tomcat-users mailing list archives

From Daniel Mikusa <dmik...@pivotal.io>
Subject Re: SSL acceleration
Date Tue, 04 Nov 2014 17:02:50 GMT
On Tue, Nov 4, 2014 at 11:47 AM, Anthony Bonafide <bonafideanthony@gmail.com> wrote:

> Hello All,
>
> I am using a third party load balancer which accepts HTTPS connections,
> decrypts them and sends the unencrypted connection to Tomcat (SSL
> Acceleration). I am currently using Tomcat 5 and I am in the process of
> upgrading to Tomcat 7. I am having an issue setting up Tomcat 7 to accept
> the connections from my load balancer. In Tomcat 5 I have the 2 connectors
> set up as so with everything working:
>
> <Connector port="8080" maxHttpHeaderSize="8192" maxPostSize="512000"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8443" acceptCount="100"
>                connectionTimeout="20000" disableUploadTimeout="true" />
>
> <Connector port="8081" maxHttpHeaderSize="8192" maxPostSize="512000"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8444" acceptCount="100"
>                connectionTimeout="20000" scheme="https" proxyPort="443"
>                disableUploadTimeout="true" />
>
>
> The load balancer sends unencrypted HTTPS traffic to Tomcat via port 8081.
> This setup is in place now with the current setup so the client does not
> have HTTPS changed to HTTP during a session, due to Tomcat thinking the
> HTTPS connection is unencrypted and it should be changed to HTTP. There is
> no keystore or certs used by Tomcat, all certs are placed on the load
> balancer.
>
> During setup of Tomcat 7 I copied the previous connector setup; resolving
> the following URLs I get the following responses respectively (I get the
> same results with my currently working Tomcat 5 setup):
>
> https://localhost:8081/ - Secure connection fails
> http://localhost:8081/ - Apache Tomcat 7.0.56 page showing that everything
> works.
>
> My settings for tomcat 7 are:
>
>  <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
>
>
>    <Connector port="8081" protocol="HTTP/1.1"
>                maxThreads="150" SSLEnabled="false" scheme="https"
>                secure="true"
>                clientAuth="false" sslProtocol="TLS" proxyPort="443"/>
>
>
> I was wondering if there is a way to set up Tomcat 7 to accept the
> unencrypted request (SSL Acceleration) from the load balancer, process the
> request and send back a response without changing the scheme to HTTP?
>
> Also as expected my load balancer is not able to establish a connection
> with Tomcat7 over HTTPS port 8081.
>
> Any advice would be greatly appreciated.
>

If your load balancer is terminating SSL and properly setting
"X-Forwarded-*" headers you can probably get away with one connector for
HTTP traffic and the RemoteIpValve.  The valve will use the X-Forwarded-*
headers to modify the request object so that your apps can see if the
request came in over SSL.

   http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

Dan
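As an added example (not from the thread or the Tomcat project), here is a server.xml fragment for the setup Dan describes: a single plain HTTP connector on 8081 plus a RemoteIpValve. The load balancer address 10.0.0.5 and the header names X-Forwarded-For / X-Forwarded-Proto are assumptions; substitute whatever your balancer actually sends. The point of internalProxies is that the valve only honours X-Forwarded-* headers from the listed address, so a client that reaches port 8081 directly cannot mark its own request as https by sending the header itself.

```xml
<!-- server.xml fragment: added example, not the original poster's config.
     Assumes the load balancer is at 10.0.0.5 (hypothetical) and sets
     X-Forwarded-For and X-Forwarded-Proto on every forwarded request. -->
<Service name="Catalina">

  <!-- One plain HTTP connector for the load balancer. No SSLEnabled,
       scheme, secure or proxyPort attributes: RemoteIpValve sets scheme,
       secure and server port per request from the forwarded headers.
       redirectPort points at the balancer's HTTPS port so any
       CONFIDENTIAL redirect for a non-forwarded request lands there. -->
  <Connector port="8081" protocol="HTTP/1.1"
             maxThreads="150" connectionTimeout="20000"
             enableLookups="false" redirectPort="443" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- internalProxies is a regular expression in Tomcat 7. Only headers
         arriving from a matching peer address are trusted; the request
         from 10.0.0.5 gets remoteAddr, scheme, secure and serverPort
         rewritten, any other source is left untouched.
         protocolHeader must be set explicitly on Tomcat 7 (its default
         is null), otherwise the valve only rewrites the client address
         and request.isSecure() stays false. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.5"
           remoteIpHeader="X-Forwarded-For"
           proxiesHeader="X-Forwarded-By"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

With this in place a request forwarded with `X-Forwarded-Proto: https` sees `request.isSecure()` return true and `request.getScheme()` return "https", so redirects and `secure` cookies keep the HTTPS scheme the client started with. Two things to check on the balancer side: it should overwrite, not append to, X-Forwarded-Proto so a client-supplied value never reaches Tomcat, and port 8081 should be reachable only from the balancer, since any other peer is served as plain http regardless of headers.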
