Hi,

I'm using RHEL5.5 (Up-to-date)
Apache httpd-2.2.3 (from RHEL) with mod_proxy/mod_proxy_ajp
Tomcat 6.0.28 (binary distribution from apache).
Tomcat native libs (1.1.20, compiled)

I have a question regarding AJP connectors and SSL.

Our application is being SSL offloaded at the HTTPD server end so communication
with Tomcat doesn't need to be encrypted.

I have two virtual hosts configured in Apache HTTPD (one for :80, one for :443)
with the application being proxied in both virtual hosts.

My question is, in the Tomcat server.xml, do I require _two_ AJP connectors as 
follows:

(executor omitted for simplicity)

    <!-- AJP connector pair (HTTP and fake HTTPS), proxied -->
    <Connector executor="tomcatThreadPool"
               enableLookups="false"
               port="8009" protocol="org.apache.coyote.ajp.AjpAprProtocol" 
               redirectPort="8010" 
               proxyPort="80" />

    <Connector executor="tomcatThreadPool"
               enableLookups="false"
               port="8010" protocol="org.apache.coyote.ajp.AjpAprProtocol" 
               scheme="https" secure="true" 
               proxyPort="443" />

Or can I proxy both HTTP and HTTPS requests to the same AJP connector and have
Tomcat correctly recognise when it's SSL and return the correct port to the
application so URLs are constructed properly? If I do this, is there any
special configuration needed in the SSL vhost?

Essentially I'm wondering if I can do this:

<VirtualHost _default_:80>
        # ... snip ...
        ProxyPass        /examples/ ajp://tomcat:8009/examples/
        ProxyPassReverse /examples/ ajp://tomcat:8009/examples/
</VirtualHost>

<VirtualHost _default_:443>
        SSLEngine on
        # ... snipped ssl config ...

        ProxyPass        /examples/ ajp://tomcat:8009/examples/
        ProxyPassReverse /examples/ ajp://tomcat:8009/examples/
        # Note the AJP port above is the same as the one in the port 80 vhost
</VirtualHost>

Rather than this:

Port 80 vhost identical to above.
Port 443 vhost as follows:

<VirtualHost _default_:443>
        SSLEngine on
        # ... snipped ssl config ...

        ProxyPass        /examples/ ajp://tomcat:8010/examples/
        ProxyPassReverse /examples/ ajp://tomcat:8010/examples/
        # Note the AJP port is different to that in the port 80 vhost
</VirtualHost>

Any advice appreciated,

Thanks,

Best Regards,

Brett Delle Grazie

