector to "true" but make >> sure you only proxy requests originally received over HTTPS to >> it. >> >> Mark > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUihDEAAoJEBzwKT+lPKRY9C0P/1h6MKBx7AN64/0APisjKeya NaeM2Ekvbb7vH+gDcWBcWxkWKu6DKZuIz7/8GIv/obq1UwoOCTlgcjRJNrQU6CEi DS6ZQoq5eGvW/X8oXUQdbj0a8LKxdWcZnqxCL8mwm2KzAAQbnfgsAhv+zeI26PnV w1fOCKKRmYsrnox5Vsomat2SbR1E1oXspmv2RhfcgxelCvhc24n4nt6T6N7mwOqP rbYF43lxLCIVzMMTYEnrBLIw1S25bLBbOrBkbwWQQiy8IqmyBasyGvGtdKtxHVvw ADjwR+Jjx0kxUkcN2Z9s1NTyE9YaUK2VyCqFcek61feyVgcY3RvVHfd3N7RHwW+S Ns0GGZPFUjgwYNURjJJ2WzMKAEusD0wvvz0qGLh/KfOVLru8hr6mciEHiR3Obwhm cykK7hQRf94dA5vykr3SUwplU4pOAqQJPQiWrMVwkJMUyg0IgjXmDwL2xOEIRPmZ dfU+KIcREQZKkSGhRGwCQ5edNWgi44cFKXnyhSM9qcWA9T4pB9it85sOEbCALBuw GVurHspeO43bRIfELLRQpxnfUPk+LFC/ELyPQ6Auem/vGBu19WqbWYdc6KTXxd7I FKMWutL/zSBN+s1vgbiMEmX25s6S0B+Dn6gra7duEGXK3ZKDQIAxKqUMBoX6WsZd 56zH63Y21oDdf68s5sYZ =aAun -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
