This is the same Tomcat as the one installed when setting up Shrine, ideally version 9.0.52.
Tomcat should accept requests on port 8009, but only from localhost, and redirect to the SSL port 6443. Port 8009 and 6443 should not be reachable from outside the localhost.
Configure port 6443 – set your own keystore :
<Connector port="6443" protocol="org.apache.coyote.http11.Http11NioProtocol"maxThreads="150" SSLEnabled="true" scheme="https" secure="true"><SSLHostConfig clientAuth="none" sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"honorCipherOrder="true" ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"><Certificate certificateKeystoreFile="/opt/shrine/shrine.keystore"certificateKeystorePassword="changeit"certificateKeyAlias="*.catalyst.harvard.edu" /></SSLHostConfig></Connector>
Configure the AJP connector. Note the allowedRequestAttributesPattern=".*" attribute. That is needed for the AJP connection to pass the attributes from the "attribute-map.xml" file (see above) to the ServletRequest object as request attributes, and of the correct name (as opposed to request headers). See also shibboleth2.xml on the same topic.
<Connector protocol="org.apache.coyote.ajp.AjpNio2Protocol"proxyName="shrine-sso-node01"enableLookups="true"address="0.0.0.0"allowedRequestAttributesPattern=".*"port="8009"secretRequired="false"redirectPort="6443" />
Overview
Content Tools