
Tomcat behind Apache and SSL

I have been looking everywhere but cannot find a clear solution for the following situation:

We have a web application (Grails + Spring Security) that is running in tomcat, behind apache. Part of the application needs to run on https, so using Spring Security Channel Security, whenever you navigate to a part of the application that is secure, Spring will redirect you to https with a 302 status code.

Now, tomcat is set up to know about the https and certificates, so it knows how to handle the ssl. In fact, when side-stepping apache by going directly to the url and port to hit tomcat directly, everything works 100%.

The problem now comes in when putting apache in front of tomcat. The apache config that we have at the moment works fine for the non-secure parts of the application. We are using mod_jk to proxy apache and tomcat.

However, as soon as you try to go to a secure part of the application, Spring will redirect you, it will hit the

<VirtualHost _default_:443> ... </VirtualHost>

part of the apache config... and this is where the problem starts.

From what I have read, it is possible for apache, via mod_jk, to pass off the ssl handling to tomcat. But we cannot seem to get the configuration for this correct. Since tomcat is already set up for the ssl, it knows where the certificates are, and Spring Security is set up, we would like tomcat to handle all the ssl, and apache merely to pawn it off to tomcat.

Is this at all possible, or am I missing something? Does anyone have some clear instruction as to how to set this up? Any help will be greatly appreciated.

We are using Apache 2.2 and tomcat 7.0.27

Thanks

Nico Huysamen asked Apr 06 '12 09:04




1 Answer

You can't just relay the SSL/TLS traffic to Tomcat from Apache. Either your SSL connection ends at Apache, and then you should reverse proxy the traffic to Tomcat (SSL is rarely useful in this case), or you make the clients connect to Tomcat directly and let it handle the SSL connection.

I'm not sure where you've read that mod_jk can pass on the SSL connection itself to Tomcat. It would need to relay the socket directly, therefore bypassing the AJP protocol used by mod_jk (by the way mod_proxy_ajp is the new way, or even mod_proxy_http).

I'm not sure why you would want Apache to be in front of Tomcat if you want Tomcat to handle the SSL requests anyway. If this has to do with port numbers or something, use a firewall rule to forward port 443 to the Tomcat port.

In addition, be cautious about the way these automatic redirections from HTTP to HTTPS are done: they only happen after the initial HTTP request has been made.

Bruno answered Oct 07 '22 22:10
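
The first option from the answer above (the SSL connection ends at Apache and the traffic is reverse proxied to Tomcat), written out as an Apache 2.2 configuration using mod_proxy_ajp. This is an added example, not part of the original question or answer; the host name, the certificate paths and the AJP address 127.0.0.1:8009 are placeholder assumptions.

```apache
# Added example: TLS terminates at Apache, Tomcat only receives AJP.
# Assumed placeholders: www.example.com, the certificate paths,
# and a Tomcat AJP connector listening on 127.0.0.1:8009.
# Requires mod_ssl, mod_proxy and mod_proxy_ajp to be loaded.

# Plain HTTP: the non-secure parts of the application.
<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests Off
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>

# HTTPS: Apache holds the certificate and key, not Tomcat.
<VirtualHost _default_:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    ProxyRequests Off
    # Same AJP backend as port 80. AJP carries the original scheme and
    # port, so Tomcat reports these requests as secure even though the
    # hop between Apache and Tomcat is not encrypted.
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>

# On the Tomcat side, bind the AJP connector to the loopback address so
# that it is reachable only from this Apache instance, and leave Tomcat's
# own HTTPS connector unexposed if Apache is the only entry point.
```

Because the AJP request tells Tomcat that the client connection was HTTPS, `request.isSecure()` returns true for requests arriving through the 443 virtual host, so the Spring Security channel check is satisfied there and the 302 to https is only issued for requests that came in on port 80.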