Posted to users@tomcat.apache.org by Gregory Gerard <gg...@ggerard.com> on 2008/01/05 22:09:52 UTC

Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

I've got an F5 load balancer running version 9.3 of the software.
I've got several Tomcat installations behind it.

The F5 does all SSL and clear traffic as a reverse proxy, rewriting 
headers as needed for cookies and whatnot.

I have one connector on 8080 for the clear traffic.

My problem: I tried to add another connector on 8081 setting secure to 
true so that the HttpServletRequest would say, yup, this is a secure 
connection and tell the 8080 connector 8081 is the secure address it 
should use when trying to upshift to higher security.

When I did this and started Tomcat up, it whined about not being able to 
open up my keystore.

I want all my SSL to be offloaded and keep the keys out of each machine and 
centrally managed. I *just* want to get the servlets to believe the 
connection is secure. This is analogous to HTTPd doing the SSL offload 
with the mod_jk connector.

Also, the header X-Forwarded-For is set by the F5 and I'd like the 
Connector to also give out this IP instead of the load balancer's.

Any ideas short of recompiling Tomcat with a modified connector? Anyone 
else faced this problem?

thanks,
greg


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
In Tomcat 6.0.x you can do

<Connector
  port="8081"
  SSLEnabled="false"
  secure="true"
  scheme="https"
  ...>

In Tomcat 5.5.x you can write a Filter that creates a 
HttpServletRequestWrapper, that returns true on isSecure, and https on 
getScheme
or you can take a look at org.apache.catalina.valves.SSLValve, which 
reads headers set by the server in front, most commonly apache httpd

Filip

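The Filter/HttpServletRequestWrapper approach Filip describes for Tomcat 5.5, written out as an added example (this is not code from Filip or from the Tomcat project). It assumes two filter init-params whose names are chosen here: securePort, the connector the F5 sends decrypted HTTPS traffic to (8081 in this thread), and trustedProxies, the F5's address as Tomcat sees it. It also covers Greg's later question about getRemoteAddr() by reading X-Forwarded-For, but only for requests whose TCP peer is a trusted proxy, since the leftmost values of that header are written by whoever opened the connection and are not verified by anyone.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Example filter for Tomcat 5.5 (Servlet 2.4): marks requests that arrived on
 * the SSL-offloaded connector as secure and exposes the original client address.
 * Constructed example; init-param names "securePort" and "trustedProxies" are
 * assumptions of this example, not Tomcat settings.
 */
public class OffloadedSslFilter implements Filter {

    private int securePort;             // connector the F5 forwards decrypted HTTPS to (e.g. 8081)
    private Set<String> trustedProxies; // peers whose X-Forwarded-For we believe (the F5)

    public void init(FilterConfig config) throws ServletException {
        securePort = Integer.parseInt(config.getInitParameter("securePort"));
        trustedProxies = new HashSet<String>(
                Arrays.asList(config.getInitParameter("trustedProxies").split("\\s*,\\s*")));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only requests whose TCP peer really is the F5 get their view of the
        // connection rewritten; anything else keeps the connector's own values.
        if (req instanceof HttpServletRequest && trustedProxies.contains(req.getRemoteAddr())) {
            boolean arrivedOnSecurePort = req.getLocalPort() == securePort;
            req = new OffloadedRequest((HttpServletRequest) req, arrivedOnSecurePort, trustedProxies);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}

    /** Wrapper that answers isSecure/getScheme/getRemoteAddr as the proxy saw them. */
    static class OffloadedRequest extends HttpServletRequestWrapper {
        private final boolean secure;
        private final String clientAddr;

        OffloadedRequest(HttpServletRequest request, boolean secure, Set<String> trustedProxies) {
            super(request);
            this.secure = secure;
            this.clientAddr = clientAddress(request.getHeader("X-Forwarded-For"),
                                            request.getRemoteAddr(), trustedProxies);
        }

        public boolean isSecure()      { return secure; }
        public String getScheme()      { return secure ? "https" : "http"; }
        public String getRemoteAddr()  { return clientAddr; }
        public String getRemoteHost()  { return clientAddr; } // no reverse lookup, as with enableLookups="false"

        /**
         * X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the
         * peer it accepted the connection from. Walk from the right, discarding
         * addresses that belong to proxies we trust; the first remaining value is
         * the client as seen by the nearest trusted proxy.
         */
        static String clientAddress(String xff, String peer, Set<String> trustedProxies) {
            if (xff == null || xff.trim().length() == 0) {
                return peer; // header absent: the peer itself is the client
            }
            String[] hops = xff.split("\\s*,\\s*");
            for (int i = hops.length - 1; i >= 0; i--) {
                if (!trustedProxies.contains(hops[i])) {
                    return hops[i];
                }
            }
            return hops[0]; // every hop was a trusted proxy: fall back to the leftmost value
        }
    }
}
```

Register it in web.xml with a filter-mapping on /* and the two init-params (securePort=8081, trustedProxies=the F5's internal address). Because the wrapper only ever trusts the header for connections coming from the F5, a request sent straight to 8081 from elsewhere on the network is not reported as secure and keeps its real remote address.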




Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Peter Rossbach <pr...@objektpark.de>.
Hi,

Use quotes around the multiple-value field in the AccessLogValve pattern:

"%{X-Forwarded-For}i" %l %u %t "%r" %s %b

Look at the following definition: http://en.wikipedia.org/wiki/X-Forwarded-For
The first value is the client IP.

Peter



Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Rainer Jung wrote:
> Hi Gregory,
>
> the descriptions below work (at least) for TC 5.0/5.5/6.0.
>
> Gregory Gerard wrote:
>> I've got an F5 load balancer running version 9.3 of the software.
>> I've got several Tomcat installations behind it.
>>
>> The F5 does all SSL and clear traffic as a reverse proxy, rewriting 
>> headers as needed for cookies and whatnot.
>>
>> I have one connector on 8080 for the clear traffic.
>>
>> My problem: I tried to add another connector on 8081 setting secure 
>> to true so that the HttpServletRequest would say, yup, this is a 
>> secure connection and tell the 8080 connector 8081 is the secure 
>> address it should use when trying to upshift to higher security.
>
> Don't use "secure", use scheme="https" instead. See
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
On Tomcat 6, use both secure="true" and scheme="https"; just set 
SSLEnabled="false".
>
>> When I did this and started Tomcat up, it whined about not being able 
>> to open up my keystore.
>>
>> I want all my SSL to be offloaded and keep the keys out of each machine 
>> and centrally managed. I *just* want to get the servlets to believe 
>> the connection is secure. This is analogous to HTTPd doing the SSL 
>> offload with the mod_jk connector.
>>
>> Also, the header X-Forwarded-For is set by the F5 and I'd like the 
>> Connector to also give out this IP instead of the load balancer's.
>
> I assume you are talking about the access log?
>
> For common log format, but using the client IP, you take the pattern:
>
> %{X-Forwarded-For}i %l %u %t "%r" %s %b
>
> See:
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>
> Caution: X-Forwarded-For can contain multiple IP addresses, if the 
> request passed through multiple proxies and they are configured to add 
> IPs, not to overwrite. Keep this in mind when doing analysis on the 
> field.
Remember that you can configure the F5 to not modify the source address of 
the TCP connection, so that you get a true idea of where the connection is 
coming from. Look through your F5 manuals.

Filip




Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Rainer Jung <ra...@kippdata.de>.
Sorry, I didn't read your post carefully enough. The access log thing is 
OK, but about the redirect:

>> I've got an F5 load balancer running version 9.3 of the software.
>> I've got several Tomcat installations behind it.
>>
>> The F5 does all SSL and clear traffic as a reverse proxy, rewriting 
>> headers as needed for cookies and whatnot.
>>
>> I have one connector on 8080 for the clear traffic.
>>
>> My problem: I tried to add another connector on 8081 setting secure to 
>> true so that the HttpServletRequest would say, yup, this is a secure 
>> connection and tell the 8080 connector 8081 is the secure address it 
>> should use when trying to upshift to higher security.

Concerning redirects from http to https: what about the attribute 
redirectPort on the 8080 connector? But of course you need to set it to 
a port that's available on the F5.

>> I want all my SSL to be offloaded and keep the keys out of each machine 
>> and centrally managed. I *just* want to get the servlets to believe 
>> the connection is secure. This is analogous to HTTPd doing the SSL 
>> offload with the mod_jk connector.

Can you give your full connector 8081 configuration?

Regards,

Rainer
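
A server.xml fragment, as an added example that is not from the thread or from the Tomcat project, putting together the Tomcat 6 connector attributes Filip gives (SSLEnabled="false" with secure="true" and scheme="https") and Rainer's point that redirectPort must name a port the F5 listens on. The ports 80 and 443 for the F5's virtual servers are assumptions; the F5 has to be set up to forward 80 to 8080 and 443 to 8081. Because secure="true" is unconditional on this connector, whoever can reach 8081 directly is treated as an HTTPS client, so bind it with the address attribute to an interface only the F5 can reach, or restrict it at the network level.

```xml
<!-- Connector the F5 forwards plain HTTP to. redirectPort is the port the
     F5 itself serves HTTPS on (assumed 443), not Tomcat's 8081: the browser
     never talks to Tomcat directly, so a security-constraint of
     CONFIDENTIAL sends it to https://host:443/... -->
<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="443"
           proxyPort="80" />

<!-- Connector the F5 forwards decrypted HTTPS to. No keystore is needed:
     SSLEnabled="false" keeps the connector plain, secure="true" makes
     HttpServletRequest.isSecure() return true, scheme="https" makes
     getScheme() return "https", and proxyPort makes self-referencing
     redirects use the port the browser actually connected to on the F5.
     address (assumed 10.0.0.5, an internal interface) keeps the port off
     any network the F5 is not on. -->
<Connector port="8081" protocol="HTTP/1.1"
           address="10.0.0.5"
           SSLEnabled="false"
           secure="true"
           scheme="https"
           proxyPort="443" />
```

With this in place a servlet on 8081 sees isSecure() == true and getScheme() == "https" while the JVM holds no private key at all; the keystore error in the original post only appears when SSLEnabled is left on.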



Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
Gregory Gerard wrote:
> Thanks! I'll give that a whirl. So you're saying that if I mark it as 
> scheme='https', HttpServletRequest.isSecure() will respond with true?
>
> Good to know about the multiple IPs... Didn't know that was legal but 
> makes sense.
>
> Logging would be fine (though I don't know how the access log would 
> handle it when parsed) but I'm more trying to get 
> HttpServletRequest.getRemoteAddr()/getRemoteHost to return outer-most 
> value (which I would make the assumption that it's the browser's 
> address).
This is a configuration on the F5; read the manual for that.

Filip
>
> greg
>




Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Rainer Jung <ra...@kippdata.de>.
Gregory Gerard wrote:
> Thanks! I'll give that a whirl. So you're saying that if I mark it as 
> scheme='https', HttpServletRequest.isSecure() will respond with true?

No, sorry, see my second post. The attribute scheme is used when a 
self-referencing redirect gets constructed. That's a way of producing an 
httpd redirect, although technically the request is http.

secure should do what you want. Please post your connector configuration.

> Good to know about the multiple IPs... Didn't know that was legal but 
> makes sense.
> 
> Logging would be fine (though I don't know how the access log would 
> handle it when parsed) but I'm more trying to get 
> HttpServletRequest.getRemoteAddr()/getRemoteHost to return outer-most 
> value (which I would make the assumption that it's the browser's address).

No idea about the getRemote*.
Others?

mod_jk corresponds with the AJP connector, and this connector fakes those 
getRemote* from the info retrieved by mod_jk.

> greg
> 



Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Gregory Gerard <gg...@ggerard.com>.
Thanks! I'll give that a whirl. So you're saying that if I mark it as 
scheme='https', HttpServletRequest.isSecure() will respond with true?

Good to know about the multiple IPs... Didn't know that was legal but 
makes sense.

Logging would be fine (though I don't know how the access log would 
handle it when parsed) but I'm more trying to get 
HttpServletRequest.getRemoteAddr()/getRemoteHost to return outer-most 
value (which I would make the assumption that it's the browser's address).

greg





Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Gregory,

the descriptions below work (at least) for TC 5.0/5.5/6.0.

Gregory Gerard wrote:
> I've got an F5 load balancer running version 9.3 of the software.
> I've got several Tomcat installations behind it.
> 
> The F5 does all SSL and clear traffic as a reverse proxy, rewriting 
> headers as needed for cookies and whatnot.
> 
> I have one connector on 8080 for the clear traffic.
> 
> My problem: I tried to add another connector on 8081 setting secure to 
> true so that the HttpServletRequest would say, yup, this is a secure 
> connection and tell the 8080 connector 8081 is the secure address it 
> should use when trying to upshift to higher security.

Don't use "secure", use scheme="https" instead. See

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

> When I did this and started Tomcat up, it whined about not being able to 
> open up my keystore.
> 
> I want all my SSL to be offloaded and keep the keys out of each machine and 
> centrally managed. I *just* want to get the servlets to believe the 
> connection is secure. This is analogous to HTTPd doing the SSL offload 
> with the mod_jk connector.
> 
> Also, the header X-Forwarded-For is set by the F5 and I'd like the 
> Connector to also give out this IP instead of the load balancer's.

I assume you are talking about the access log?

For common log format, but using the client IP, you take the pattern:

%{X-Forwarded-For}i %l %u %t "%r" %s %b

See:

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Caution: X-Forwarded-For can contain multiple IP addresses, if the 
request passed through multiple proxies and they are configured to add 
IPs, not to overwrite. Keep this in mind when doing analysis on the field.

> 
> Any ideas short of recompiling Tomcat with a modified connector? Anyone 
> else faced this problem?

There should be no need for code changes :)

> thanks,
> greg

Regards,

Rainer
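
An added example, not from the thread or from Tomcat, of reading back access-log lines written with the X-Forwarded-For pattern Rainer gives above, in the quoted form Peter recommends. The three log lines are constructed. It illustrates Rainer's caution that the field can carry several addresses when the request crossed more than one proxy: the comma-space inside the field is exactly why the header must be quoted, and only the rightmost value was written by the proxy closest to Tomcat, while the leftmost is whatever the originator of the connection supplied.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Parser for AccessLogValve lines written with the pattern
 *   "%{X-Forwarded-For}i" %l %u %t "%r" %s %b
 * Constructed example with constructed log lines; not Tomcat code.
 */
public class ForwardedForLogParser {

    // "xff" ident user [time] "request" status bytes
    private static final Pattern LINE = Pattern.compile(
            "^\"([^\"]*)\" (\\S+) (\\S+) \\[([^\\]]+)\\] \"([^\"]*)\" (\\d{3}) (\\S+)$");

    /** Hop list carried in X-Forwarded-For, leftmost (client-supplied) first; empty if absent. */
    public static List<String> hops(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.matches()) {
            throw new IllegalArgumentException("not in the expected access-log format: " + line);
        }
        List<String> result = new ArrayList<String>();
        String xff = m.group(1);
        if (xff.length() == 0 || xff.equals("-")) {
            return result; // AccessLogValve writes "-" when the header is missing
        }
        // Without the surrounding quotes, "203.0.113.7, 198.51.100.2" would have
        // been split into two fields by a whitespace-based log reader.
        for (String hop : xff.split(",")) {
            result.add(hop.trim());
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample lines using documentation (RFC 5737) addresses.
        String[] lines = {
            "\"203.0.113.7\" - - [05/Jan/2008:22:09:52 +0000] \"GET /app/ HTTP/1.1\" 200 512",
            "\"203.0.113.7, 198.51.100.2\" - - [05/Jan/2008:22:09:53 +0000] \"GET /app/login HTTP/1.1\" 302 -",
            "\"-\" - - [05/Jan/2008:22:09:54 +0000] \"GET /health HTTP/1.0\" 200 2",
        };
        for (String line : lines) {
            List<String> hops = hops(line);
            if (hops.isEmpty()) {
                System.out.println("no X-Forwarded-For (request did not pass a proxy that sets it)");
            } else {
                // hops.get(0) is what the originator of the chain claimed;
                // the last hop is the peer the nearest proxy actually accepted from.
                System.out.println("client-supplied=" + hops.get(0)
                        + " nearest-proxy-saw=" + hops.get(hops.size() - 1)
                        + " hops=" + hops.size());
            }
        }
    }
}
```

With a single proxy (the F5) in front of Tomcat the list has one entry and, as Peter says, that first value is the client IP the F5 saw. Once a second proxy is in the path, analysis that blindly takes the first value attributes the request to whatever the upstream proxy, or the client itself, put there; keying reports on the rightmost entry that was not added by a proxy you operate gives the address your own infrastructure actually observed.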
