tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: Secure AJP load balancing problem
Date Fri, 04 Jan 2013 20:25:11 GMT
On 03/01/2013 21:52, Igor Cicimov wrote:
> On 04/01/2013 2:25 AM, "Arunkumar Janarthanan" <arunkumar.webadmin@gmail.com>
> wrote:
>>
>> Thanks Mark, I am working in parallel on setting up another environment with
>> Tomcat 6.x, however to clear an urgent audit I need to show the Apache
>> connector uses secure protocol to exchange the data between Apache and
>> tomcat. Both these servers are in DMZ and on different servers.
>>
>> Hello Chris,
>>
>> Thanks for your valuable advice, here is what my configuration looks like.
>>
>> *Apache conf:*
>>
>> ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$ balancer://lb1/$1
>>
>> *Balancer Conf:*
>>
>> <Proxy balancer://lb1>
>>     BalancerMember https://tomcat02.us.rdigest.com:8443
>>     BalancerMember https://tomcat02.us.rdigest.com:8543
>>     ProxySet stickysession=JSESSIONID
>>     ProxySet nofailover=Off
>> </Proxy>
>>
> 
> Since you have sticky sessions don't you need to set up the jvmRoute in the
> tomcat connectors?

The jvmRoute attribute is set on the Engine element, not the Connectors.


p


>> *Tomcat conf:*
>>
>> Tomcat1:
>>
>>     <Connector port="8443" maxHttpHeaderSize="8192"
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                acceptCount="100" scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS"
>>     />
>>
>> Tomcat2:
>>
>>     <Connector port="8543" maxHttpHeaderSize="8192"
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                acceptCount="100" scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS"
>>     />
>>
>>
>> Thanks again for your assistance extended.
>>
>> Regards,
>> Arun Janarthanan
>>
>> On Wed, Jan 2, 2013 at 10:38 PM, Christopher Schultz <
>> chris@christopherschultz.net> wrote:
>>
> Arun,
> 
> On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
>>>>> I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443, I have
>>>>> tried my balancer members to use HTTPS port
> 
> So you are trying to use HTTPS over AJP? Did you mean APR?
> 
> Please post your <Connectors> from server.xml and your relevant httpd
> configuration (e.g. ProxyPass). It would also be helpful if you were
> to describe any <transport-guarantee> that you may have in your web
> application(s).
> 
>>>>> and finds the JSP pages doing ok for some reason the struts /
>>>>> action servlets would not accept secure protocol instead it
>>>>> redirects infinitely with the Tomcat server hostname and non-ssl
>>>>> port.
> 
> Try a protocol trace using something like Mozilla Firefox's "web
> console" or similar tools for other web browsers. This will show you
> the request as sent by the browser and the response as seen by the
> browser: it should show the pattern you describe above with more detail.
> 
>>>>> Anybody had similar experience try configuring secure connectors on
>>>>> such environment ?
> 
> FWIW, I use stunnel to secure the back-channel between httpd and
> Tomcat (using an AJP connector). While I haven't actually
> performance-tested the two configurations against each other, my
> rationale for this configuration was to reduce the number of SSL
> handshakes that occur between httpd and Tomcat. Also, I've always used
> AJP so tunneling AJP made more sense for us than switching-over to
> HTTPS reverse-proxying.
> 
> -chris
> 

-- 

[key:62590808]
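
An added example, not part of the original message or of the posters' configuration: a small check that flags balancer members which are not HTTPS or whose `route=` parameter matches no `jvmRoute` set on a Tomcat Engine element. The hostnames, ports, route names and the functions `jvm_route` and `audit` are constructed for illustration, and it assumes each `BalancerMember` carries a `route=` equal to its backend's Engine `jvmRoute`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: hostnames, ports and route names are placeholders.
HTTPD_CONF = """\
<Proxy balancer://lb1>
    BalancerMember https://tomcat-a.example.test:8443 route=node1
    BalancerMember https://tomcat-b.example.test:8543 route=node2
    BalancerMember http://tomcat-c.example.test:8080
    ProxySet stickysession=JSESSIONID
</Proxy>
"""
# jvmRoute on the Engine element: this is the value Tomcat appends to the session id.
ENGINE_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true"/>
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="node1"/>
</Service></Server>"""
# jvmRoute misplaced on the Connector: the Engine has none, so no route is emitted.
CONNECTOR_XML = """<Server><Service name="Catalina">
  <Connector port="8543" scheme="https" secure="true" jvmRoute="node2"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""

def jvm_route(server_xml):
    """Return the jvmRoute set on the Engine element, or None if it has none."""
    engine = ET.fromstring(server_xml).find("./Service/Engine")
    return engine.get("jvmRoute") if engine is not None else None

def audit(httpd_conf, server_xmls):
    """List balancer members that are not HTTPS or whose route matches no Engine."""
    routes = {jvm_route(x) for x in server_xmls} - {None}
    findings = []
    for m in re.finditer(r"^[ \t]*BalancerMember[ \t]+(\S+)(.*)$", httpd_conf, re.M):
        url, params = m.group(1), m.group(2)
        if not url.lower().startswith("https://"):
            findings.append(f"{url}: backend scheme is not https")
        route = re.search(r"\broute=(\S+)", params)
        if route is None:
            findings.append(f"{url}: no route= parameter")
        elif route.group(1) not in routes:
            findings.append(f"{url}: route={route.group(1)} matches no Engine jvmRoute")
    return findings

if __name__ == "__main__":
    for line in audit(HTTPD_CONF, [ENGINE_XML, CONNECTOR_XML]):
        print(line)
```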

