> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Thursday, June 18, 2015 8:59 AM
> To: Tomcat Users List
> Subject: Re: Settings when SSL terminates on the front-end
>
> Jeffrey,
>
> On 6/17/15 2:08 PM, Jeffrey Janner wrote:
> > I’ve been deploying letting Tomcat do it all when it came to
> > connectors and SSL, with the app forcing everything to SSL in the
> > <security-constraints> section. Now I’m setting up a haproxy
> > front-end that will both terminate the SSL and take care of the
> > redirect from HTTP to HTTPS for me, and Tomcat only running a
> > standard HTTP port on 8080.
> >
> > So my question is, is it still important for the app to know that
> > it's operating “secure”, and if so, what settings are a must?
>
> I would say that Tomcat knowing that it's in "secure" mode is
> important, if for no other reason than the URLs your webapp generates
> ought to be sensitive to the protocol being used.
> > Here is the old setup:
> >
> > SERVER.XML:
> >
> > <Service name="Catalina">
> >
> > <Connector address="${IP_ADDRESS}" port="80"
> >   maxHttpHeaderSize="8192"
> >   maxThreads="50" enableLookups="false" redirectPort="443"
> >   acceptCount="100"
> >   connectionTimeout="20000" disableUploadTimeout="true"
> >   compression="on"
> >   compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
> > />
> >
> > <Connector address="${IP_ADDRESS}" port="443"
> >   maxHttpHeaderSize="8192"
> >   maxThreads="150" enableLookups="false" acceptCount="100"
> >   connectionTimeout="20000" disableUploadTimeout="true"
> >   compression="on"
> >   compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
> >   scheme="https" secure="true" SSLEnabled="true"
>
> If you are still going to connect haproxy -> Tomcat using port 443,
> then this configuration should still work. Tomcat will be in "secure"
> mode, but you won't have access to the original SSL information, at
> least not directly in the usual ways.
>
> > Here is the new setup:
> >
> > SERVER.XML:
> >
> > <Service name="Catalina">
> >
> > <Connector port="${tomcatPort}" protocol="HTTP/1.1"
> >   connectionTimeout="20000"
> >   redirectPort="8443" />
>
> You should probably set protocol="https" and secure="true". You don't
> need redirectPort if this is the connector that handles incoming
> connections from haproxy.
>
Thanks for the commentary, Chris. Just one thing: the proxy <--> Tomcat connection is expected to be HTTP (8080), not HTTPS. From paying attention over the years, I think I'm supposed to set secure="true" on the one and only HTTP connector in the current setup. That is what I am looking for verification of.

Jeff
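As an added example (not from the thread or the Tomcat project), here is a server.xml fragment for the setup Jeff describes: haproxy terminates TLS on 443 and forwards plain HTTP to Tomcat on 8080. It goes a step beyond the thread by also showing the RemoteIpValve alternative, which derives the scheme per request from an X-Forwarded-Proto header; the haproxy address 10.0.0.5 and that header name are assumptions.

```xml
<!-- Added example, not from the thread. Assumes haproxy (placeholder
     address 10.0.0.5) listens on 443, sends plain HTTP to Tomcat on 8080,
     and (for the valve option) sets X-Forwarded-Proto on every request. -->
<Service name="Catalina">

  <!-- Plain HTTP connector that only haproxy should be able to reach
       (restrict 8080 to the proxy at the network level).
       Option 1: scheme/secure are static. Every request is treated as
       already protected, so request.isSecure() is true, CONFIDENTIAL
       transport-guarantee constraints do not redirect in a loop, and
       generated absolute URLs use https and proxyPort instead of 8080.
       Correct only if haproxy forces all traffic to HTTPS, as here.
       redirectPort is intentionally absent: there is no HTTPS connector
       in Tomcat to redirect to. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             scheme="https" secure="true"
             proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Option 2: instead of hard-coding secure="true", let the valve set
         scheme/secure/serverPort from the header haproxy sets, e.g.
         http-request set-header X-Forwarded-Proto https if { ssl_fc }
         Use this if the proxy ever passes through plain HTTP as well.
         internalProxies (a regex) limits which upstream addresses may
         assert these headers, so a client that reaches 8080 directly
         cannot make its request look like HTTPS. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.5"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

Pick one of the two options rather than relying on both; with option 1 the valve is unnecessary, and with option 2 the connector should omit scheme and secure so the header decides.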