digerata
09-22-2008, 05:59 AM
Here is my second, much more difficult problem. Our application is laid out like so:
INSSL -> HALB -> Apache/Tomcat
Our certificate is installed on the INSSL appliance. Everything works great when accessing the application using https://. The problem is when we turn on checks in the application that ensure it runs over HTTPS. We have some rules that ensure if a user comes in over http://, the connection is switched to https://. These are:
- Specific URLs are run as only https... (/login, etc.)
- If a user is on a free plan, they are forced back to http for any other URLs
- If a user is on a paying plan, and they have chosen to use https, they are forced onto https.
The problem here is that both Apache and Tomcat never see the https request because INSSL decrypts and sends it out over port 80. I was surprised to even see that request URLs actually are always http:// on Tomcat regardless of whether the request was http:// or https://.
This type of problem has been solved in a very Apache/Tomcat-specific way in the past. Two virtual hosts are set up on Apache, one for SSL, one for non-SSL. Matching connectors are set up in Tomcat, one for SSL, one for non-SSL. The SSL connector is marked as secure and that allows the application to see it as secure (even though it actually was decrypted by Apache).
Of course, that won't work in this case because Apache is never seeing the SSL requests.
I've hit a wall on this one. Any ideas?
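The behaviour described in this post, modelled as an added example (not code from the poster, INSSL, Apache or Tomcat): it applies the three redirect rules to the scheme the backend observes and follows the redirects a client would receive, with and without TLS offload in front. Function names, the `/reports` path and the handling of paid users who did not opt in are assumptions.

```python
# Added illustration; names are hypothetical and all inputs are constructed.
HTTPS_ONLY = ("/login",)  # the post says "/login, etc"; only /login is named

def required_scheme(path, plan, wants_https):
    """Scheme the application's rules demand, or None if either is acceptable."""
    if path.startswith(HTTPS_ONLY):
        return "https"
    if plan == "free":
        return "http"
    if plan == "paid" and wants_https:
        return "https"
    return None  # assumption: paid users who did not opt in are left alone

def backend_view(client_scheme, tls_offloaded):
    """Scheme the backend observes for a request the client sent."""
    # With offload, the appliance decrypts and forwards on port 80,
    # so the backend sees http whatever the client actually used.
    return "http" if tls_offloaded else client_scheme

def follow_redirects(client_scheme, path, plan, wants_https, tls_offloaded, max_hops=5):
    """Return (outcome, redirects followed, scheme the client ends up on)."""
    for hop in range(max_hops):
        seen = backend_view(client_scheme, tls_offloaded)
        want = required_scheme(path, plan, wants_https)
        if want is None or want == seen:
            return "served", hop, client_scheme
        client_scheme = want  # client follows the redirect to the other scheme
    return "redirect loop", max_hops, client_scheme

def compare(path, plan, wants_https, client_scheme):
    """Same request with the backend seeing the real scheme vs. behind offload."""
    return {
        "real scheme": follow_redirects(client_scheme, path, plan, wants_https, False),
        "offloaded": follow_redirects(client_scheme, path, plan, wants_https, True),
    }

if __name__ == "__main__":
    cases = [
        ("/login", "free", False, "http"),    # HTTPS-only URL
        ("/reports", "paid", True, "http"),   # paying user who chose https
        ("/reports", "free", False, "https"), # free user arriving over https
    ]
    for case in cases:
        print(case, compare(*case))
```

Behind the offload the two "force https" rules never see their condition satisfied, so the client is redirected repeatedly, while the "force http" rule is always satisfied and a free user arriving over https is never sent back.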