tomcat-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: Secure AJP load balancing problem
Date Thu, 03 Jan 2013 21:52:01 GMT
On 04/01/2013 2:25 AM, "Arunkumar Janarthanan" <arunkumar.webadmin@gmail.com>
wrote:
>
> Thanks Mark, I am working in parallel on setting up another environment with
> Tomcat 6.x; however, to clear an urgent audit I need to show that the Apache
> connector uses a secure protocol to exchange the data between Apache and
> Tomcat. Both of these are in the DMZ and on different servers.
>
> Hello Chris,
>
> Thanks for your valuable advice, here is what my configuration looks like.
>
> *Apache conf:*
>
> ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$ balancer://lb1/$1
>
> *Balancer Conf:*
>
> <Proxy balancer://lb1>
>     BalancerMember https://tomcat02.us.rdigest.com:8443
>     BalancerMember https://tomcat02.us.rdigest.com:8543
>     ProxySet stickysession=JSESSIONID
>     ProxySet nofailover=Off
> </Proxy>
>

Since you have sticky sessions, don't you need to set up the jvmRoute in the
Tomcat connectors?

> *Tomcat conf:*
>
> Tomcat1:
>
>     <Connector port="8443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>     />
>
> Tomcat2:
>
>     <Connector port="8543" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>     />
>
>
> Thanks again for your assistance extended.
>
> Regards,
> Arun Janarthanan
>
> On Wed, Jan 2, 2013 at 10:38 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> > Arun,
> >
> > On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
> > > I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443, I have
> > > tried my balancer members to use HTTPS port
> >
> > So you are trying to use HTTPS over AJP? Did you mean APR?
> >
> > Please post your <Connectors> from server.xml and your relevant httpd
> > configuration (e.g. ProxyPass). It would also be helpful if you were
> > to describe any <transport-guarantee> that you may have in your web
> > application(s).
> >
> > > and finds the JSP pages doing ok for some reason the struts /
> > > action servlets would not accept secure protocol instead it
> > > redirects infinitely with the Tomcat server hostname and non-ssl
> > > port.
> >
> > Try a protocol trace using something like Mozilla Firefox's "web
> > console" or similar tools for other web browsers. This will show you
> > the request as sent by the browser and the response as seen by the
> > browser: it should show the pattern you describe above with more detail.
> >
> > > Anybody had similar experience try configuring secure connectors on
> > > such environment ?
> >
> > FWIW, I use stunnel to secure the back-channel between httpd and
> > Tomcat (using an AJP connector). While I haven't actually
> > performance-tested the two configurations against each other, my
> > rationale for this configuration was to reduce the number of SSL
> > handshakes that occur between httpd and Tomcat. Also, I've always used
> > AJP, so tunneling AJP made more sense for us than switching over to
> > HTTPS reverse-proxying.
> >
> > -chris

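To make the jvmRoute point concrete, here is an added example (not code from this thread or from httpd/Tomcat): a small Python model of how mod_proxy_balancer resolves stickysession=JSESSIONID against BalancerMember route= names, including the ;jsessionid= path form and the nofailover setting. The route names tomcat1/tomcat2, the hostnames and the session ids are all constructed assumptions; the thread's own config sets no route= and no jvmRoute, which is exactly the case where stickiness silently falls back to plain load balancing.

```python
"""Model of mod_proxy_balancer sticky routing (added example, not from the thread).
Assumed, hypothetical httpd/Tomcat side that this models:
  BalancerMember https://tomcat01.example.com:8443 route=tomcat1
  BalancerMember https://tomcat02.example.com:8543 route=tomcat2
  ProxySet stickysession=JSESSIONID|jsessionid
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="tomcat1">  (one per Tomcat)
"""
from http.cookies import SimpleCookie

# Constructed balancer table; keys are the route= names.
MEMBERS = {
    "tomcat1": {"url": "https://tomcat01.example.com:8443", "up": True},
    "tomcat2": {"url": "https://tomcat02.example.com:8543", "up": True},
}
STICKY_COOKIE, STICKY_PATH = "JSESSIONID", "jsessionid"  # cookie name | path-param name
SEP = "."  # stickysessionsep default: Tomcat issues "<id>.<jvmRoute>" when jvmRoute is set


def session_id(path, cookie_header=""):
    """Sticky id from the Cookie header, else from a ;jsessionid= path parameter."""
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if STICKY_COOKIE in jar:
            return jar[STICKY_COOKIE].value
    for param in path.split("?", 1)[0].split(";")[1:]:
        name, _, value = param.partition("=")
        if name.lower() == STICKY_PATH:
            return value
    return None


def route_of(sid):
    """Route suffix appended by Tomcat's jvmRoute; None for a bare session id."""
    if sid is None or SEP not in sid:
        return None
    return sid.rsplit(SEP, 1)[1]


def choose_member(path, cookie_header="", nofailover=False, members=MEMBERS):
    """Return (member_name, sticky_hit). Without a jvmRoute suffix the request
    is not sticky and goes to whichever member the lb method picks."""
    route = route_of(session_id(path, cookie_header))
    if route in members and members[route]["up"]:
        return route, True
    if route is not None and nofailover:
        return None, True   # nofailover=On: answer 503 rather than break the session
    for name, member in members.items():   # stand-in for lbmethod selection
        if member["up"]:
            return name, False
    return None, False
```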