tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SSL acceleration
Date Tue, 04 Nov 2014 18:35:24 GMT

Daniel,

On 11/4/14 12:02 PM, Daniel Mikusa wrote:
> On Tue, Nov 4, 2014 at 11:47 AM, Anthony Bonafide
> <bonafideanthony@gmail.com> wrote:
> 
>> Hello All,
>> 
>> I am using a third party load balancer which accepts HTTPS
>> connections, decrypts them and sends the unencrypted connection
>> to Tomcat(SSL Acceleration). I am currently using tomcat 5 and I
>> am in the process of upgrading to Tomcat 7. I am having an issue
>> setting up Tomcat7 to accept the connections from my load
>> balancer. In tomcat 5 I have the 2 connectors set up as so with
>> everything working:
>> 
>> <Connector port="8080" maxHttpHeaderSize="8192"
>> maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" redirectPort="8443"
>> acceptCount="100" connectionTimeout="20000"
>> disableUploadTimeout="true" />
>> 
>> <Connector port="8081" maxHttpHeaderSize="8192"
>> maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" redirectPort="8444"
>> acceptCount="100" connectionTimeout="20000" scheme="https"
>> proxyPort="443" disableUploadTimeout="true" />
>> 
>> 
>> The load balancer sends unencrypted HTTPS traffic to Tomcat via
>> port 8081. This setup is in place now so the client does not
>> have HTTPS changed to HTTP during a session, due to Tomcat
>> thinking the HTTPS connection is unencrypted and that it should
>> be changed to HTTP. There is no keystore or certs used by
>> Tomcat; all certs are placed on the load balancer.
>> 
>> During setup of Tomcat 7 I copied the previous connector setup;
>> resolving the following URLs I get the following responses
>> respectively (I get the same results with my currently working
>> Tomcat 5 setup):
>> 
>> https://localhost:8081/ - Secure connection fails 
>> http://localhost:8081/ - Apache Tomcat 7.0.56 page showing that
>> everything works.
>> 
>> My settings for tomcat 7 are:
>> 
>> <Connector port="8080" protocol="HTTP/1.1" 
>> connectionTimeout="20000" redirectPort="8443" />
>> 
>> 
>> <Connector port="8081" protocol="HTTP/1.1" maxThreads="150"
>> SSLEnabled="false" scheme="https" secure="true" 
>> clientAuth="false" sslProtocol="TLS" proxyPort="443"/>
>> 
>> 
>> I was wondering if there is a way to setup Tomcat 7 to accept
>> the unencrypted request(SSL Acceleration) from the load balancer,
>> process the request and send back a response without changing the
>> scheme to HTTP?
>> 
>> Also as expected my load balancer is not able to establish a
>> connection with Tomcat7 over HTTPS port 8081.
>> 
>> Any advice would be greatly appreciated.
>> 
> 
> If your load balancer is terminating SSL and properly setting
> "X-Forwarded-*" headers you can probably get away with one
> connector for HTTP traffic and the RemoteIpValve. The valve will
> use the X-Forwarded-* headers to modify the request object so that
> your apps can see if the request came in over SSL.
> 
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

+1

Another thing you need to do is to set scheme="https" /and/
secure="true" on the <Connector>, otherwise Tomcat will try to
redirect until it gets a connection on a "secure" connector.

FYI the "redirectPort" configuration looks a little insane to me. I
think you want redirectPort="443" in all cases.

-chris
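The two suggestions in this thread (Daniel's single connector plus RemoteIpValve, and Chris's scheme/secure connector with redirectPort="443") put together as a Tomcat 7 server.xml fragment. This is an added illustration, not configuration posted in the thread; the balancer address 10.0.0.5 and the X-Forwarded-For / X-Forwarded-Proto header names are assumptions.

```xml
<!-- Added example, not from the thread. Assumption: the balancer at
     10.0.0.5 terminates TLS, forwards plain HTTP to Tomcat, and sets
     X-Forwarded-For and X-Forwarded-Proto on every request.
     Either connector below is sufficient on its own. -->
<Service name="Catalina">

  <!-- Option A (Daniel): one plain-HTTP connector for all traffic.
       redirectPort is the PUBLIC HTTPS port on the balancer, not a
       local connector, which is the fix Chris suggests for 8443/8444. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="443" />

  <!-- Option B (Chris): a dedicated connector that only ever receives
       balancer-decrypted traffic. scheme and secure together make
       request.isSecure() true, so Tomcat stops redirecting to a "secure"
       connector; proxyPort makes generated URLs carry the public port.
       SSLEnabled stays at its default (false), so no keystore is needed. -->
  <Connector port="8081" protocol="HTTP/1.1" maxThreads="150"
             scheme="https" secure="true"
             proxyPort="443" redirectPort="443" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- RemoteIpValve for Option A: rewrites remoteAddr, scheme, secure
         and serverPort from the forwarded headers. internalProxies is a
         regex that must match the whole peer address; it is narrowed to
         the balancer only, because the valve leaves the request untouched
         when the immediate peer does not match. That way a client that
         reaches 8080 directly cannot declare its own request "https" or
         substitute a source address via the headers. With Option B the
         protocolHeader attributes are unnecessary; keep remoteIpHeader if
         you want real client addresses in access logs. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           internalProxies="10\.0\.0\.5"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpServerPort="80"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

In Tomcat 7 protocolHeader has no default, so without that attribute the valve only fixes the client address and the scheme stays whatever the connector says.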


