Re: mod_proxy SSL protocol support for balancermember

Fri, 07 Dec 2012 08:10:00 -0800 

Vladimir,

on this list, the rule is to not "top post".
Post your answer below the original message, or below the question to which it 
refers.
This way, one can follow the conversation logically.




----- Original Message -----
From: Arunkumar Janarthanan <arunkumar.webad...@gmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Cc: Sent: Friday, December 7, 2012 5:49 PM 
Subject: mod_proxy SSL protocol support for balancermember

Hi,

I am using Apache 2.2.22 version on RHEL5 and there are instances runs for
credit card data processing, now that the communication between Apache and
Tomcat through proxy balancing uses AJP protocol for the communication and
data tranfer.

I was wondering if there is a way we can use HTTPS protocol in Apache
balancer member after enabling SSL on tomcat engine.

I did enable https on balancer configuration which doesn't work for me got
a 500 error without any appropriate error message on Apache logs.


Vladimir Girnet wrote:
> Here is my working configuration - httpd proxy (also on RHEL 5)
> ----------------------
>   SSLProxyEngine On
>   <Proxy balancer://tomcat_cluster>
>     BalancerMember https://10.10.10.11:8443
>     BalancerMember https://10.10.10.12:8443
>   </Proxy>
>
>
>   # Pass requests to balancer
>   ProxyPass / balancer://tomcat_cluster/
>   ProxyPassReverse / balancer://tomcat_cluster/
> ---------------------
>
> --

Yes, but this is not using the AJP protocol.
The AJP protocol does not support SSL (so using mod_proxy_AJP will not work, and mod_jk neither) If you really need AJP, there are possibilities using SSL tunnels etc. Search the list archives for those.
But maybe a question first : the usual setup with a front-end load-balancer is to use HTTPS between the client browser and the front-end, but "terminate" HTTPS at the front-end, and make a normal connection from the front-end to the back-end tomcats, which tend to be in the same local network as the front-end anyway. Having a first encryption-decryption and then a second encryption-decryption again introduces a significant overhead. 
So, do you have a specific reason for which you want to do this ?





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to