用httpd和tomcat实现SSL的问题

Question

In our live env, we have tomcat behind apache. we recently purchased an SSL certificate and installed it on apache.

i want to secure all the communication with https.

What happens is https://{HOST}/{WEBAPP} returns a login page. But after successful login the URL in the browser shows http link again. So next requests are back to http. How do i ensure that all requsts are on https always.

mod_proxy & mod_jk are used in apache config. also following is present in the config:

ProxyPass / http://{localhost}:12004/
ProxyPassReverse / http://{localhost}:12004/
ProxyPreserveHost On

i read lots of articles and questions but none seem to make sense to me for this problem. May be it is due to my little understanding about this config.

please help.

Answer 1

Providing the every request that httpd sends to Tomcat has been received by httpd over SSL then you need to make some adjustments to the HTTP connector in Tomcat. You'll need to set the following attributes:

scheme="https" secure="true" SSLEnabled="false"

The last one isn't strictly necessary but it is better to be explicit. It is worth repeating that this only works if a) all the requests are received via httpd and b) all requests proxied to Tomcat are received via https.

You will need something like the re-write configuration in Sibin Grasic's answer in your http virtual host to redirect the Tomcat traffic to https. Then in your https virtual host you can add you mod_proxy directives.