Posted to users@tomcat.apache.org by Arunkumar Janarthanan <ar...@gmail.com> on 2013/01/02 22:45:10 UTC

Secure AJP load balancing problem

Hello,

I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443. I have tried my
balancer members using the HTTPS port and find the JSP pages doing ok; for
some reason the struts / action servlets would not accept the secure protocol
and instead redirect infinitely with the Tomcat server hostname and non-SSL
port.

Has anybody had a similar experience trying to configure secure connectors in
such an environment?

Many thanks in advance for the help.

Regards,
Arun J

Re: Secure AJP load balancing problem

Posted by Mark Thomas <ma...@apache.org>.
On 02/01/2013 21:45, Arunkumar Janarthanan wrote:
> Hello,
> 
> I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443.

Time to upgrade. 5.5.x is no longer supported.

> I have tried my
> balancer members using the HTTPS port and find the JSP pages doing ok; for
> some reason the struts / action servlets would not accept the secure protocol
> and instead redirect infinitely with the Tomcat server hostname and non-SSL
> port.
> 
> Has anybody had a similar experience trying to configure secure connectors in
> such an environment?

That sounds like a configuration issue. You need to provide your
connector configuration and reverse proxy configuration.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Secure AJP load balancing problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Arun,

On 1/3/13 10:24 AM, Arunkumar Janarthanan wrote:
> *Apache conf:*
> 
> ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$ 
> balancer://lb1/$1

Why are you intentionally removing the jsessionid from being forwarded
to the worker? I think you want "balancer://lb1/$1$2" when
";jsessionid" is present. You will probably need to re-think the whole
regular expression, because I think what you have is insufficient.

> *Balancer Conf:*
> 
> <Proxy balancer://lb1>
>     BalancerMember https://tomcat02.us.rdigest.com:8443
>     BalancerMember https://tomcat02.us.rdigest.com:8543
>     ProxySet stickysession=JSESSIONID
>     ProxySet nofailover=Off
> </Proxy>

You are missing jvm_route attributes on your BalancerMember
directives. Without that attribute, mod_proxy_ajp has no idea where to
send your requests that should have sticky sessions.

Do you have correct jvmRoute attributes in your <Engine> configuration
in Tomcat?

-chris


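As an added illustration (not code from the thread), the Python below mimics what the ProxyPassMatch from the post does with `$1` versus `$1$2`, and what mod_proxy_balancer's `stickysession=JSESSIONID` then has to work with: the route suffix after the last "." in the session id, matched against each BalancerMember's route (the mod_proxy_balancer parameter is spelled `route=`, and it must equal the `jvmRoute` on the Tomcat `<Engine>`). The member names and hosts are placeholders.

```python
import re

# ProxyPassMatch pattern from the thread: group 1 is the servlet/JSP path,
# group 2 the optional ";jsessionid=..." path parameter.
PROXY_PATTERN = re.compile(r'^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$')

# Constructed balancer members (placeholder hosts). The key is what
# "BalancerMember ... route=<name>" carries; it must equal the jvmRoute
# attribute on the matching Tomcat <Engine>.
MEMBERS = {
    "tomcat1": "https://tomcat1.example.invalid:8443",
    "tomcat2": "https://tomcat2.example.invalid:8543",
}


def proxy_target(request_path, template):
    """Rewrite a request path the way ProxyPassMatch would.

    Apache writes back-references as $1, $2; re.Match.expand wants the
    backslash-number form, so the template is translated first. An
    unmatched optional group expands to the empty string, as in httpd.
    """
    m = PROXY_PATTERN.match(request_path)
    if m is None:
        return None                      # not proxied by this directive
    return m.expand(re.sub(r'\$(\d)', r'\\\1', template))


def session_route(forwarded_url):
    """Route suffix that stickysession=JSESSIONID looks for: the text after
    the last '.' in the session id (URL form shown here; the cookie form
    carries the same value in the JSESSIONID cookie)."""
    m = re.search(r';jsessionid=([^;?]+)', forwarded_url)
    if m is None or '.' not in m.group(1):
        return None
    return m.group(1).rsplit('.', 1)[1]


def choose_member(forwarded_url, round_robin_index=0):
    """Pick the worker for a forwarded URL: the member whose route matches
    the session, otherwise plain round-robin, which is exactly how a session
    lands on the wrong Tomcat once the route has been stripped."""
    route = session_route(forwarded_url)
    if route in MEMBERS:
        return MEMBERS[route]
    names = sorted(MEMBERS)
    return MEMBERS[names[round_robin_index % len(names)]]
```

With the `$1` template the jsessionid never reaches the balancer, so `choose_member` can only round-robin; with `$1$2` the `.tomcat2` suffix selects the right member.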

Re: Secure AJP load balancing problem

Posted by Pid <pi...@pidster.com>.
On 03/01/2013 21:52, Igor Cicimov wrote:
> On 04/01/2013 2:25 AM, "Arunkumar Janarthanan" <ar...@gmail.com>
> wrote:
>>
>> Thanks Mark, I am working in parallel on setting up another environment with
>> Tomcat 6.x; however, to clear an urgent audit I need to show that the Apache
>> connector uses a secure protocol to exchange the data between Apache and
>> Tomcat. Both of these are in the DMZ, on different servers.
>>
>> Hello Chris,
>>
>> Thanks for your valuable advice; here is what my configuration looks like.
>>
>> *Apache conf:*
>>
>> ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$
>> balancer://lb1/$1
>>
>> *Balancer Conf:*
>>
>> <Proxy balancer://lb1>
>>     BalancerMember https://tomcat02.us.rdigest.com:8443
>>     BalancerMember https://tomcat02.us.rdigest.com:8543
>>     ProxySet stickysession=JSESSIONID
>>     ProxySet nofailover=Off
>> </Proxy>
>>
> 
> Since you have sticky sessions, don't you need to set up the jvmRoute in the
> tomcat connectors?

The jvmRoute attribute is set on the Engine element, not the Connectors.


p


>> *Tomcat conf:*
>>
>> Tomcat1:
>>
>>     <Connector port="8443" maxHttpHeaderSize="8192"
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                acceptCount="100" scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS"
>>     />
>>
>> Tomcat2:
>>
>>     <Connector port="8543" maxHttpHeaderSize="8192"
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                acceptCount="100" scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS"
>>     />
>>
>>
>> Thanks again for your assistance extended.
>>
>> Regards,
>> Arun Janarthanan
>>
>> On Wed, Jan 2, 2013 at 10:38 PM, Christopher Schultz <
>> chris@christopherschultz.net> wrote:
>>
> Arun,
> 
> On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
>>>>> I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443. I have
>>>>> tried my balancer members using the HTTPS port
> 
> So you are trying to use HTTPS over AJP? Did you mean APR?
> 
> Please post your <Connectors> from server.xml and your relevant httpd
> configuration (e.g. ProxyPass). It would also be helpful if you were
> to describe any <transport-guarantee> that you may have in your web
> application(s).
> 
>>>>> and find the JSP pages doing ok; for some reason the struts /
>>>>> action servlets would not accept the secure protocol and instead
>>>>> redirect infinitely with the Tomcat server hostname and non-SSL
>>>>> port.
> 
> Try a protocol trace using something like Mozilla Firefox's "web
> console" or similar tools for other web browsers. This will show you
> the request as sent by the browser and the response as seen by the
> browser: it should show the pattern you describe above with more detail.
> 
>>>>> Has anybody had a similar experience trying to configure secure connectors
>>>>> in such an environment?
> 
> FWIW, I use stunnel to secure the back-channel between httpd and
> Tomcat (using an AJP connector). While I haven't actually
> performance-tested the two configurations against each other, my
> rationale for this configuration was to reduce the number of SSL
> handshakes that occur between httpd and Tomcat. Also, I've always used
> AJP, so tunneling AJP made more sense for us than switching over to
> HTTPS reverse-proxying.
> 
> -chris



Re: Secure AJP load balancing problem

Posted by Igor Cicimov <ic...@gmail.com>.
On 04/01/2013 2:25 AM, "Arunkumar Janarthanan" <ar...@gmail.com>
wrote:
>
> Thanks Mark, I am working in parallel on setting up another environment with
> Tomcat 6.x; however, to clear an urgent audit I need to show that the Apache
> connector uses a secure protocol to exchange the data between Apache and
> Tomcat. Both of these are in the DMZ, on different servers.
>
> Hello Chris,
>
> Thanks for your valuable advice; here is what my configuration looks like.
>
> *Apache conf:*
>
> ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$
> balancer://lb1/$1
>
> *Balancer Conf:*
>
> <Proxy balancer://lb1>
>     BalancerMember https://tomcat02.us.rdigest.com:8443
>     BalancerMember https://tomcat02.us.rdigest.com:8543
>     ProxySet stickysession=JSESSIONID
>     ProxySet nofailover=Off
> </Proxy>
>

Since you have sticky sessions, don't you need to set up the jvmRoute in the
tomcat connectors?

> *Tomcat conf:*
>
> Tomcat1:
>
>     <Connector port="8443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>     />
>
> Tomcat2:
>
>     <Connector port="8543" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>     />
>
>
> Thanks again for your assistance extended.
>
> Regards,
> Arun Janarthanan
>
> On Wed, Jan 2, 2013 at 10:38 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> >
> > Arun,
> >
> > On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
> > > I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443. I have
> > > tried my balancer members using the HTTPS port
> >
> > So you are trying to use HTTPS over AJP? Did you mean APR?
> >
> > Please post your <Connectors> from server.xml and your relevant httpd
> > configuration (e.g. ProxyPass). It would also be helpful if you were
> > to describe any <transport-guarantee> that you may have in your web
> > application(s).
> >
> > > and find the JSP pages doing ok; for some reason the struts /
> > > action servlets would not accept the secure protocol and instead
> > > redirect infinitely with the Tomcat server hostname and non-SSL
> > > port.
> >
> > Try a protocol trace using something like Mozilla Firefox's "web
> > console" or similar tools for other web browsers. This will show you
> > the request as sent by the browser and the response as seen by the
> > browser: it should show the pattern you describe above with more detail.
> >
> > > Has anybody had a similar experience trying to configure secure connectors
> > > in such an environment?
> >
> > FWIW, I use stunnel to secure the back-channel between httpd and
> > Tomcat (using an AJP connector). While I haven't actually
> > performance-tested the two configurations against each other, my
> > rationale for this configuration was to reduce the number of SSL
> > handshakes that occur between httpd and Tomcat. Also, I've always used
> > AJP, so tunneling AJP made more sense for us than switching over to
> > HTTPS reverse-proxying.
> >
> > -chris

Re: Secure AJP load balancing problem

Posted by Arunkumar Janarthanan <ar...@gmail.com>.
Thanks Mark, I am working in parallel on setting up another environment with
Tomcat 6.x; however, to clear an urgent audit I need to show that the Apache
connector uses a secure protocol to exchange the data between Apache and
Tomcat. Both of these are in the DMZ, on different servers.

Hello Chris,

Thanks for your valuable advice; here is what my configuration looks like.

*Apache conf:*

ProxyPassMatch ^/(.*\.jsp|.*\.do)(;jsessionid=.*)?$
balancer://lb1/$1

*Balancer Conf:*

<Proxy balancer://lb1>
    BalancerMember https://tomcat02.us.rdigest.com:8443
    BalancerMember https://tomcat02.us.rdigest.com:8543
    ProxySet stickysession=JSESSIONID
    ProxySet nofailover=Off
</Proxy>

*Tomcat conf:*

Tomcat1:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
    />

Tomcat2:

    <Connector port="8543" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
    />


Thanks again for your assistance extended.

Regards,
Arun Janarthanan

On Wed, Jan 2, 2013 at 10:38 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Arun,
>
> On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
> > I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443. I have
> > tried my balancer members using the HTTPS port
>
> So you are trying to use HTTPS over AJP? Did you mean APR?
>
> Please post your <Connectors> from server.xml and your relevant httpd
> configuration (e.g. ProxyPass). It would also be helpful if you were
> to describe any <transport-guarantee> that you may have in your web
> application(s).
>
> > and find the JSP pages doing ok; for some reason the struts /
> > action servlets would not accept the secure protocol and instead
> > redirect infinitely with the Tomcat server hostname and non-SSL
> > port.
>
> Try a protocol trace using something like Mozilla Firefox's "web
> console" or similar tools for other web browsers. This will show you
> the request as sent by the browser and the response as seen by the
> browser: it should show the pattern you describe above with more detail.
>
> > Has anybody had a similar experience trying to configure secure connectors
> > in such an environment?
>
> FWIW, I use stunnel to secure the back-channel between httpd and
> Tomcat (using an AJP connector). While I haven't actually
> performance-tested the two configurations against each other, my
> rationale for this configuration was to reduce the number of SSL
> handshakes that occur between httpd and Tomcat. Also, I've always used
> AJP, so tunneling AJP made more sense for us than switching over to
> HTTPS reverse-proxying.
>
> -chris

Re: Secure AJP load balancing problem

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Arun,

On 1/2/13 4:45 PM, Arunkumar Janarthanan wrote:
> I have Apache 2.2.22 and Tomcat 5.5 running on SSL 8443. I have
> tried my balancer members using the HTTPS port

So you are trying to use HTTPS over AJP? Did you mean APR?

Please post your <Connectors> from server.xml and your relevant httpd
configuration (e.g. ProxyPass). It would also be helpful if you were
to describe any <transport-guarantee> that you may have in your web
application(s).

> and find the JSP pages doing ok; for some reason the struts /
> action servlets would not accept the secure protocol and instead
> redirect infinitely with the Tomcat server hostname and non-SSL
> port.

Try a protocol trace using something like Mozilla Firefox's "web
console" or similar tools for other web browsers. This will show you
the request as sent by the browser and the response as seen by the
browser: it should show the pattern you describe above with more detail.

> Has anybody had a similar experience trying to configure secure connectors
> in such an environment?

FWIW, I use stunnel to secure the back-channel between httpd and
Tomcat (using an AJP connector). While I haven't actually
performance-tested the two configurations against each other, my
rationale for this configuration was to reduce the number of SSL
handshakes that occur between httpd and Tomcat. Also, I've always used
AJP, so tunneling AJP made more sense for us than switching over to
HTTPS reverse-proxying.

-chris
