From: Daniel Mikusa
To: Tomcat Users List <users@tomcat.apache.org>
Date: Fri, 1 Aug 2014 11:30:08 -0400
Subject: Re: SSL redirect problems

On Fri, Aug 1, 2014 at 11:13 AM, John Smith wrote:

> TC 7.0.54 / RHEL 6
>
> I have two physical servers, each running an instance of TC. The servers
> are behind a hardware load balancer. IPTables is routing requests on 80 to
> 8080.

This seems unnecessary. If you have a hardware load balancer in front of
Tomcat, it is the only thing that would ever talk to Tomcat. Thus, if you
just configure it to go to port 8080, you don't need the iptables rule. I
can't imagine it's hurting anything, but just thought I'd mention it.

> Tomcat runs under a non-root user.

All good.

> I needed to protect an area of our webapp under SSL. Went ahead and
> installed the cert on each server. I can go directly to each server by IP
> under SSL and get the cert (with the expected "IP doesn't match FQDN"
> warning).

You probably want the SSL certificate installed on your hardware load
balancer. End clients' browsers are going to connect to the hardware load
balancer, not Tomcat. Thus you'd want the certificate there so your end
users can benefit from it.

Ex: browser -> HTTPS -> load balancer -> HTTP or HTTPS -> Tomcat

If you put an SSL certificate on your Tomcat servers, that would allow you
to secure the connection between your load balancer and Tomcat. Depending
on your network and security requirements, this may or may not be
necessary. I'd say most people don't do this because terminating SSL on
the load balancer is sufficient. It just depends on your requirements,
though.

> But when I go through the load balancer I can't access anything under port
> 8443. I redirected 443 to 8443 on each TC server using IPTables, but still
> no luck.
>
> Is there anything I'm missing?

The load balancer is almost certainly listening on ports 80 and 443. To
test, you'd want to connect to the load balancer on one of those ports.
The load balancer would then connect to one of your backend nodes and
proxy the request on your behalf. Your browser will not connect directly
to the backend nodes (see my point above about not needing the iptables
rule), unless you specifically point it to the IP address of one of the
backend nodes.

> I understand I can install the cert on the load balancer instead, or use
> httpd as a proxy, but I'd rather just leave it the way it is if there's
> any other option.

I think you'd want it on the load balancer. Possibly with additional certs
on your backend nodes, if you want HTTPS communication between the load
balancer and the Tomcat nodes.

Dan
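Added example, not part of the thread above: a Tomcat 7 server.xml and web.xml fragment for the layout Dan recommends, TLS terminated on the load balancer and plain HTTP from the balancer to Tomcat on 8080. It assumes the balancer sends the original scheme in an X-Forwarded-Proto header and that the balancer's address is in the 10.0.0.0/8 range (placeholder); the RemoteIpValve then makes Tomcat treat those requests as secure, so a CONFIDENTIAL constraint on the protected area is satisfied instead of Tomcat redirecting to its redirectPort again.

```xml
<!-- conf/server.xml (fragment). Added example; values marked as
     placeholders must be replaced with the real ones. -->
<Service name="Catalina">

  <!-- Plain HTTP from the load balancer. redirectPort points at the
       balancer's public HTTPS port (443), not Tomcat's own 8443. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" />

  <!-- Optional: only if HTTPS between balancer and Tomcat is required.
       Keystore path/password are placeholders.
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true"
             keystoreFile="conf/PLACEHOLDER.jks"
             keystorePass="PLACEHOLDER" />
  -->

  <Engine name="Catalina" defaultHost="localhost">
    <!-- Trust the scheme/client-IP headers only from the balancer.
         internalProxies is a placeholder regex for the balancer's IP(s);
         protocolHeader marks the request secure when it reads "https". -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>

<!-- WEB-INF/web.xml (fragment): the area that must be served over TLS.
     /secure/* is a placeholder path. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Without the valve, a request that arrived at the balancer over HTTPS reaches Tomcat as plain HTTP, the constraint is not met, and Tomcat answers with a redirect to the HTTPS URL, which the balancer forwards as HTTP again.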