users@glassfish.java.net

Re: glassfish w/ mod_jk and ssl

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Fri, 26 Feb 2010 18:45:54 -0800

glassfish_at_javadesktop.org wrote:
> Hello Jan,
>
> The misconfiguration with the worker names is a copy+paste error.
>

No problem! :)

> I have already done something to similar effect. I configured Apache with SSL, put the certificate in place, and then forwarded that to a worker that connects to GlassFish on a non-secure mod_jk listener.
>
>

Great! So when you do that, all is working for you, that is, you no longer
get any ERR_SSL_PROTOCOL_ERROR?

> But now Apache is doing all the SSL work?
>

Yes.

> I also could not identify the cons/pros of letting Apache do the SSL or doing it with GlassFish.
>

Letting the webserver (in this case, Apache) do all the SSL work
would be a more typical configuration, because typically, you would let the
webserver serve any static content and have it proxy only requests
for dynamic resources to the application server backend.
And it simplifies your configuration on the backend because a single,
non-secure mod_jk listener will be sufficient.

> Also I noticed that secureCookie="true" causes you to get a new jsession_id every time you refresh the page. Switching from http to https will protect the cookie, but not the other way around. But when set to false, it will work (https->http, http->https). I guess that's not the most secure way, but...
>

Right. See my related blog at
http://blogs.sun.com/jluehe/entry/how_to_downshift_from_https
and this comment in the Comments section at the bottom:

<quote>
But it's important to remind people that mixing protocols is almost as
bad as just using HTTP, if your session cookie goes over the wire
unencrypted it can be stolen by anyone snooping and they can easily
impersonate your session.
</quote>

Thanks!

Jan

> Best Regards
> [Message sent by forum member 'cambazz' (cambazz_at_gmail.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=389035
>
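Added example (not part of the original message or the linked blog entry): a small Python simulation of how a client cookie jar treats a JSESSIONID cookie with and without the Secure attribute, which is the behaviour discussed above for secureCookie. The host name, the toy backend in `browse()` and the `S1`, `S2`, ... session ids are constructed for illustration.

```python
import http.cookiejar
import itertools
from email.message import Message
from urllib.request import Request

HOST = "www.example.com"  # constructed host name, not from the thread


class FakeResponse:
    """Minimal response object: CookieJar only needs info() returning headers."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def browse(jar, scheme, secure_flag, ids):
    """One page load against a toy backend.

    Returns (session id the backend ends up using,
             True if the client sent that id in a plain-http request).
    """
    req = Request(f"{scheme}://{HOST}/app/")
    jar.add_cookie_header(req)            # client decides whether to send JSESSIONID
    sent = req.get_header("Cookie")
    if sent:                              # backend finds the existing session
        return sent.split("=", 1)[1], scheme == "http"
    sid = f"S{next(ids)}"                 # no cookie arrived: backend starts a new session
    attrs = "; Path=/" + ("; Secure" if secure_flag else "")
    jar.extract_cookies(FakeResponse(f"JSESSIONID={sid}{attrs}"), req)
    return sid, False


def session_trace(schemes, secure_flag):
    """Replay a sequence of page loads ("http"/"https") with one cookie jar."""
    jar, ids = http.cookiejar.CookieJar(), itertools.count(1)
    return [browse(jar, s, secure_flag, ids) for s in schemes]


if __name__ == "__main__":
    print("Secure, http refreshes :", session_trace(["http"] * 3, True))
    print("Secure, https only     :", session_trace(["https"] * 2, True))
    print("Not Secure, https->http:", session_trace(["https", "http"], False))
```

With the Secure attribute the jar never returns the cookie over http, so the backend starts a new session on every plain-http load; without it the session survives the downshift, but the same id that was issued over https is then sent in cleartext.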