Hi Gregory,
the descriptions below work (at least) for TC 5.0/5.5/6.0.
Gregory Gerard schrieb:
I've got an F5 load balancer running version 9.3 of the software.
I've got several Tomcat installations behind it.
The F5 does all SSL and clear traffic as a reverse proxy, rewriting
headers as needed for cookies and whatnot.
I have one connector on 8080 for the clear traffic.
My problem: I tried to add another connector on 8081 setting secure to
true so that the HttpServletRequest would say, yup, this is a secure
connection and tell the 8080 connector 8081 is the secure address it
should use when trying to upshift to higher security.
Don't use "secure", use scheme="https" instead. See
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
When I did this and started Tomcat up, it whined about not being able to
open up my keystore.
I want all my SSL to offloaded and keep the keys out of each machine and
centrally managed. I *just* want to get the servlets to believe the
connection is secure. This is analogous to HTTPd doing the SSL offload
with the mod_jk connector.
Also, the header X-Forwarded-For is set by the F5 and I'd like the
Connector to also give out this IP instead of the load balancer's.
I assume you are talking about the access log?
For common log format, but using the client IP, you take the pattern:
%{X-Forwarded-For}i %l %u %t "%r" %s %b
See:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
Caution: X-Forwarded-For can contain multiple IP addresses, if the
request passed through multiple proxies and they are configured to add
IPs, not to overwrite. Keep this in mind when doing analysis on the field.
Any ideas short of recompiling Tomcat with a modified connector? Anyone
else faced this problem?
There should be no need for code changes :)
thanks,
greg
Regards,
Rainer
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
