将SSL处理从Tomcat移到Apache?
[英]Moving ssl handling from Tomcat to Apache?
问题描述
In the organisation I work for we are unable to use Tomcat for SSL, since they have a policy of fronting all authentication by managed Apache instances. 
在我工作的组织中,我们无法将Tomcat用于SSL,因为它们的策略是通过托管Apache实例进行所有身份验证。 In this scenario, mod_ssl is used, in conjunction with mod_jk, with the 'REMOTE_USER' being set to 'SSL_CLIENT_S_DN_CN', per http://httpd.apache.org/docs/trunk/mod/mod_ssl.html . 在这种情况下,根据http://httpd.apache.org/docs/trunk/mod/mod_ssl.html ,将mod_ssl与mod_jk结合使用,并且将'REMOTE_USER'设置为'SSL_CLIENT_S_DN_CN'。
The web application I am dealing (Alfresco) with was designed with the expectation of SSL on the Tomcat container, with a role mapping happening in Tomcat, but I am not sure how to make it work using mod_ssl instead. 我正在处理的Web应用程序(Alfresco)的设计符合Tomcat容器上SSL的期望,并且角色映射发生在Tomcat中,但是我不确定如何使用mod_ssl使其起作用。
From the web.xml , the settings that I am dealing with are: 在web.xml中 ,我正在处理的设置是:
<security-constraint>
<web-resource-collection>
<web-resource-name>SOLR</web-resource-name>
<url-pattern>/wcs/api/solr/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>repoclient</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Repository</realm-name>
</login-config>
<security-role>
<role-name>repoclient</role-name>
</security-role>
Any advice would be appreciated. 任何意见,将不胜感激。 I have looked around to see if there are any tips on how to deal with this, but I haven't had much luck. 我环顾四周,看看是否有任何技巧可以解决这个问题,但是我运气不高。
1 个解决方案
解决方案1
1 2015-03-01 15:49:05
It is no problem to use apache with mod_jk or mod_proxy_ajp as a terminating SSL endpoint. 将Apache与mod_jk或mod_proxy_ajp一起用作终止SSL端点是没有问题的。 Alfresco's tomcat has SSL configured to secure communication between the alfresco repository and the Solr search engine, so you shouldn't touch the tomcat config for 8080 or 8443 not to break the communication for Solr (the ssl certificate is used for authentication - so don't touch it as long you know what you're doing). Alfresco的tomcat已配置SSL,以确保alfresco存储库和Solr搜索引擎之间的通信安全,因此,您不应触摸8080或8443的tomcat配置,以免中断Solr的通信(ssl证书用于身份验证-所以不要只要您知道自己在做什么就可以触摸它)。
In tomcat's server.xml add or comment in a ajp connector instead. 在tomcat的server.xml中,在ajp连接器中添加或注释。 eg 例如
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="1.2.3.4" protocol="AJP/1.3" redirectPort="8443" scheme="https" proxyPort="443" secure="true" URIEncoding="UTF-8" maxThreads="500" maxSavePostSize="-1" />
Additionally it is best practice to add a parameter address="localhost" for the 8080 and 8443 conectors to hide the port from outside the server. 此外,最佳实践是为8080和8443连接器添加参数address =“ localhost”,以隐藏服务器外部的端口。
Here you find how to configure the apache proxy: https://serverfault.com/questions/472491/how-to-set-up-alfresco-share-behind-apache-reverse-proxy 在这里,您可以找到如何配置apache代理: https : //serverfault.com/questions/472491/how-to-set-up-alfresco-share-behind-apache-reverse-proxy
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.