Daniel,

On 11/4/14 12:02 PM, Daniel Mikusa wrote:
> On Tue, Nov 4, 2014 at 11:47 AM, Anthony Bonafide
> <bonafideanth...@gmail.com> wrote:
>
>> Hello All,
>>
>> I am using a third party load balancer which accepts HTTPS
>> connections, decrypts them and sends the unencrypted connection
>> to Tomcat (SSL Acceleration). I am currently using tomcat 5 and I
>> am in the process of upgrading to Tomcat 7. I am having an issue
>> setting up Tomcat7 to accept the connections from my load
>> balancer. In tomcat 5 I have the 2 connectors set up as so with
>> everything working:
>>
>> <Connector port="8080" maxHttpHeaderSize="8192"
>>     maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>>     maxSpareThreads="75" enableLookups="false" redirectPort="8443"
>>     acceptCount="100" connectionTimeout="20000"
>>     disableUploadTimeout="true" />
>>
>> <Connector port="8081" maxHttpHeaderSize="8192"
>>     maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>>     maxSpareThreads="75" enableLookups="false" redirectPort="8444"
>>     acceptCount="100" connectionTimeout="20000" scheme="https"
>>     proxyPort="443" disableUploadTimeout="true" />
>>
>> The load balancer sends unencrypted HTTPS traffic to Tomcat via
>> port 8081. This setup is in place now with the current setup so
>> the client does not have HTTPS changed to HTTP during a session,
>> due to tomcat thinking the HTTPS connection is unencrypted and it
>> should be changed to HTTP. There is no keystore or certs used by
>> tomcat, all certs are placed on the load balancer.
>>
>> During setup of Tomcat 7 I copied the previous connector setup,
>> resolving the following URLs I get the following responses
>> respectively (I get the same results with my currently working
>> Tomcat5 setup):
>>
>> https://localhost:8081/ - Secure connection fails
>> http://localhost:8081/ - Apache Tomcat 7.0.56 page showing that
>> everything works.
>>
>> My settings for tomcat 7 are:
>>
>> <Connector port="8080" protocol="HTTP/1.1"
>>     connectionTimeout="20000" redirectPort="8443" />
>>
>> <Connector port="8081" protocol="HTTP/1.1" maxThreads="150"
>>     SSLEnabled="false" scheme="https" secure="true"
>>     clientAuth="false" sslProtocol="TLS" proxyPort="443"/>
>>
>> I was wondering if there is a way to setup Tomcat 7 to accept
>> the unencrypted request (SSL Acceleration) from the load balancer,
>> process the request and send back a response without changing the
>> scheme to HTTP?
>>
>> Also as expected my load balancer is not able to establish a
>> connection with Tomcat7 over HTTPS port 8081.
>>
>> Any advice would be greatly appreciated.
>>
>
> If your load balancer is terminating SSL and properly setting
> "X-Forwarded-*" headers you can probably get away with one
> connector for HTTP traffic and the RemoteIpValve. The valve will
> use the X-Forwarded-* headers to modify the request object so that
> your apps can see if the request came in over SSL.
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

+1

Another thing you need to do is to set scheme="https" /and/
secure="true" on the <Connector>, otherwise Tomcat will try to
redirect until it gets a connection on a "secure" connector.

FYI the "redirectPort" configuration looks a little insane to me. I
think you want redirectPort="443" in all cases.

-chris
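
The two approaches suggested in this thread, side by side, as an added example that is not part of the original messages and not the Tomcat project's own configuration. The addresses 10.0.0.5 (Tomcat) and 10.0.0.10 (load balancer) are constructed placeholders, and the header names assume the load balancer sends X-Forwarded-For and X-Forwarded-Proto.

```xml
<!-- server.xml fragments for Tomcat 7 behind a TLS-terminating load balancer.
     10.0.0.5 (Tomcat) and 10.0.0.10 (load balancer) are constructed
     placeholder addresses. Use option A or option B, not both. -->

<!-- Option A: dedicated connector for traffic the balancer has already
     decrypted. scheme/secure only change what request.getScheme() and
     request.isSecure() report; the socket itself is plain HTTP, so no
     keystore, clientAuth or sslProtocol attributes are needed.
     Every request arriving here is treated as secure, so bind it to an
     interface that only the load balancer can reach. -->
<Connector port="8081" protocol="HTTP/1.1"
           address="10.0.0.5"
           SSLEnabled="false"
           scheme="https" secure="true"
           proxyPort="443"
           connectionTimeout="20000" />

<!-- Option B: one plain HTTP connector plus RemoteIpValve (placed inside
     <Engine>, <Host> or <Context>). The valve rewrites scheme, secure flag
     and client address from the forwarded headers, but only for requests
     whose peer address matches internalProxies. Keep that regex limited to
     the balancer so that headers sent by any other peer are ignored. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="10.0.0.5"
           connectionTimeout="20000"
           redirectPort="443" />

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.10"
       remoteIpHeader="x-forwarded-for"
       protocolHeader="x-forwarded-proto"
       protocolHeaderHttpsValue="https" />
```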