Posted to users@tomcat.apache.org by Arunkumar Janarthanan <ar...@gmail.com> on 2012/12/07 16:49:43 UTC

mod_proxy SSL protocol support for balancermember

Hi,

I am using Apache 2.2.22 version on RHEL5 and there are instances running for
credit card data processing, now that the communication between Apache and
Tomcat through proxy balancing uses AJP protocol for the communication and
data transfer.

I was wondering if there is a way we can use HTTPS protocol in Apache
balancer member after enabling SSL on tomcat engine.

I did enable https on balancer configuration which doesn't work for me; I got
a 500 error without any appropriate error message on Apache logs.

Please advise.

Thanks,
Arun Janarthanan

Re: mod_proxy SSL protocol support for balancermember

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Arun,

On 12/7/12 11:34 AM, Arunkumar Janarthanan wrote:
> Thanks for the response Gentlemen, I am not really particular about
> the AJP for secure communication as long as I can use https that
> should work for me, the reason for specific secure communication
> between Apache and Tomcat is the PCI compliance enforcing us not to
> have any other protocol other than https.

I didn't realize that PCI required HTTPS for all communications
(actually, I have a hard time believing that, since not all CC
communications even use HTTP... like over a dial-up device).

But, if you must use HTTPS, then you're going to have to abandon AJP.

The configuration posted by Vladimir is pretty much the simplest thing
you could possibly do. If you want to use a self-signed certificate
from httpd->Tomcat, you may have to make arrangements for httpd to
trust that certificate.

If you want to forward the original SSL information back to Tomcat,
you're going to have to read about the various configuration
environment variables for mod_proxy_http and set them appropriately.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
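
An added example, not part of the original thread: the balancer configuration posted by Vladimir, extended so that httpd verifies the Tomcat certificate, which is the trust arrangement the reply above mentions for a self-signed certificate. The PEM path is a placeholder; the directives are mod_ssl's SSLProxy* directives as documented for httpd 2.2.

```apache
# Added example (not from the thread): httpd 2.2 -> Tomcat over HTTPS,
# with the backend certificate verified instead of accepted blindly.

# Required for any https:// BalancerMember; without it the proxy cannot
# open an SSL connection to the backend.
SSLProxyEngine On

# PEM file containing the certificates httpd should trust for the backends:
# either the self-signed Tomcat certificate(s) themselves, or the internal
# CA that issued them. Placeholder path, adjust to your layout.
SSLProxyCACertificateFile /etc/httpd/conf/ssl/tomcat-backend.pem

# mod_ssl's default is "SSLProxyVerify none": the link is encrypted but any
# certificate presented on 10.10.10.11/12:8443 is accepted. "require" makes
# the handshake fail unless the certificate chains to the file above.
SSLProxyVerify require

# Depth 1: the backend certificate may be self-signed or signed by a CA
# that is directly present in SSLProxyCACertificateFile.
SSLProxyVerifyDepth 1

# Refuse backend certificates that have expired.
SSLProxyCheckPeerExpire on

<Proxy balancer://tomcat_cluster>
    BalancerMember https://10.10.10.11:8443
    BalancerMember https://10.10.10.12:8443
</Proxy>

# Pass requests to balancer
ProxyPass / balancer://tomcat_cluster/
ProxyPassReverse / balancer://tomcat_cluster/
```

With verification enabled, a handshake failure is reported by mod_ssl in the httpd error log; raising LogLevel to debug shows the reason the certificate was rejected.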


Re: mod_proxy SSL protocol support for balancermember

Posted by Arunkumar Janarthanan <ar...@gmail.com>.
Thanks for the response Gentlemen, I am not really particular about the AJP
for secure communication as long as I can use https that should work for
me, the reason for specific secure communication between Apache and Tomcat
is the PCI compliance enforcing us not to have any other protocol other
than https.

Please let me know if you have any questions.

Thanks,
Arun Janarthanan

On Fri, Dec 7, 2012 at 11:09 AM, André Warnier <aw...@ice-sa.com> wrote:

> Vladimir,
>
> on this list, the rule is to not "top post".
> Post your answer below the original message, or below the question to
> which it refers.
> This way, one can follow the conversation logically.
>
>
>
>>
>> ----- Original Message -----
>> From: Arunkumar Janarthanan <ar...@gmail.com>
>> To: Tomcat Users List <us...@tomcat.apache.org>
>> Cc: Sent: Friday, December 7, 2012 5:49 PM
>> Subject: mod_proxy SSL protocol support for balancermember
>>
>> Hi,
>>
>> I am using Apache 2.2.22 version on RHEL5 and there are instances running for
>> credit card data processing, now that the communication between Apache and
>> Tomcat through proxy balancing uses AJP protocol for the communication and
>> data transfer.
>>
>> I was wondering if there is a way we can use HTTPS protocol in Apache
>> balancer member after enabling SSL on tomcat engine.
>>
>> I did enable https on balancer configuration which doesn't work for me; I got
>> a 500 error without any appropriate error message on Apache logs.
>>
>>  Vladimir Girnet wrote:
> > Here is my working configuration - httpd proxy (also on RHEL 5)
> > ----------------------
> >   SSLProxyEngine On
> >   <Proxy balancer://tomcat_cluster>
> >     BalancerMember https://10.10.10.11:8443
> >     BalancerMember https://10.10.10.12:8443
> >   </Proxy>
> >
> >
> >   # Pass requests to balancer
> >   ProxyPass / balancer://tomcat_cluster/
> >   ProxyPassReverse / balancer://tomcat_cluster/
> > ---------------------
> >
> > --
>
> Yes, but this is not using the AJP protocol.
> The AJP protocol does not support SSL (so using mod_proxy_AJP will not
> work, and mod_jk neither)
> If you really need AJP, there are possibilities using SSL tunnels etc.
> Search the list archives for those.
>
> But maybe a question first : the usual setup with a front-end
> load-balancer is to use HTTPS between the client browser and the front-end,
> but "terminate" HTTPS at the front-end, and make a normal connection from
> the front-end to the back-end tomcats, which tend to be in the same local
> network as the front-end anyway.
> Having a first encryption-decryption and then a second
> encryption-decryption again introduces a significant overhead.
> So, do you have a specific reason for which you want to do this ?

Re: mod_proxy SSL protocol support for balancermember

Posted by André Warnier <aw...@ice-sa.com>.
Vladimir,

on this list, the rule is to not "top post".
Post your answer below the original message, or below the question to which it refers.
This way, one can follow the conversation logically.

> 
> 
> ----- Original Message -----
> From: Arunkumar Janarthanan <ar...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: 
> Sent: Friday, December 7, 2012 5:49 PM
> Subject: mod_proxy SSL protocol support for balancermember
> 
> Hi,
> 
> I am using Apache 2.2.22 version on RHEL5 and there are instances running for
> credit card data processing, now that the communication between Apache and
> Tomcat through proxy balancing uses AJP protocol for the communication and
> data transfer.
> 
> I was wondering if there is a way we can use HTTPS protocol in Apache
> balancer member after enabling SSL on tomcat engine.
> 
> I did enable https on balancer configuration which doesn't work for me; I got
> a 500 error without any appropriate error message on Apache logs.
> 
Vladimir Girnet wrote:
 > Here is my working configuration - httpd proxy (also on RHEL 5)
 > ----------------------
 >   SSLProxyEngine On
 >   <Proxy balancer://tomcat_cluster>
 >     BalancerMember https://10.10.10.11:8443
 >     BalancerMember https://10.10.10.12:8443
 >   </Proxy>
 >
 >
 >   # Pass requests to balancer
 >   ProxyPass / balancer://tomcat_cluster/
 >   ProxyPassReverse / balancer://tomcat_cluster/
 > ---------------------
 >
 > --

Yes, but this is not using the AJP protocol.
The AJP protocol does not support SSL (so using mod_proxy_AJP will not work, and mod_jk 
neither)
If you really need AJP, there are possibilities using SSL tunnels etc. Search the list 
archives for those.

But maybe a question first : the usual setup with a front-end load-balancer is to use 
HTTPS between the client browser and the front-end, but "terminate" HTTPS at the 
front-end, and make a normal connection from the front-end to the back-end tomcats, which 
tend to be in the same local network as the front-end anyway.
Having a first encryption-decryption and then a second encryption-decryption again 
introduces a significant overhead.
So, do you have a specific reason for which you want to do this ?







Re: mod_proxy SSL protocol support for balancermember

Posted by Vladimir Girnet <vg...@yahoo.com>.
Here is my working configuration - httpd proxy (also on RHEL 5)
----------------------
  SSLProxyEngine On
  <Proxy balancer://tomcat_cluster>
    BalancerMember https://10.10.10.11:8443 
    BalancerMember https://10.10.10.12:8443 
  </Proxy>


  # Pass requests to balancer
  ProxyPass / balancer://tomcat_cluster/
  ProxyPassReverse / balancer://tomcat_cluster/
---------------------

--
Vladimir Girnet





RE: mod_proxy SSL protocol support for balancermember

Posted by Martin Gainty <mg...@hotmail.com>.
did you set JKLogLevel debug in httpd.conf? http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html
install the debug version of redirector (instead of release)
quiesce TC
bounce Apache
reboot TC
Martin