Al,

On 5/27/12 2:43 PM, al so wrote:
> I've used standalone Tomcat to serve as web server+SSL+web
> container in the past.
> 
> Now, I am trying to front Tomcat with Apache reverse proxy+SSL.
> 
> 1. Is it not redundant to configure the SSL in the Tomcat as well
> when the fronting reverse proxy is already configured to handle
> SSL? I see a lot of posts on the internet which configure SSL at both
> Tomcat and Reverse proxy. Am I missing something?

The real question is whether or not you need to protect the
communication between httpd and Tomcat. If you are on a trusted
network, then you probably don't need any kind of SSL between the two,
and it would be redundant to configure Tomcat to handle SSL and have
the proxy re-negotiate an SSL connection with it.

On the other hand, if you are communicating across an untrusted
network, then you probably do want to encrypt the communication. One
way of doing that is by using something like mod_proxy_http and just
making sure that you use an https:// URL for the backend. If you want
to use AJP, you'll have to tunnel it yourself using stunnel, ssh, a
VPN which provides similar behavior, or some similar external tool
because AJP itself does not support any kind of encryption.

-chris

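The two cases discussed in the reply above, sketched as an httpd virtual host. This is an added example, not part of the original message; every hostname, port and file path is a placeholder, and the backend-verification directives are an addition beyond what the reply mentions.

```apache
# Added example: hostnames, ports and file paths are placeholders.
# Needs mod_ssl, mod_proxy and mod_proxy_http (mod_proxy_ajp for option A).
<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing TLS terminates here, at httpd.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Option A: httpd and Tomcat share a trusted network.
    # The hop to Tomcat is cleartext, so Tomcat needs no SSL connector.
    # AJP has no encryption of its own; use this only on a trusted
    # segment or inside an external tunnel (stunnel, ssh, VPN).
    # ProxyPass / ajp://tomcat.internal.example:8009/

    # Option B: the hop to Tomcat crosses an untrusted network.
    # httpd opens a second TLS connection to Tomcat's SSL connector
    # simply because the backend URL is https://.
    SSLProxyEngine on

    # Without these, the backend hop is encrypted but the backend is
    # not authenticated, so a host on the path could impersonate Tomcat.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.crt
    SSLProxyCheckPeerExpire on
    # SSLProxyCheckPeerName is available in httpd 2.4.5 and later.
    SSLProxyCheckPeerName on

    ProxyPass        / https://tomcat.backend.example:8443/
    ProxyPassReverse / https://tomcat.backend.example:8443/
</VirtualHost>
```

Enable only one of the two options; with option B the Tomcat certificate must chain to the CA file named above and carry the backend hostname.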