Posted to users@tomcat.apache.org by jkv <j....@gmail.com> on 2009/11/25 10:18:07 UTC

Tomcat Https loadbalancing??

Hello,

We are using Tomcat 6.0 and running HTTPS (SSL enabled). The number of
requests has grown and we have decided to go for clustering and
load balancing. We have decided to go for Apache and mod_proxy/mod_jk
load balancing. My certificate resides in Tomcat.

In order to load-balance HTTPS requests using Apache and mod_proxy/mod_jk,
should I configure Apache to handle HTTPS and tell it about my certificate
details?

While load balancing I understand that an http/https request to Apache is
converted to AJP and tunneled to Tomcat, so is the AJP protocol secure? Should I
enable SSL in Tomcat to handle this request?

Should I have two copies of my certificate files if Apache and Tomcat reside
on two different physical machines (horizontal clustering)?

I searched the forums and they are too advanced for my question. I am really
new to clustering and load balancing and any help is deeply appreciated.
Thanks in advance.

Regards
jkv
-- 
View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26509573.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat Https loadbalancing??

Posted by Pid <pi...@pidster.com>.
On 25/11/2009 10:18, jkv wrote:
>
> Thanks Peter,
>
> That really helps me a lot.
>
> I got one small doubt in the last point that you said.
>
> In this environment, you only want your "public" certificate on httpd.
> Tomcat will not be doing anything that uses it, so don't put a copy
> on those machines.
>
> this means that I will not enable SSL in my tomcat.. I will comment
> <!--<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                 ....>  -->
>
> tag totally from server.xml file in tomcat and have just one connector
> element, i.e.,
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
>
> I think I will have to remove the redirectPort="443" attribute also?? as it's
> been handled for me by Apache.

The redirectPort setting should stay, but HTTPD will still handle the
connection.  (If you remove the setting it'll probably just default to
443 anyway.)

It is used by Tomcat when a web.xml contains a <transport-guarantee>
set to CONFIDENTIAL, to redirect and upgrade the connection.


p




Re: Tomcat Https loadbalancing??

Posted by Rainer Jung <ra...@kippdata.de>.
Some of this is also explained in

http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html



Re: Tomcat Https loadbalancing??

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 12/3/2009 8:42 AM, David Cassidy wrote:
> It would be interesting if you are running on non-standard ports (ie
> not 80 and 443 ) to see what happens....

I do that, and it works just fine.

AJP doesn't use the proxyPort stuff because the HTTP port isn't being
changed. All that is necessary if you are using mod_proxy_http because
the HTTP port often changes between Apache httpd (listening on port 80
to the outside world) and Tomcat (listening to, say, 8080 only to the
internal network). In this case, Tomcat is convinced that the real port
number being used is 8080 and would return URLs to the client using
:8080 appended to them. Without using proxyName and proxyPort, Tomcat
might return bad URLs to the user. The 'secure' attribute is necessary,
here, if you are terminating SSL somewhere else but still consider the
(non-encrypted) HTTP connection going to Tomcat to be secure.

The AJP connector does in fact have proxyName and proxyPort attributes
available, but I believe they are either superfluous, or auto-filled by
the incoming HTTP request, anyway.

In both cases, the default redirectPort is 443.

I think if you are using HTTP connectors, your claim is true: to support
both "secure" and "non-secure" channels where both channels are actually
non-secure HTTP, you'll need two <Connectors>: one with secure=true and
one with secure=false (or unspecified, and it defaults to false).

-chris
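Pid's point about redirectPort and transport-guarantee, and Chris's rules for secure, proxyName and proxyPort above, turned into an added audit script (my example, not code from the thread or from Tomcat): it parses a constructed server.xml, models what request.isSecure() returns per connector when httpd terminates TLS, and flags the connectors that would redirect-loop or build URLs with the wrong port. The sample connectors, keystore path and finding messages are constructed.

```python
"""Added example: audit a Tomcat server.xml for the topology in this
thread, where Apache httpd terminates TLS and forwards to Tomcat over
AJP (mod_jk / mod_proxy_ajp) or plain HTTP (mod_proxy_http)."""
import xml.etree.ElementTree as ET

# Constructed sample (not jkv's real file): the AJP connector jkv kept,
# an HTTP/1.1 connector as a mod_proxy_http user might add it, and the
# SSL connector jkv planned to comment out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="conf/keystore.jks" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def connectors(server_xml):
    """Attribute dicts of every <Connector> in a server.xml document."""
    return [dict(c.attrib) for c in ET.fromstring(server_xml).iter("Connector")]


def is_true(attrs, name):
    return attrs.get(name, "false").lower() == "true"


def request_is_secure(conn, httpd_saw_https):
    """Model request.isSecure() in Tomcat for a request that httpd received
    over HTTPS (or not) and forwarded to this connector."""
    if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
        # AJP forwards httpd's is_ssl flag, so Tomcat learns the client's scheme.
        return httpd_saw_https
    # Plain HTTP: Tomcat only knows what the connector's own attributes say.
    return is_true(conn, "secure") or is_true(conn, "SSLEnabled")


def confidential_redirect_loops(conn, httpd_saw_https=True):
    """True if a CONFIDENTIAL resource reached through this connector would
    bounce to redirectPort forever: httpd terminates TLS again and forwards
    the same way, so Tomcat never sees the request as secure."""
    return httpd_saw_https and not request_is_secure(conn, httpd_saw_https)


def audit(server_xml, httpd_terminates_tls=True):
    """Return (port, message) findings for the TLS-terminated-at-httpd setup."""
    findings = []
    for c in connectors(server_xml):
        port = c.get("port")
        if httpd_terminates_tls and is_true(c, "SSLEnabled"):
            findings.append((port, "SSLEnabled connector is unused when httpd "
                             "terminates TLS; drop it so no private key lives "
                             "on the Tomcat hosts"))
            continue
        if c.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue  # redirectPort (default 443) stays; no secure= needed
        if httpd_terminates_tls and confidential_redirect_loops(c):
            findings.append((port, 'HTTP connector behind TLS-terminating '
                             'httpd needs secure="true" (or a second, secure '
                             'connector) or CONFIDENTIAL resources redirect in a loop'))
        if "proxyName" not in c or "proxyPort" not in c:
            findings.append((port, "set proxyName/proxyPort or Tomcat builds "
                             "absolute URLs with its internal port"))
    return findings


if __name__ == "__main__":
    for port, msg in audit(SAMPLE_SERVER_XML):
        print(f"connector {port}: {msg}")
```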


Re: Tomcat Https loadbalancing??

Posted by David Cassidy <da...@twocats.co.uk>.
It would be interesting if you are running on non-standard ports (i.e. not
80 and 443) to see what happens....

D


Re: Tomcat Https loadbalancing??

Posted by David Cassidy <da...@twocats.co.uk>.
Chris,

You're right - nice one.
I'd always put the extra properties into my connector config
(the proxyPort, redirectPort, whether it was secure or not),
but it works as you described if you don't tell it all the extra settings.

Nice thanks

D


Re: Tomcat Https loadbalancing??

Posted by Christopher Schultz <ch...@christopherschultz.net>.

David,

On 11/25/2009 6:06 AM, David Cassidy wrote:
> If you want your tomcat to ever know that it's getting a secure request
> you'll need 2 ajp connectors - one as the default is "not secure"
> the other needs to say "i'm secure" otherwise when you do a
> transport-guarantee in your web.xml
> your client will be in an infinite loop
> as tomcat never sees a "secure" request....

I call BS on this one: the AJP protocol can indicate whether a
particular request is secure or not: the use of two AJP connectors is
certainly not required.

-chris


Re: Tomcat Https loadbalancing??

Posted by David Cassidy <da...@twocats.co.uk>.

On 25/11/09 10:36, Peter Crowther wrote:
> 2009/11/25 jkv<j....@gmail.com>:
>> I got one small doubt in the last point that you said.
>>
>> In this environment, you only want your "public" certificate on httpd.
>> Tomcat will not be doing anything that uses it, so don't put a copy
>> on those machines.
>>
>> this means that I will not enable SSL in my tomcat.. I will comment
>> <!--<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>                ....>  -->
>>
>> tag totally from server.xml file in tomcat and have just one connector
>> element i.e.,
>>
>> <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
> Certainly you only need the AJP connector, as Tomcat will never be
> handling http or https requests.
>
If you want your Tomcat to ever know that it's getting a secure request
you'll need 2 AJP connectors - one as the default is "not secure",
the other needs to say "i'm secure"; otherwise when you do a
transport-guarantee in your web.xml
your client will be in an infinite loop
as Tomcat never sees a "secure" request....




Re: Tomcat Https loadbalancing??

Posted by Peter Crowther <pe...@melandra.com>.
2009/11/25 jkv <j....@gmail.com>:
> I got one small doubt in the last point that you said.
>
> In this environment, you only want your "public" certificate on httpd.
> Tomcat will not be doing anything that uses it, so don't put a copy
> on those machines.
>
> this means that I will not enable SSL in my tomcat.. I will comment
> <!-- <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>               ....> -->
>
> tag totally from server.xml file in tomcat and have just one connector
> element i.e.,
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

Certainly you only need the AJP connector, as Tomcat will never be
handling http or https requests.

> Thanks for the reply, that really helped a lot and we can also conclude we
> cannot have a secure horizontal loadbalancing with Apache and Tomcat!

Depends what you mean by "secure", as the level of security is
relative, not absolute.  There are more moving parts to secure, but
it's possible to secure all of them to a reasonable standard.

No system is *ever* 100% secure from attack, even if it's 100 metres
underground, powered by its own generator, no network,
Faraday-shielded, has a division of armed guards protecting its bunker
and has self-destruct systems built in.  It just depends how much the
attacker wants your data, and therefore what resource (s)he is willing
to commit to acquiring them.

- Peter



Re: Tomcat Https loadbalancing??

Posted by jkv <j....@gmail.com>.
Thanks Peter,

That really helps me a lot.

I got one small doubt in the last point that you said.

In this environment, you only want your "public" certificate on httpd.
Tomcat will not be doing anything that uses it, so don't put a copy
on those machines.

This means that I will not enable SSL in my Tomcat. I will comment out the
<!-- <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               ....> -->

tag totally from the server.xml file in Tomcat and have just one connector
element, i.e.,

<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

I think I will have to remove the redirectPort="443" attribute also?? as it's
been handled for me by Apache.

Thanks for the reply, that really helped a lot and we can also conclude we
cannot have a secure horizontal loadbalancing with Apache and Tomcat! 

Regards
JKV




Re: Tomcat Https loadbalancing??

Posted by Peter Crowther <pe...@melandra.com>.
2009/11/25 jkv <j....@gmail.com>:
> We are using Tomcat 6.0 and running HTTPS (SSL enabled). The number of
> requests has grown and we have decided to go for clustering and
> load balancing. We have decided to go for Apache and mod_proxy/mod_jk
> load balancing. My certificate resides in Tomcat.
>
> In order to load-balance HTTPS requests using Apache and mod_proxy/mod_jk,
> should I configure Apache to handle HTTPS and tell it about my certificate
> details?

Yes.  Apache has to terminate the SSL connection when you're load balancing.

> While load balancing I understand that an http/https request to Apache is
> converted to AJP and tunneled to Tomcat, so is the AJP protocol secure? Should I
> enable SSL in Tomcat to handle this request?

The AJP protocol is not secure.  It is only used between httpd and
Tomcat.  You should perform some suitable threat modelling of your
system.  If you think the threat from an attacker being able to sniff
packets on the path between httpd and Tomcat is sufficiently low,
leave it unencrypted.  If you think the threat is too high, encrypt it
using some kind of secure tunnel between httpd and Tomcat, such as a
VPN connection.

My guess is that if someone's able to sniff packets on the link
between httpd and Tomcat, you already have a big security issue.

> Should I have two copies of my certificate files if Apache and Tomcat reside
> on two different physical machines (horizontal clustering)?

In this environment, you only want your "public" certificate on httpd.
 Tomcat will not be doing anything that uses it, so don't put a copy
on those machines.

Hope this helps,

- Peter



Re: Tomcat Https loadbalancing??

Posted by André Warnier <aw...@ice-sa.com>.
jkv wrote:
> Hello,
> 
> We are using Tomcat 6.0 and running HTTPS (SSL enabled). The number of
> requests has grown and we have decided to go for clustering and
> load balancing. We have decided to go for Apache and mod_proxy/mod_jk
> load balancing. My certificate resides in Tomcat.
> 
> In order to load-balance HTTPS requests using Apache and mod_proxy/mod_jk,
> should I configure Apache to handle HTTPS and tell it about my certificate
> details?
> 
> While load balancing I understand that an http/https request to Apache is
> converted to AJP and tunneled to Tomcat, so is the AJP protocol secure? Should I
> enable SSL in Tomcat to handle this request?
> 
> Should I have two copies of my certificate files if Apache and Tomcat reside
> on two different physical machines (horizontal clustering)?
> 
> I searched the forums and they are too advanced for my question. I am really
> new to clustering and load balancing and any help is deeply appreciated.
> Thanks in advance.
> 
SSL has a cost, in terms of encrypting/decrypting all communications, in 
terms of bandwidth,  in terms of setup complexity, and in terms of 
maintenance complexity.
So it should be used when necessary, and not otherwise.

If you are using Apache httpd anyway as a front-end, you probably need 
HTTPS between the clients and Apache, because that link goes over 
non-secure connections.

The question is, is the connection between Apache and Tomcat secure?
That is to some extent a relative and/or subjective judgement.
If that connection goes over the Internet also, then it is not secure.
If it goes only over an internal network, then you have to decide if 
that network, for practical purposes, can be termed as secure.
If both Apache and Tomcat are on the same host, then it is already as 
secure as it can be.
Thus if you decide that the Apache/Tomcat connections are secure, 
simplify your life and optimise the efficiency by keeping things simple, 
and handle all SSL stuff at the Apache level.
(I believe that in technical terms, this is called "terminate SSL at the 
Apache level".)

The AJP protocol itself is not secure, in the sense that it does not, by 
itself, encrypt the data it exchanges. It can however, as far as I know, 
be configured to run over an SSL connection, if needed.





Re: Tomcat Https loadbalancing??

Posted by Cyrille Le Clerc <cl...@xebia.fr>.
   Hello David,

> Nice if you've got that sort of money.

I will go further: I feel the price of the famous hardware load
balancers is completely excessive in comparison with the other
components we use in production.
It is very common to see in production small servers (cheap dual x86
processors, cheap Linux, free JVM, free Tomcat/JBoss/Jetty, free
SpringFramework, free Hibernate, ...) and in front of them hardware
load balancers that cost more than 50 K USD.

I feel open source will come to load balancers as it came to operating
systems, application servers or database servers. Products like HA
Proxy are very appealing for inexpensive load balancing; they will fit
many production requirements.

I found interesting docs about inexpensive load balancing:
- "Making applications scalable with Load Balancing" by Willy Tarreau,
the father of HA Proxy
   http://1wt.eu/articles/2006_lb/
- loadbalancing.org FAQ: a provocative opinion
   http://www.loadbalancing.org/

> it is quite cool because you can off-load the https part

Look at Willy Tarreau's "Making applications scalable with Load
Balancing", he offloads SSL for almost free with a neat architecture.

> Personally i prefer mod_proxy_ajp with the balancing as well.

I am preparing a blog post on "AJP versus HTTP" :-) My preference goes
to HTTP because it has always been enough for my needs, even on high
volume web sites; it is standard, network admins know this protocol,
all the network devices can speak it, I can troubleshoot it with telnet
and curl, ... :-)

Cyrille

--
Cyrille Le Clerc
cleclerc@xebia.fr
http://blog.xebia.fr



Re: Tomcat Https loadbalancing??

Posted by David Cassidy <da...@twocats.co.uk>.
Cyrille,

Nice if you've got that sort of money.
It is quite cool because you can off-load the https part
to some custom hardware - again cool if you've got the money.

Personally i prefer mod_proxy_ajp with the balancing as well.

D

On 25/11/09 10:57, Cyrille Le Clerc wrote:
>     Hello,
>
>     As Ronald said, we made some drawings on a  detailed document
> "Tomcat, SSL, secure communications and X-Forwarded-Proto" (1) that
> explains solutions to handle HTTPS at the Tomcat, Apache Httpd and
> Load Balancer layers. The document is written in french but the google
> translation is quite good (2).
>
>     My preference is to use a level 7 load balancer in front of Apache
> httpd servers with mod_proxy_http+mod_proxy_balancer and then Tomcat
> servers. Of course, this topology is not always the best one but is
> very often relevant.
>
>    Hope this helps,
>
>    Cyrille
>
> --
> Cyrille Le Clerc
> cleclerc@xebia.fr
> http://blog.xebia.fr
>
> (1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/
> (2) http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fblog.xebia.fr%2F2009%2F11%2F13%2Ftomcat-ssl-communications-securisees-et-x-forwarded-proto%2F&sl=fr&tl=en
>

Re: Tomcat Https loadbalancing??

Posted by Cyrille Le Clerc <cl...@xebia.fr>.
   Hello,

   As Ronald said, we made some drawings in a detailed document
"Tomcat, SSL, secure communications and X-Forwarded-Proto" (1) that
explains solutions to handle HTTPS at the Tomcat, Apache Httpd and
Load Balancer layers. The document is written in French but the Google
translation is quite good (2).

   My preference is to use a level 7 load balancer in front of Apache
httpd servers with mod_proxy_http+mod_proxy_balancer and then Tomcat
servers. Of course, this topology is not always the best one but is
very often relevant.

  Hope this helps,

  Cyrille

--
Cyrille Le Clerc
cleclerc@xebia.fr
http://blog.xebia.fr

(1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/
(2) http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fblog.xebia.fr%2F2009%2F11%2F13%2Ftomcat-ssl-communications-securisees-et-x-forwarded-proto%2F&sl=fr&tl=en

On Wed, Nov 25, 2009 at 11:45 AM, Ronald Klop
<ro...@base.nl> wrote:
> Always make a drawing.
>
> client -> https -> tcp-loadbalancer -> still same https connection->
> multiple tomcats
>
> client -> https -> http-loadbalancer (Apache, proxy) -> new ajp/http(s)
> connection-> multiple tomcats
>
> Normally the loadbalancer and tomcats are in the same private network. It is
> your choice if that is secure enough. In the end the data is unencrypted in
> the database I guess, so normally you trust your own network.
>
> Ronald.
>
>


Re: Tomcat Https loadbalancing??

Posted by Ronald Klop <ro...@base.nl>.
Always make a drawing.

client -> https -> tcp-loadbalancer -> still same https connection-> multiple tomcats

client -> https -> http-loadbalancer (Apache, proxy) -> new ajp/http(s) connection-> multiple tomcats

Normally the loadbalancer and tomcats are in the same private network. It is your choice if that is secure enough. In the end the data is unencrypted in the database I guess, so normally you trust your own network.

Ronald.


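Ronald's second drawing (httpd terminates HTTPS, then opens a new AJP connection to one of the Tomcats) written out as an httpd virtual host. This is an added example, not configuration from the thread, from httpd or from Tomcat; the host name, certificate paths, backend addresses, balancer name and route names are assumptions:

```apache
# Added example: httpd owns the certificate and terminates TLS; the Tomcats
# only speak AJP on the private network. Names, paths and addresses are assumed.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/www.example.com.key
    SSLCertificateChainFile /etc/httpd/ssl/intermediate.crt

    # mod_proxy_ajp flags the forwarded request as SSL, so Tomcat's
    # request.isSecure() stays true. The header is for the case where the
    # members are switched to http:// (mod_proxy_http); it needs mod_headers.
    RequestHeader set X-Forwarded-Proto "https"

    # route= must equal jvmRoute on the matching Tomcat <Engine>, so that the
    # ".tomcat1" suffix on JSESSIONID pins a session to the node that owns it.
    <Proxy balancer://tomcats>
        BalancerMember ajp://10.0.0.11:8009 route=tomcat1
        BalancerMember ajp://10.0.0.12:8009 route=tomcat2
        ProxySet stickysession=JSESSIONID|jsessionid
    </Proxy>
    ProxyPass        / balancer://tomcats/
    ProxyPassReverse / balancer://tomcats/
</VirtualHost>
```

On each Tomcat, drop the HTTPS connector (the certificate is not needed there) and keep only the AJP connector, bound to the private interface instead of the default of every interface, e.g. `<Connector port="8009" protocol="AJP/1.3" address="10.0.0.11" />`, with `jvmRoute="tomcat1"` on `<Engine>`. The AJP connector also accepts a shared secret (the attribute is `requiredSecret` in Tomcat 7 and `secret` in current releases; check the AJP connector reference for the exact name in the 6.0.x build in use) that mod_jk sends from `worker.<name>.secret`; mod_proxy_ajp only gained a matching `secret=` member parameter in httpd 2.4.42, so with an older mod_proxy_ajp the bind address and the firewall between the two segments are what keep other hosts off the cleartext AJP port.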


RE: Tomcat Https loadbalancing??

Posted by Darren Kukulka <Da...@connaught.plc.uk>.
We use network appliances that sit above Apache Web Server and take
care of all SSL encryption/decryption.

This ensures all border<->client communication is secured whilst traffic
within our estate is purely http/ajp.  The level of security in our
virtual circuits and inter-segment firewalls ensures we can limit
traffic to what source/destinations should be involved, as well as
provide a quality of service.

This configuration also removes any potential overhead on the Web
Server / App Server associated with SSL processing.



Re: Tomcat Https loadbalancing??

Posted by Pid <pi...@pidster.com>.
On 25/11/2009 11:03, David Cassidy wrote:
> Pid,
>
> there is no need to have a commercial grade cert between your httpd and
> tomcat
> as that's in essence a private comms channel between your 2 servers; the
> client won't know / see / care
>
> Use a self-signed one - as long as httpd has your cert all should be well

That's not what I meant.  I was, perhaps imprecisely, referring to the 
need for multiple licenses if the OP did decide to pass SSL through to 
Tomcat.


p




Re: Tomcat Https loadbalancing??

Posted by David Cassidy <da...@twocats.co.uk>.
Pid,

there is no need to have a commercial grade cert between your httpd and 
tomcat
as that's in essence a private comms channel between your 2 servers; the 
client won't know / see / care

Use a self-signed one - as long as httpd has your cert all should be well

D

On 25/11/09 10:32, Pid wrote:
> Note: you'll probably need more cert licenses, if they're commercial 
> ones, if you're deploying the cert on multiple Tomcats rather than on 
> one HTTPD.
>
> p

Re: Tomcat Https loadbalancing??

Posted by Pid <pi...@pidster.com>.
On 25/11/2009 10:28, jkv wrote:
>
> Thanks David,
>
>> I would imagine that with mod_proxy you could load balance https requests
>> so that the https request goes to httpd then it's load balanced between
>> https requests to
>> multiple tomcats. What you'll lose over the ajp protocol I'm sure
>> someone will let us know
>
> That sounds good but when the https request hits Apache the certificate will be
> issued by the server to the client; now when this is again sent as an https
> request to tomcat, which will again try issuing a certificate (I guess as
> this is a protocol standard), I don't know whether this will affect the
> client ->  getting two certificates for a single https request??
>
> Has anybody done this before???
>
>
>
> David Cassidy wrote:
>>
>> Hey
>>
>> Yes, if you want httpd to load balance https requests you do need it to
>> handle the https connection - and hence it needs the keys, certs etc
>>
>> Sadly the ajp protocol is in fact insecure:
>> if you have the httpd and tomcat on separate boxes you do have a
>> security issue
>> as the connection is transporting data in the clear.
>>
>> I would imagine that with mod_proxy you could load balance https requests
>> so that the https request goes to httpd then it's load balanced between
>> https requests to
>> multiple tomcats. What you'll lose over the ajp protocol I'm sure
>> someone will let us know

Note: you'll probably need more cert licenses, if they're commercial 
ones, if you're deploying the cert on multiple Tomcats rather than on 
one HTTPD.


p




Re: Tomcat Https loadbalancing??

Posted by jkv <j....@gmail.com>.
Thanks David,

> I would imagine that with mod_proxy you could load balance https requests
> so that the https request goes to httpd then it's load balanced between 
> https requests to
> multiple tomcats. What you'll lose over the ajp protocol I'm sure 
> someone will let us know

That sounds good but when the https request hits Apache the certificate will be
issued by the server to the client; now when this is again sent as an https
request to tomcat, which will again try issuing a certificate (I guess as
this is a protocol standard), I don't know whether this will affect the
client -> getting two certificates for a single https request?? 

Has anybody done this before???




Re: Tomcat Https loadbalancing??

Posted by David Cassidy <da...@twocats.co.uk>.
Hey

Yes, if you want httpd to load balance https requests you do need it to
handle the https connection - and hence it needs the keys, certs etc

Sadly the ajp protocol is in fact insecure:
if you have the httpd and tomcat on separate boxes you do have a 
security issue
as the connection is transporting data in the clear.

I would imagine that with mod_proxy you could load balance https requests
so that the https request goes to httpd then it's load balanced between 
https requests to
multiple tomcats. What you'll lose over the ajp protocol I'm sure 
someone will let us know

Hope this helps

D


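David's point above that AJP carries the request in the clear, as an added example that is not code from the thread or from Tomcat: a small encoder and decoder for the AJP13 "Forward Request" packet that httpd sends to Tomcat for each proxied request. Encoding a request shows the session cookie as literal bytes in the packet; decoding it shows the `is_ssl` flag through which Tomcat learns that the client side was HTTPS, and the optional `secret` attribute that Tomcat checks when its AJP connector is configured to require one (the `required_secret` parameter imitates that check). The sample request, host names, addresses and secret value are constructed for the example.

```python
import struct

AJP_MAGIC = b"\x12\x34"          # proxy -> container packets start with 0x1234
FORWARD_REQUEST = 0x02
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHODS.items()}
# Frequent header names travel as two-byte codes (0xA0xx); any other name is a string.
HEADER_CODES = {"accept": 0xA001, "authorization": 0xA005, "content-type": 0xA007,
                "content-length": 0xA008, "cookie": 0xA009, "host": 0xA00B,
                "referer": 0xA00D, "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
              0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
              0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method"}
ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE, ATTR_TERMINATOR = 0x0A, 0x0B, 0xFF

def _string(s):
    """AJP string: 2-byte length, the bytes, a NUL; an absent string is 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def encode_forward_request(method, uri, remote_addr, server_name, server_port,
                           is_ssl, headers, query=None, secret=None):
    """Build the packet the proxy sends for one request; headers is [(name, value)]."""
    body = bytes([FORWARD_REQUEST, METHODS[method]])
    body += _string("HTTP/1.1") + _string(uri) + _string(remote_addr)
    body += _string(None) + _string(server_name)        # remote_host (unset), server_name
    body += struct.pack(">H", server_port) + bytes([1 if is_ssl else 0])
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else _string(name)
        body += _string(value)                          # values are always plain text
    if query is not None:
        body += bytes([0x05]) + _string(query)
    if secret is not None:
        body += bytes([0x0C]) + _string(secret)         # what mod_jk's worker "secret" sends
    body += bytes([ATTR_TERMINATOR])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def raw(self, n):                                   # n bytes, then the NUL terminator
        chunk = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n + 1
        return chunk
    def string(self):
        n = self.u16()
        return None if n == 0xFFFF else self.raw(n)

def decode_forward_request(packet, required_secret=None):
    """Parse as the container would; refuse the request if a required secret is absent."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("not an AJP packet")
    r = _Reader(packet[4:4 + struct.unpack(">H", packet[2:4])[0]])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[r.byte()], "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.u16(), "is_ssl": r.byte() == 1, "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        first = r.u16()                                 # a header code or a string length
        name = HEADER_NAMES[first] if (first & 0xFF00) == 0xA000 else r.raw(first)
        req["headers"][name.lower()] = r.string()
    while (code := r.byte()) != ATTR_TERMINATOR:
        if code == ATTR_REQ_ATTRIBUTE:
            req["attributes"][r.string()] = r.string()
        elif code == ATTR_SSL_KEY_SIZE:
            req["attributes"]["ssl_key_size"] = r.u16()
        else:
            req["attributes"][ATTR_NAMES[code]] = r.string()
    # The container-side check behind Tomcat's AJP shared-secret connector setting.
    if required_secret is not None and req["attributes"].get("secret") != required_secret:
        raise PermissionError("AJP request rejected: secret missing or wrong")
    return req

def visible_on_the_wire(packet, needle):
    """True if needle (say, a session cookie) appears verbatim in the packet bytes."""
    return needle.encode("utf-8") in packet

if __name__ == "__main__":   # constructed sample: httpd forwarding after terminating HTTPS
    pkt = encode_forward_request("GET", "/app/account", "203.0.113.7", "www.example.com", 443,
                                 True, [("Cookie", "JSESSIONID=1A2B3C.tomcat1")], secret="change-me")
    print(visible_on_the_wire(pkt, "JSESSIONID=1A2B3C"), decode_forward_request(pkt, "change-me"))
```

Anyone who can sniff the segment between httpd and Tomcat, or connect to the AJP port directly, sees exactly what this encoder produced, cookie included; the secret only stops unauthenticated peers from submitting requests, it does not hide anything.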