tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Tomcat Https loadbalancing??
Date Wed, 25 Nov 2009 12:41:15 GMT
jkv wrote:
> Hello,
> We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of
> requests has grown up and we have decided to do go for clustering and
> loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk
> loadbalacing. My certificate resides in Tomcat. 
> In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk,
> should I configure Apache to handle HTTPS and tell it about my certificate
> details? 
> While loadbalancing I understand that http/https request to Apache is
> converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I
> enable SSL in tomcat to handle this request? 
> Should I have two copies of my certificate files if Apache and Tomcat reside
> on two different physical machines(Horizontal Clustering)?
> I searched the forums and they are too advanced for my question. I am really
> new to clustering and load balancing and any help is deeply appreciated.
> Thanks in advance.
SSL has a cost, in terms of encrypting/decrypting all communications, in 
terms of bandwidth,  in terms of setup complexity, and in terms of 
maintenance complexity.
So it should be used when necessary, and not otherwise.

If you are using Apache httpd anyway as a front-end, you probably need 
HTTPS between the clients and Apache, because that link goes over 
non-secure connections.

The question is, is the connection between Apache and Tomcat secure ?
That is to some extent a relative and/or subjective judgement.
If that connection goes over the Internet also, then it is not secure.
If it goes only over an internal network, then you have to decide if 
that network, for practical purposes, can be termed as secure.
If both Apache and Tomcat are on the same host, then it is already as 
secure as it can be.
Thus if you decide that the Apache/Tomcat connections are secure, 
simplify your life and optimise the efficiency by keeping things simple, 
and handle all SSL stuff at the Apache level.
(I believe that in technical terms, this is called "terminate SSL at the 
Apache level".)

The AJP protocol itself is not secure, in the sense that it does not, by 
itself, encrypt the data it exchanges. It can however, as far as I know, 
be configured to run over an SSL connection, if needed.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message