tomcat-users mailing list archives

From Arunkumar Janarthanan <arunkumar.webad...@gmail.com>
Subject Re: Secure AJP load balancing problem
Date Thu, 03 Jan 2013 15:24:50 GMT
Thanks Mark, I am working in parallel on setting up another environment with
Tomcat 6.x; however, to clear an urgent audit I need to show that the Apache
connector uses a secure protocol to exchange data between Apache and
Tomcat. Both of these servers are in the DMZ and on different servers.

Hello Chris,

Thanks for your valuable advice, here is what my configuration looks like.

*Apache conf:*

ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$ balancer://lb1/$1

*Balancer Conf:*

<Proxy balancer://lb1>
    BalancerMember https://tomcat02.us.rdigest.com:8443
    BalancerMember https://tomcat02.us.rdigest.com:8543
    ProxySet stickysession=JSESSIONID
    ProxySet nofailover=Off
</Proxy>

*Tomcat conf:*

Tomcat1:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
    />

Tomcat2:

    <Connector port="8543" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
    />


Thanks again for your assistance extended.

Regards,
Arun Janarthanan

On Wed, Jan 2, 2013 at 10:38 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

> Arun,
>
> On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
> > I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443, I have
> > tried my balancer members to use HTTPS port
>
> So you are trying to use HTTPS over AJP? Did you mean APR?
>
> Please post your <Connectors> from server.xml and your relevant httpd
> configuration (e.g. ProxyPass). It would also be helpful if you were
> to describe any <transport-guarantee> that you may have in your web
> application(s).
>
> > and finds the JSP pages doing ok for some reason the struts /
> > action servlets would not accept secure protocol instead it
> > redirects infinitely with the Tomcat server hostname and non-ssl
> > port.
>
> Try a protocol trace using something like Mozilla Firefox's "web
> console" or similar tools for other web browsers. This will show you
> the request as sent by the browser and the response as seen by the
> browser: it should show the pattern you describe above with more detail.
>
> > Anybody had similar experience try configuring secure connectors on
> > such environment ?
>
> FWIW, I use stunnel to secure the back-channel between httpd and
> Tomcat (using an AJP connector). While I haven't actually
> performance-tested the two configurations against each other, my
> rationale for this configuration was to reduce the number of SSL
> handshakes that occur between httpd and Tomcat. Also, I've always used
> AJP, so tunneling AJP made more sense for us than switching over to
> HTTPS reverse-proxying.
>
> -chris

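A static check an auditor could run over the httpd side of a setup like this one, as an added example that is not from the thread: it flags balancer members that are not https:// and, for https:// members, whether SSLProxyEngine and SSLProxyVerify are set. The function name, the sample strings and the CA bundle path are assumptions; the posted fragment may omit directives that the real configuration sets elsewhere.

```python
from urllib.parse import urlsplit

# Constructed sample: the balancer fragment as posted above, nothing else.
POSTED = """\
<Proxy balancer://lb1>
    BalancerMember https://tomcat02.us.rdigest.com:8443
    BalancerMember https://tomcat02.us.rdigest.com:8543
    ProxySet stickysession=JSESSIONID
</Proxy>
"""

# Constructed sample: same members plus mod_ssl proxy directives.
# The CA bundle path is a placeholder.
HARDENED = """\
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCACertificateFile /path/to/backend-ca.pem
""" + POSTED


def audit_backchannel(conf_text):
    """Return findings about the httpd-to-Tomcat hop in a config fragment."""
    members, ssl = [], {}
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()  # httpd directive names are case-insensitive
        if name == "balancermember" and len(parts) > 1:
            members.append(parts[1])
        elif name.startswith("sslproxy") and len(parts) > 1:
            ssl[name] = parts[1].lower()

    findings = []
    tls_members = [m for m in members if urlsplit(m).scheme.lower() == "https"]
    for m in members:
        if m not in tls_members:
            findings.append(f"{m}: cleartext hop ({urlsplit(m).scheme})")
    if tls_members:
        if ssl.get("sslproxyengine") != "on":
            findings.append("SSLProxyEngine is not on: httpd cannot open TLS to https:// members")
        # mod_ssl defaults SSLProxyVerify to none: encrypted but unauthenticated.
        if ssl.get("sslproxyverify", "none") != "require":
            findings.append("SSLProxyVerify is not require: backend certificate is not checked")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, audit_backchannel(conf) or "no findings")
```

An ajp:// member tunneled through stunnel, as in the quoted reply, is still reported as a cleartext hop because the check reads only the httpd configuration.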