3 Replies Latest reply on Jun 26, 2006 9:51 AM by Tim

    AJP, Apache, Tomcat SSL question

    Scott Jones Newbie

      I was doing research on AJP to get an apache server in our DMZ talking to JBoss/Tomcat in our internal network. We have had this going but need it over SSL.

      I came across an interesting item when reading about AJP 1.3 protocol

      ?According to email from Gal Shachor to the jakarta-dev mailing list, the original goals of JK (and thus ajp13) were to extend mod_jserv and ajp12 by (I am only including the goals which relate to communication between the web server and the servlet container):

      · Increasing performance (speed, specifically).

      · Adding support for SSL, so that isSecure() and getScheme() will function correctly within the servlet container. The client certificates and cipher suite will be available to servlets as request attributes. ?


      I then looked at the jbossweb.sar\server.xml file
      <!-- A AJP 1.3 Connector on port 8009 -->
       <Connector port="8009" address="${jboss.bind.address}"
       emptySessionPath="true" enableLookups="false" redirectPort="8443"
       protocol="AJP/1.3"/>
      
       <!-- SSL/TLS Connector configuration using the admin devl guide keystore
       <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
       emptySessionPath="true"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
       keystorePass="rmi+ssl" sslProtocol = "TLS" />
       -->


      So is ModJK, AJP 1.3 protocol utilzing SSL out of the box?
      Any help would be great.

      Scott

        • 2. Re: AJP, Apache, Tomcat SSL question
          Jimmy Wilson Apprentice

           

          "acxsjones" wrote:
          Any help?


          Given this verbage on the Tomcat AJP connector configuration site for the aforementioned attribute, I would guess that this redirect just allows for conversion to HTTPS. I have used the same security constraint to require the redirect of HTTP traffic to HTTPS.

          If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.


          So, to answer your question, the redirect attribute has nothing to do with AJP per se. Given that, I would assume that there is no AJP+SSL "out of the box".

          • 3. Re: AJP, Apache, Tomcat SSL question
            Tim Newbie

            Hi,

            I am looking to set up my application so that Apache handles the SSL and Tomcat uses AJP to comunicate the data. I need away for requests to HTTP to be redirected to HTTPS to stop the user from accidentally using an insecure pipe. Did you find any helpfull links when you looked into your problem?

            Many thanks,
            Tim