tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Mikusa <>
Subject Re: SSL redirect problems
Date Fri, 01 Aug 2014 15:30:08 GMT
On Fri, Aug 1, 2014 at 11:13 AM, John Smith <> wrote:

> TC 7.0.54 / RHEL 6
> I have two physical servers, each running an instance of TC. The servers
> are behind a hardware loadbalancer. IPTables is routing request on 80 to
> 8080.

This seems unnecessary.  If you have a hardware load balancer in front of
Tomcat, it is the only thing that would ever talk to Tomcat.  Thus if you
just configure it to go to port 8080 you don't need the iptables rule.  I
can't imagine it's hurting anything, but just thought I'd mention it.

> Tomcat runs under a non-root user. All good.
> I needed to protect an area of our webapp under SSL. Went ahead and
> installed the cert on each server. I can go directly to each server by IP
> under SSL and get the cert (with the expected IP doesn't match FQDN
> warning).

You probably want the SSL certificate installed on your hardware load
balancer.  End client's browsers are going to connect to the hardware load
balancer, not Tomcat.  Thus you'd want the certificate there so your end
users can benefit from it.

Ex:  browser -> HTTPS -> load balancer -> HTTP or HTTPS -> Tomcat

If you put an SSL certificate on your Tomcat servers, that would allow you
to secure the connection between your load balancer and Tomcat.  Depending
on your network and security requirements this may or may not be necessary.
 I'd say most people don't do this because terminating SSL on the load
balancer is sufficient.  It just depends on your requirements though.

> But when I go through the loadbalancer I can't access anything under port
> 8443. I redirected 443 to 8443 on each TC server using IPTables, but still
> no luck.
> Is there anything I'm missing?

The load balancer is almost certainly listening on port 80 and 443.  To
test, you'd want to connect to the load balancer on one of those ports.
 The load balancer would then connect to one of your backend nodes and
proxy the request on your behalf.  Your browser will not connect directly
to the backend nodes (see my point above about not needing the iptables
rule), unless you specifically point it to the ip address of one of the
backend nodes.

> I understand I can install the cert on the
> loadbalancer instead, or use httpd as a proxy, but I'd rather just leave it
> the way it is if there's any other option.

I think you'd want it on the load balancer.  Possibly with additional certs
on your backend nodes, if you want HTTPS communication between the load
balancer and the Tomcat nodes.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message