
Re: Forcing HTTPS on login page.: msg#00109

java.jasig.cas.user

Subject: Re: Forcing HTTPS on login page.

We've tried that. Unfortunately, it puts the Apache/Tomcat into a looping re-direct.
There's something amiss with how the Tomcat proxying port is working through
Apache that I can't quite get my head around.

d.

Yale CAS mailing list <cas-c5E7yoNEsvRIM2btvs0Z1A@xxxxxxxxxxxxxxxx> writes:
>Derek,
>
>Why don't you use Apache to handle the redirect (i.e. use a RewriteRule)? It
>is probably easier. On the port 80 configuration just say: if it's /login,
>redirect to the https version of /login.
>
>-Scott
>
>On 12/15/06, Derek Ethier <derek.ethier-X3BpFj9gBI33fQ9qLvQP4Q@xxxxxxxxxxxxxxxx> wrote:
>
>I've been struggling with this for a few days and I'm not any closer to a
>solution. I am currently serving up CAS through Tomcat using mod_jk and Apache
>2.
>
>Everything appears to be configured properly, and the re-direct will work
>(with the settings below); however, it uses the server name as the re-direct
>URL and not the hostname specified in the virtual host settings, the
>defaultHost settings, and the workers.properties file.
>
>So, here's the setup:
>Two virtual hosts, one for 80 and one for 443. Both have the ServerName value
>set to the correct URL. The hosts themselves are set to <url>:80 and <url>:443.
>Both have the following AJP settings:
>JkMount /* ajp13
>
>Only the port 80 host has the following:
>JkAutoAlias /opt/apache-tomcat-5.5.20/webapps
>Include /opt/apache-tomcat-5.5.20/conf/jk/mod_jk.conf-auto
>
>The workers.properties has the same host specified:
>worker.list=ajp13
>worker.ajp13.port=8009
>worker.ajp13.host=<url>
>worker.ajp13.type=ajp13
>
>The server.xml file has the following connectors:
>    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>    <Connector port="8080" maxHttpHeaderSize="8192"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="false" redirectPort="8443" acceptCount="100"
>               connectionTimeout="20000" disableUploadTimeout="true" />
>
>    <Connector port="8443" maxHttpHeaderSize="8192"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="false" disableUploadTimeout="true"
>               acceptCount="100" scheme="https" secure="true"
>               clientAuth="false" sslProtocol="TLS" />
>
>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>    <Connector port="8009"
>               enableLookups="false" redirectPort="443" protocol="AJP/1.3" />
>
>In the web.xml in /cas/WEB-INF I have the following:
>    <security-constraint>
>        <web-resource-collection>
>            <web-resource-name>Automatic SSL Forwarding</web-resource-name>
>            <url-pattern>/*</url-pattern>
>        </web-resource-collection>
>        <user-data-constraint>
>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>        </user-data-constraint>
>    </security-constraint>
>
>Now, the redirect works but, as I said, it doesn't use the <url> as specified
>in the workers.properties and virtual host ServerName. It uses the actual
>server name, which is not the proxied address to the WAN (so it doesn't work
>externally). Something tells me that I may be taking a much longer route than
>necessary to ensure that all traffic to the /cas/login URL is over HTTPS (I'd
>prefer a re-direct to an all-out block). So, anyone have any ideas or
>suggestions? Sorry for the length of the email.
>
>d.
>
>_______________________________________________
>Yale CAS mailing list
>cas-c5E7yoNEsvRIM2btvs0Z1A@xxxxxxxxxxxxxxxx
>http://tp.its.yale.edu/mailman/listinfo/cas
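The Apache-side redirect Scott suggests, written out as an added example that is not taken from the thread. `cas.example.org` is a placeholder for the public, proxied hostname and the certificate paths are placeholders; only the `JkMount /* ajp13` line and the `/cas/login` path come from Derek's post.

```apache
# Port 80 virtual host: its only extra job is to send /cas/login to HTTPS.
# Every other URL is still handed to Tomcat over AJP as before.
<VirtualHost *:80>
    # Placeholder: the hostname clients on the WAN actually use.
    ServerName cas.example.org

    RewriteEngine On
    # Name the public host explicitly instead of using %{SERVER_NAME}, so the
    # Location header can never carry the internal Apache/Tomcat machine name
    # (the symptom Derek describes with the Tomcat-side constraint).
    # R=301 is a permanent redirect; L stops further rewriting of this request.
    RewriteRule ^/cas/login(.*)$ https://cas.example.org/cas/login$1 [R=301,L]

    # From the original post: everything else proxied to the ajp13 worker.
    JkMount /* ajp13
</VirtualHost>

# Port 443 virtual host: deliberately has no RewriteRule, so an HTTPS request
# is never bounced back to port 80 and there is nothing to loop.
<VirtualHost *:443>
    ServerName cas.example.org
    SSLEngine on
    # Placeholder paths for the server certificate and private key.
    SSLCertificateFile    /etc/ssl/certs/cas.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/cas.example.org.key
    JkMount /* ajp13
</VirtualHost>
```

Because the rule lives only in the port-80 host, a request that already arrived over TLS goes straight to Tomcat, and the `transport-guarantee` constraint in `web.xml` is no longer needed to cover `/cas/login`.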
