We use network appliances that sit above Apache Web Server and take care of all SSL encryption/decryption.

This ensures all border<->client communication is secured whilst traffic within our estate is purely http/ajp. The level of security in our virtual circuits and inter-segment firewalls ensures we can limit traffic to what source/destinations should be involved, as well as provide a quality of service. This configuration also removes any potential overheads on Web Server / App Server associated with SSL processing.

-----Original Message-----
From: jkv [mailto:j.kumara...@gmail.com]
Sent: 25 November 2009 10:28
To: users@tomcat.apache.org
Subject: Re: Tomcat Https loadbalancing??

Thanks David,

I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then it's load balanced between https requests to multiple tomcats. What you'll lose over the ajp protocol I'm sure someone will let us know

That sounds good but when https request hits Apache the certificate will be issued by the server to the client, now when this is again sent as https request to tomcat, which will again try issuing a certificate (I guess as this is a protocol standard), I don't know whether this will affect the client -> getting two certificates for a single https request?? Has anybody done this before???

David Cassidy wrote:
>
> Hey
>
> Yes if you want httpd to load balance https requests you do need it to
> handle the https connection - and hence it needs the keys, certs etc
>
> Sadly the ajp protocol is in fact insecure
> if you have the httpd and tomcat on separate boxes you do have a
> security issue
> as the connection is transporting data in the clear.
>
> I would imagine that with mod_proxy you could load balance https requests
> so that the https request goes to httpd then it's load balanced between
> https requests to multiple tomcats.
> What you'll lose over the ajp protocol I'm sure
> someone will let us know
>
> Hope this helps
>
> D
>
>
> On 25/11/09 09:18, jkv wrote:
>> Hello,
>>
>> We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of
>> requests has grown up and we have decided to go for clustering and
>> loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk
>> loadbalancing. My certificate resides in Tomcat.
>>
>> In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk,
>> should I configure Apache to handle HTTPS and tell it about my
>> certificate details?
>>
>> While loadbalancing I understand that http/https request to Apache is
>> converted to ajp and tunneled to Tomcat, so is ajp protocol secure?
>> Should I enable SSL in tomcat to handle this request?
>>
>> Should I have two copies of my certificate files if Apache and Tomcat
>> reside on two different physical machines (Horizontal Clustering)?
>>
>> I searched the forums and they are too advanced for my question. I am
>> really new to clustering and load balancing and any help is deeply
>> appreciated.
>> Thanks in advance.
>>
>> Regards
>> jkv
>>
>
>

--
View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26510458.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
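The setup discussed in this thread, as an added example that is not part of any poster's message: an Apache httpd 2.4 virtual host that terminates the client's TLS session and balances across two Tomcats, with the cleartext AJP variant shown commented out beside a variant that re-encrypts to Tomcat's HTTPS connector. Hostnames, file paths, ports and route names are constructed placeholders.

```apache
# Added example (assumes httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_balancer,
# mod_proxy_http or mod_proxy_ajp, mod_lbmethod_byrequests and mod_headers).
# All hostnames, paths and route names below are constructed placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing TLS ends here. This is the only certificate a browser
    # is ever shown, whichever backend variant is used.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Let the application know the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # --- Variant A: AJP to Tomcat (cleartext on the wire) ---
    # Only appropriate where the httpd<->Tomcat segment is itself isolated
    # and filtered, as in the appliance setup described in the top reply.
    # <Proxy "balancer://tomcats">
    #     BalancerMember "ajp://tomcat1.internal.example:8009" route=node1
    #     BalancerMember "ajp://tomcat2.internal.example:8009" route=node2
    #     ProxySet stickysession=JSESSIONID
    # </Proxy>

    # --- Variant B: re-encrypt to each Tomcat's HTTPS connector ---
    # httpd acts as the TLS client here, so it must verify the backend
    # certificate; without verification the hop is encrypted but not
    # authenticated.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.pem
    SSLProxyCheckPeerName on
    <Proxy "balancer://tomcats">
        # route= must match jvmRoute on the corresponding Tomcat <Engine>.
        BalancerMember "https://tomcat1.internal.example:8443" route=node1
        BalancerMember "https://tomcat2.internal.example:8443" route=node2
        ProxySet stickysession=JSESSIONID
    </Proxy>

    ProxyPass        "/" "balancer://tomcats/"
    ProxyPassReverse "/" "balancer://tomcats/"
</VirtualHost>
```

With variant B there are two independent TLS sessions: the browser validates only httpd's certificate, and httpd validates each Tomcat's certificate against the internal CA, so the Tomcats can use their own internally issued certificates rather than copies of the public one.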