Posted to users@tomcat.apache.org by Anthony Bonafide <bo...@gmail.com> on 2014/11/04 17:47:39 UTC

SSL acceleration

Hello All,

I am using a third party load balancer which accepts HTTPS connections,
decrypts them and sends the unencrypted connection to Tomcat (SSL
Acceleration). I am currently using Tomcat 5 and I am in the process of
upgrading to Tomcat 7. I am having an issue setting up Tomcat 7 to accept
the connections from my load balancer. In Tomcat 5 I have the 2 connectors
set up as so with everything working:

<Connector port="8080" maxHttpHeaderSize="8192" maxPostSize="512000"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

<Connector port="8081" maxHttpHeaderSize="8192" maxPostSize="512000"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8444" acceptCount="100"
               connectionTimeout="20000" scheme="https" proxyPort="443"
               disableUploadTimeout="true" />


The load balancer sends unencrypted HTTPS traffic to Tomcat via port 8081.
This setup is in place now with the current setup so the client does not
have HTTPS changed to HTTP during a session, due to Tomcat thinking the
HTTPS connection is unencrypted and it should be changed to HTTP. There is
no keystore or certs used by Tomcat; all certs are placed on the load
balancer.

During setup of Tomcat 7 I copied the previous connector setup. Resolving
the following URLs I get the following responses respectively (I get the
same results with my currently working Tomcat 5 setup):

https://localhost:8081/ - Secure connection fails
http://localhost:8081/ - Apache Tomcat 7.0.56 page showing that everything
works.

My settings for tomcat 7 are:

 <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />


   <Connector port="8081" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="false" scheme="https"
               secure="true"
               clientAuth="false" sslProtocol="TLS" proxyPort="443"/>


I was wondering if there is a way to set up Tomcat 7 to accept the
unencrypted request (SSL Acceleration) from the load balancer, process the
request and send back a response without changing the scheme to HTTP?

Also as expected my load balancer is not able to establish a connection
with Tomcat7 over HTTPS port 8081.

Any advice would be greatly appreciated.

Thank you,


Anthony Bonafide

Re: SSL acceleration

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Daniel,

On 11/4/14 12:02 PM, Daniel Mikusa wrote:
> On Tue, Nov 4, 2014 at 11:47 AM, Anthony Bonafide <bonafideanthony@gmail.com> wrote:
> 
>> Hello All,
>> 
>> I am using a third party load balancer which accepts HTTPS
>> connections, decrypts them and sends the unencrypted connection
>> to Tomcat (SSL Acceleration). I am currently using Tomcat 5 and I
>> am in the process of upgrading to Tomcat 7. I am having an issue
>> setting up Tomcat 7 to accept the connections from my load
>> balancer. In Tomcat 5 I have the 2 connectors set up as so with
>> everything working:
>> 
>> <Connector port="8080" maxHttpHeaderSize="8192"
>> maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" redirectPort="8443"
>> acceptCount="100" connectionTimeout="20000"
>> disableUploadTimeout="true" />
>> 
>> <Connector port="8081" maxHttpHeaderSize="8192"
>> maxPostSize="512000" maxThreads="150" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" redirectPort="8444"
>> acceptCount="100" connectionTimeout="20000" scheme="https"
>> proxyPort="443" disableUploadTimeout="true" />
>> 
>> 
>> The load balancer sends unencrypted HTTPS traffic to Tomcat via
>> port 8081. This setup is in place now with the current setup so
>> the client does not have HTTPS changed to HTTP during a session,
>> due to Tomcat thinking the HTTPS connection is unencrypted and it
>> should be changed to HTTP. There is no keystore or certs used by
>> Tomcat; all certs are placed on the load balancer.
>> 
>> During setup of Tomcat 7 I copied the previous connector setup.
>> Resolving the following URLs I get the following responses
>> respectively (I get the same results with my currently working
>> Tomcat 5 setup):
>> 
>> https://localhost:8081/ - Secure connection fails 
>> http://localhost:8081/ - Apache Tomcat 7.0.56 page showing that
>> everything works.
>> 
>> My settings for tomcat 7 are:
>> 
>> <Connector port="8080" protocol="HTTP/1.1" 
>> connectionTimeout="20000" redirectPort="8443" />
>> 
>> 
>> <Connector port="8081" protocol="HTTP/1.1" maxThreads="150"
>> SSLEnabled="false" scheme="https" secure="true" 
>> clientAuth="false" sslProtocol="TLS" proxyPort="443"/>
>> 
>> 
>> I was wondering if there is a way to set up Tomcat 7 to accept
>> the unencrypted request (SSL Acceleration) from the load balancer,
>> process the request and send back a response without changing the
>> scheme to HTTP?
>> 
>> Also as expected my load balancer is not able to establish a
>> connection with Tomcat7 over HTTPS port 8081.
>> 
>> Any advice would be greatly appreciated.
>> 
> 
> If your load balancer is terminating SSL and properly setting 
> "X-Forwarded-*" headers you can probably get away with one
> connector for HTTP traffic and the RemoteIpValve.  The valve will
> use the X-Forwarded-* headers to modify the request object so that
> your apps can see if the request came in over SSL.
> 
> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

+1

Another thing you need to do is to set scheme="https" /and/
secure="true" on the <Connector>, otherwise Tomcat will try to
redirect until it gets a connection on a "secure" connector.

FYI the "redirectPort" configuration looks a little insane to me. I
think you want redirectPort="443" in all cases.

-chris



Re: SSL acceleration

Posted by Daniel Mikusa <dm...@pivotal.io>.
On Tue, Nov 4, 2014 at 11:47 AM, Anthony Bonafide <bonafideanthony@gmail.com> wrote:

> Hello All,
>
> I am using a third party load balancer which accepts HTTPS connections,
> decrypts them and sends the unencrypted connection to Tomcat (SSL
> Acceleration). I am currently using Tomcat 5 and I am in the process of
> upgrading to Tomcat 7. I am having an issue setting up Tomcat 7 to accept
> the connections from my load balancer. In Tomcat 5 I have the 2 connectors
> set up as so with everything working:
>
> <Connector port="8080" maxHttpHeaderSize="8192" maxPostSize="512000"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8443" acceptCount="100"
>                connectionTimeout="20000" disableUploadTimeout="true" />
>
> <Connector port="8081" maxHttpHeaderSize="8192" maxPostSize="512000"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8444" acceptCount="100"
>                connectionTimeout="20000" scheme="https" proxyPort="443"
> disableUploadTimeout="true" />
>
>
> The load balancer sends unencrypted HTTPS traffic to Tomcat via port 8081.
> This setup is in place now with the current setup so the client does not
> have HTTPS changed to HTTP during a session, due to Tomcat thinking the
> HTTPS connection is unencrypted and it should be changed to HTTP. There is
> no keystore or certs used by Tomcat; all certs are placed on the load
> balancer.
>
> During setup of Tomcat 7 I copied the previous connector setup. Resolving
> the following URLs I get the following responses respectively (I get the
> same results with my currently working Tomcat 5 setup):
>
> https://localhost:8081/ - Secure connection fails
> http://localhost:8081/ - Apache Tomcat 7.0.56 page showing that everything
> works.
>
> My settings for tomcat 7 are:
>
>  <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
>
>
>    <Connector port="8081" protocol="HTTP/1.1"
>                maxThreads="150" SSLEnabled="false" scheme="https"
> secure="true"
>                clientAuth="false" sslProtocol="TLS" proxyPort="443"/>
>
>
> I was wondering if there is a way to set up Tomcat 7 to accept the
> unencrypted request (SSL Acceleration) from the load balancer, process the
> request and send back a response without changing the scheme to HTTP?
>
> Also as expected my load balancer is not able to establish a connection
> with Tomcat7 over HTTPS port 8081.
>
> Any advice would be greatly appreciated.
>

If your load balancer is terminating SSL and properly setting
"X-Forwarded-*" headers you can probably get away with one connector for
HTTP traffic and the RemoteIpValve.  The valve will use the X-Forwarded-*
headers to modify the request object so that your apps can see if the
request came in over SSL.

   http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

Dan
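Putting Dan's and Chris's replies together, here is a constructed server.xml fragment (added here; it is not from the thread or from the Tomcat project) showing the two ways to keep the scheme at https behind a TLS-terminating load balancer: a connector whose scheme/secure are fixed, and a single plain-HTTP connector plus the RemoteIpValve driven by X-Forwarded-Proto. The load balancer address 10.0.0.5 and the exact X-Forwarded-* header names it sends are assumptions.

```xml
<!-- Option A: the port-8081 connector only ever receives traffic that the
     load balancer has already decrypted, so tell Tomcat every request on it
     is secure. No keystore is needed because SSLEnabled stays false. -->
<Connector port="8081" protocol="HTTP/1.1"
           connectionTimeout="20000"
           scheme="https" secure="true"
           proxyPort="443" redirectPort="443" />

<!-- Option B: one plain HTTP connector for everything; the RemoteIpValve
     decides per request whether it arrived over TLS, based on the
     X-Forwarded-Proto header the load balancer sets. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Engine name="Catalina" defaultHost="localhost">
  <!-- internalProxies restricts which peers may set the X-Forwarded-*
       headers. 10.0.0.5 is an assumed load balancer address; a request
       that reaches Tomcat directly from any other address keeps its real
       scheme and client IP, so a client cannot send
       "X-Forwarded-Proto: https" itself and have Tomcat treat a plain
       request as secure. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="10\.0\.0\.5"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpServerPort="80"
         httpsServerPort="443" />

  <Host name="localhost" appBase="webapps" />
</Engine>
```

In both options the load balancer must forward plain HTTP to the connector port; neither connector speaks TLS, which is why an HTTPS attempt against 8081 fails. With option B, check request.isSecure() in the application after deployment to confirm the valve is recognising the load balancer.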