tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: SSL acceleration
Date Tue, 04 Nov 2014 18:35:24 GMT


On 11/4/14 12:02 PM, Daniel Mikusa wrote:
> On Tue, Nov 4, 2014 at 11:47 AM, Anthony Bonafide wrote:
>> Hello All,
>> I am using a third party load balancer which accepts HTTPS
>> connections, decrypts them and sends the unencrypted connection
>> to Tomcat (SSL Acceleration). I am currently using tomcat 5 and I
>> am in the process of upgrading to Tomcat 7. I am having an issue
>> setting up Tomcat7 to accept the connections from my load
>> balancer. In tomcat 5 I have the 2 connectors set up as so with
>> everything working:
>> <Connector port="8080" maxHttpHeaderSize="8192"
>> maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" redirectPort="8443"
>> acceptCount="100" connectionTimeout="20000"
>> disableUploadTimeout="true" />
>> <Connector port="8081" maxHttpHeaderSize="8192"
>> maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" redirectPort="8444"
>> acceptCount="100" connectionTimeout="20000" scheme="https"
>> proxyPort="443" disableUploadTimeout="true" />
>> The load balancer sends unencrypted HTTPS traffic to Tomcat via
>> port 8081. This setup is in place now with the current setup so
>> the client does not have HTTPS changed to HTTP during a session,
>> due to tomcat thinking the HTTPS connection is unencrypted and it
>> should be changed to HTTP. There is no keystore or certs used by
>> tomcat, all certs are placed on the load balancer.
>> During setup of Tomcat 7 I copied the previous connector setup,
>> resolving the following URLs I get the following responses
>> respectively (I get the same results with my currently working
>> Tomcat5 setup):
>> https://localhost:8081/ - Secure connection fails 
>> http://localhost:8081/ - Apache Tomcat 7.0.56 page showing that
>> everything works.
>> My settings for tomcat 7 are:
>> <Connector port="8080" protocol="HTTP/1.1" 
>> connectionTimeout="20000" redirectPort="8443" />
>> <Connector port="8081" protocol="HTTP/1.1" maxThreads="150"
>> SSLEnabled="false" scheme="https" secure="true" 
>> clientAuth="false" sslProtocol="TLS" proxyPort="443"/>
>> I was wondering if there is a way to set up Tomcat 7 to accept
>> the unencrypted request (SSL Acceleration) from the load balancer,
>> process the request and send back a response without changing the
>> scheme to HTTP?
>> Also as expected my load balancer is not able to establish a
>> connection with Tomcat7 over HTTPS port 8081.
>> Any advice would be greatly appreciated.
> If your load balancer is terminating SSL and properly setting 
> "X-Forwarded-*" headers you can probably get away with one
> connector for HTTP traffic and the RemoteIpValve.  The valve will
> use the X-Forwarded-* headers to modify the request object so that
> your apps can see if the request came in over SSL.


thing you need to do is to set scheme="https" /and/
secure="true" on the <Connector>, otherwise Tomcat will try to
redirect until it gets a connection on a "secure" connector.

FYI the "redirectPort" configuration looks a little insane to me. I
think you want redirectPort="443" in all cases.

-chris


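An added example, not part of the original thread and not the Tomcat project's own configuration: a server.xml sketch of the two approaches discussed above, using the ports from the original question. The load balancer address 10.0.0.5 is a constructed placeholder, and binding or firewalling port 8081 to the load balancer is an assumption about the deployment.

```xml
<Service name="Catalina">

  <!-- Plain HTTP for direct clients; confidential pages redirect to the
       public HTTPS port on the load balancer, as suggested in the reply. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="443" />

  <!-- Option A (dedicated connector): the load balancer forwards traffic it
       has already decrypted to 8081. scheme/secure make request.getScheme()
       return "https" and request.isSecure() return true; proxyPort makes
       generated URLs and redirects use 443 instead of 8081.
       Every request arriving here is treated as secure, so only the load
       balancer should be able to reach this port (firewall rule, or bind
       the connector to an internal interface with the address attribute). -->
  <Connector port="8081" protocol="HTTP/1.1"
             SSLEnabled="false"
             scheme="https" secure="true"
             proxyPort="443" redirectPort="443"
             maxThreads="150" connectionTimeout="20000" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Option B (single connector plus valve, use instead of the 8081
         connector): RemoteIpValve rewrites scheme, secure flag, server port
         and remote address from the X-Forwarded-* headers.
         internalProxies is a regular expression. The headers are honoured
         only when the TCP peer matches it, so narrow it to the load
         balancer (10.0.0.5 is a placeholder); the default accepts whole
         private address ranges, which lets any host in those ranges claim
         X-Forwarded-Proto: https. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.5"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

With option B the load balancer must also overwrite any X-Forwarded-* headers supplied by the client rather than pass them through.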