tomcat-users mailing list archives

From André Warnier
Subject Re: mod_proxy SSL protocol support for balancermember
Date Fri, 07 Dec 2012 16:09:24 GMT

On this list, the rule is to not "top post".
Post your answer below the original message, or below the question to which it refers.
This way, one can follow the conversation logically.

> ----- Original Message -----
> From: Arunkumar Janarthanan <>
> To: Tomcat Users List <>
> Cc: 
> Sent: Friday, December 7, 2012 5:49 PM
> Subject: mod_proxy SSL protocol support for balancermember
> Hi,
> I am using Apache 2.2.22 version on RHEL5 and there are instances runs for
> credit card data processing, now that the communication between Apache and
> Tomcat through proxy balancing uses AJP protocol for the communication and
> data transfer.
> I was wondering if there is a way we can use HTTPS protocol in Apache
> balancer member after enabling SSL on tomcat engine.
> I did enable https on balancer configuration which doesn't work for me got
> a 500 error without any appropriate error message on Apache logs.
Vladimir Girnet wrote:
 > Here is my working configuration - httpd proxy (also on RHEL 5)
 > ----------------------
 >   SSLProxyEngine On
 >   <Proxy balancer://tomcat_cluster>
 >     BalancerMember
 >     BalancerMember
 >   </Proxy>
 >   # Pass requests to balancer
 >   ProxyPass / balancer://tomcat_cluster/
 >   ProxyPassReverse / balancer://tomcat_cluster/
 > ---------------------
 > --

Yes, but this is not using the AJP protocol.
The AJP protocol does not support SSL (so using mod_proxy_AJP will not work, and mod_jk 
If you really need AJP, there are possibilities using SSL tunnels etc. Search the list 
archives for those.

But maybe a question first: the usual setup with a front-end load-balancer is to use 
HTTPS between the client browser and the front-end, but "terminate" HTTPS at the 
front-end, and make a normal connection from the front-end to the back-end tomcats, which 
tend to be in the same local network as the front-end anyway.
Having a first encryption-decryption and then a second encryption-decryption again 
introduces a significant overhead.
So, do you have a specific reason for which you want to do this?
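
Added example (not part of the original messages): if the hop from httpd to Tomcat is re-encrypted as in the quoted balancer configuration, `SSLProxyEngine On` alone encrypts the connection but does not authenticate the back-end, so the sketch below adds certificate verification using mod_ssl directives available in httpd 2.2. The host names, ports, route names and CA file path are placeholders, not values from the thread.

```apache
# Added example: host names, ports, routes and the CA path are placeholders.
SSLProxyEngine On

# Without the directives below, mod_ssl encrypts the hop to Tomcat but
# accepts whatever certificate the back-end presents.
SSLProxyVerify require
SSLProxyVerifyDepth 2
# CA (or self-signed certificate) that issued the Tomcat connectors' certificates
SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem
# Compare the certificate CN with the host name in the back-end URL
SSLProxyCheckPeerCN On
# Reject expired back-end certificates
SSLProxyCheckPeerExpire On
SSLProxyProtocol all -SSLv2 -SSLv3

<Proxy balancer://tomcat_cluster>
    # https:// members are handled by mod_proxy_http, not mod_proxy_ajp
    BalancerMember https://tomcat1.example.internal:8443 route=node1
    BalancerMember https://tomcat2.example.internal:8443 route=node2
</Proxy>

# Pass requests to balancer
ProxyPass        / balancer://tomcat_cluster/
ProxyPassReverse / balancer://tomcat_cluster/
```

Each Tomcat instance needs an HTTPS connector listening on the port named in its `BalancerMember` line, with a certificate whose CN matches that host name.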
