[Building Sakai] Sakai and HTTPS (Possible Error in some tools)

Robert Cohen robert.cohen at anu.edu.au
Tue Jun 21 19:13:05 PDT 2011


We had a similar issue.

We're using apache on the servers proxying to the tomcat by mod_proxy_ajp.

Our first fix for the problem was to terminate the SSL connection at the
balancer then have the balancer establish a new https connection to the
server. So the tomcat was still aware that it was an SSL connection it was
talking to.

But recently I found a different solution.
We're only using it on the test server at present, but it seems to work.

In the server.xml file, I set up a separate connector on port 8010 with
properties
secure="true" scheme="https" proxyPort="443"

The balancer is set up to strip the SSL and send connections that were SSL to
8443. The apache listening on 8443 proxies connections on that port to 8010.

The only thing that doesn't work quite correctly is that if the application
generates a redirect it still redirects to 8443. But the balancer is smart
enough to catch them and rewrite them back to https.
And I don't think Sakai uses redirects in the normal course of operation.
It's only our custom front page that uses a redirect so it's probably not an
issue for most people.




On 22/6/11 12:08 PM, "Branden Visser" <mrvisser at gmail.com> wrote:

> Hi Miguel,
> 
> Have you tried setting the proxyPort and proxyHost settings for the connector
> in your tomcat server.xml? It's an additional step you could try to cover more
> generated URLs. I remember hosting Sakai behind a secure proxy with those
> settings with success.
> 
> See this for more info:
> 
> http://tomcat.apache.org/tomcat-6.0-doc/proxy-howto.html#Apache_1.3_Proxy_Support
> 
> Have a look at step #4 under Apache 1.3 Proxy Support.
> 
> Cheers,
> Branden
> 
> On Tue, Jun 21, 2011 at 10:05 AM, Miguel Carro Pellicer
> <farreri.sakai at gmail.com> wrote:
>>     
>>  I solved my problem with the function "HTTP REDIRECT", but now my balancer
>> redirects all http petitions to https.
>>  
>>  Did someone experience the same problems? Regards, Miguel.
>>  
>>  On 21/06/2011 14:05, Miguel Carro Pellicer wrote:
>>>   I think it's our problem, not Sakai's problem... because we made petitions
>>> through https and our HW balancer redirects through http internally... so
>>> some Sakai servlets get http instead of secure.
>>>  
>>>  Can anyone give a clue or an opinion? Thanks in advance. M
>>>  
>>>  On 21/06/2011 13:31, Miguel Carro Pellicer wrote:
>>>>   Hi subscribers.
>>>>  
>>>>  This morning we switched our test servers from http to https.
>>>>  
>>>>  The SSL negotiation is done in the HW balancer, so we deployed tomcat over
>>>> http port 80.
>>>>  
>>>>  I updated some sakai.properties (force.url.secure and
>>>> serverUrl=https://....)
>>>>  
>>>>  Now... Sakai works and I can log in, I can navigate through some tools but
>>>> other tools throw a timeout, for example I have a lot of problems in
>>>> site-manage and permissions-helper.
>>>>  
>>>>  Example:
>>>>  
>>>>  SITE-MANAGE:
>>>>  
>>>>  
>>>>  
>>>>  EDIT-SITE-INFORMATION WORKS
>>>>  EDIT-SITE-TOOLS WORKS
>>>>  ADDING-PARTICIPANTS TIMEOUT ERROR, REDIRECTS TO HTTP
>>>>  
>>>>  
>>>>  
>>>>  Do you consider this a bug? Also happens with permissions in multiple
>>>> tools.
>>>>  
>>>>  Thanks in advance, Miguel.


=======================================
Robert Cohen
Information Technology Infrastructure
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
 
T: +61 2 6125 8389
F: +61 2 6125 7699
http://www.anu.edu.au
 
CRICOS Provider #00120C
=======================================
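
As an added example (not part of the original thread or of Sakai's code), a small Python check for the two redirect symptoms reported above: a Location header that falls back to http, and one that exposes the internal 8443 port to the client. The host name sakai.example.edu and the sample responses are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumed public origin that clients see at the balancer (placeholder host).
PUBLIC_ORIGIN = "https://sakai.example.edu"
DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def classify_redirect(request_url, location, public_origin=PUBLIC_ORIGIN):
    """Classify one Location header returned for a request to request_url."""
    target = urljoin(request_url, location)  # relative Locations resolve against the request
    scheme, host, port = _origin(target)
    pub_scheme, pub_host, pub_port = _origin(public_origin)
    if host != pub_host:
        return "other-host"
    if scheme != pub_scheme:
        return "scheme-downgrade"      # https request answered with an http:// Location
    if port != pub_port:
        return "internal-port-leak"    # back-end port such as 8443 shown to the client
    return "ok"

def audit(responses, public_origin=PUBLIC_ORIGIN):
    """Return (request_url, location, verdict) for every redirect that is not 'ok'."""
    findings = []
    for request_url, status, location in responses:
        if 300 <= status < 400 and location:
            verdict = classify_redirect(request_url, location, public_origin)
            if verdict != "ok":
                findings.append((request_url, location, verdict))
    return findings

# Constructed sample responses (not captured from a real Sakai server).
SAMPLE = [
    ("https://sakai.example.edu/portal", 302, "/portal/site/home"),
    ("https://sakai.example.edu/portal/tool/a", 302, "http://sakai.example.edu/portal/tool/a/next"),
    ("https://sakai.example.edu/", 302, "https://sakai.example.edu:8443/portal"),
    ("https://sakai.example.edu/portal", 200, None),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Feeding it the status and Location pairs recorded at the client side of the balancer shows which tools still emit redirects that need the connector settings or a balancer rewrite.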
