Re: Tomcat Https loadbalancing??
Chris, You're right - nice one. I'd always put in the extra properties into my connector config the proxyport , redirect port whether it was secure or not. but it works as you described if you don't tell it all the extra settings. Nice thanks D On 02/12/09 21:29, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 11/25/2009 6:06 AM, David Cassidy wrote: If you want your tomcat to ever know that its getting a secure request you'll need 2 ajp connectors - one as the default is not secure the other needs to say i'm secure otherwise when you do a transport-guarantee in your web.xml your client will be in an infinite loop as tomcat never sees a secure request I call BS on this one: the AJP protocol can indicate whether a particular request is secure or not: the use of two AJP connectors is certainly not required. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksW3EsACgkQ9CaO5/Lv0PAN9wCfdXpMwAdvSiQRaWe0ptpDwogl o9AAoI4p/4P+4jKHS6lqlPpBoZmdXwo+ =kMRn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
It would be interesting if you are running on non-standard ports (ie not 80 and 443 ) to see what happens D On 03/12/09 13:40, David Cassidy wrote: Chris, You're right - nice one. I'd always put in the extra properties into my connector config the proxyport , redirect port whether it was secure or not. but it works as you described if you don't tell it all the extra settings. Nice thanks D On 02/12/09 21:29, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 11/25/2009 6:06 AM, David Cassidy wrote: If you want your tomcat to ever know that its getting a secure request you'll need 2 ajp connectors - one as the default is not secure the other needs to say i'm secure otherwise when you do a transport-guarantee in your web.xml your client will be in an infinite loop as tomcat never sees a secure request I call BS on this one: the AJP protocol can indicate whether a particular request is secure or not: the use of two AJP connectors is certainly not required. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksW3EsACgkQ9CaO5/Lv0PAN9wCfdXpMwAdvSiQRaWe0ptpDwogl o9AAoI4p/4P+4jKHS6lqlPpBoZmdXwo+ =kMRn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 12/3/2009 8:42 AM, David Cassidy wrote: It would be interesting if you are running on non-standard ports (ie not 80 and 443 ) to see what happens I do that, and it works just fine. AJP doesn't use the proxyPort stuff because the HTTP port isn't being changed. All that is necessary if you are using mod_proxy_http because the HTTP port often changes between Apache httpd (listening on port 80 to the outside world) and Tomcat (listening to, say, 8080 only to the internal network). In this case, Tomcat is convinced that the real port number being used is 8080 and would return URLs to the client using :8080 appended to them. Without using proxyName and proxyPort, Tomcat might return bad URLs to the user. The 'secure' attribute is necessary, here, if you are terminating SSL somewhere else but still consider the (non-encrypted) HTTP connection going to Tomcat to be secure. The AJP connector does in fact have proxyName and proxyPort attributes available, but I believe they are either superfluous, or auto-filled by the incoming HTTP request, anyway. In both cases, the default redirectPort is 443. I think if you are using HTTP connectors, your claim is true: to support both secure and non-secure channels where both channels are actually non-secure HTTP, you'll need two Connectors: one with secure=true and one with secure=false (or unspecified, and it defaults to false). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksXzfYACgkQ9CaO5/Lv0PAGYwCgkwzr/s+M50PG1qnXDECwcZdq HK8An0chpHBpxTMpi5awXScqpAtR5OHk =GWlN -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Some of this is also explained in http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html On 03.12.2009 15:40, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 12/3/2009 8:42 AM, David Cassidy wrote: It would be interesting if you are running on non-standard ports (ie not 80 and 443 ) to see what happens I do that, and it works just fine. AJP doesn't use the proxyPort stuff because the HTTP port isn't being changed. All that is necessary if you are using mod_proxy_http because the HTTP port often changes between Apache httpd (listening on port 80 to the outside world) and Tomcat (listening to, say, 8080 only to the internal network). In this case, Tomcat is convinced that the real port number being used is 8080 and would return URLs to the client using :8080 appended to them. Without using proxyName and proxyPort, Tomcat might return bad URLs to the user. The 'secure' attribute is necessary, here, if you are terminating SSL somewhere else but still consider the (non-encrypted) HTTP connection going to Tomcat to be secure. The AJP connector does in fact have proxyName and proxyPort attributes available, but I believe they are either superfluous, or auto-filled by the incoming HTTP request, anyway. In both cases, the default redirectPort is 443. I think if you are using HTTP connectors, your claim is true: to support both secure and non-secure channels where both channels are actually non-secure HTTP, you'll need twoConnectors: one with secure=true and one with secure=false (or unspecified, and it defaults to false). - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksXzfYACgkQ9CaO5/Lv0PAGYwCgkwzr/s+M50PG1qnXDECwcZdq HK8An0chpHBpxTMpi5awXScqpAtR5OHk =GWlN -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David, On 11/25/2009 6:06 AM, David Cassidy wrote: If you want your tomcat to ever know that its getting a secure request you'll need 2 ajp connectors - one as the default is not secure the other needs to say i'm secure otherwise when you do a transport-guarantee in your web.xml your client will be in an infinite loop as tomcat never sees a secure request I call BS on this one: the AJP protocol can indicate whether a particular request is secure or not: the use of two AJP connectors is certainly not required. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksW3EsACgkQ9CaO5/Lv0PAN9wCfdXpMwAdvSiQRaWe0ptpDwogl o9AAoI4p/4P+4jKHS6lqlPpBoZmdXwo+ =kMRn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Hope this helps D On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv
Re: Tomcat Https loadbalancing??
2009/11/25 jkv j.kumara...@gmail.com: We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? Yes. Apache has to terminate the SSL connection when you're load balancing. While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? The AJP protocol is not secure. It is only used between httpd and Tomcat. You should perform some suitable threat modelling of your system. If you think the threat from an attacker being able to sniff packets on the path between httpd and Tomcat is sufficiently low, leave it unencrypted. If you think the threat is too high, encrypt it using some kind of secure tunnel between httpd and Tomcat, such as a VPN connection. My guess is that if someone's able to sniff packets on the link between httpd and Tomcat, you already have a big security issue. Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? In this environment, you only want your public certificate on httpd. Tomcat will not be doing anything that uses it, so don't put a copy on those machines. Hope this helps, - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Thanks Peter, That really helps me a lot. I got one small doubt in the last point that you said. In this environment, you only want your public certificate on httpd. Tomcat will not be doing anything that uses it, so don't put a copy on those machines. this means that I will not enable SSL in my tomcat.. I will comment !-- Connector port=443 protocol=HTTP/1.1 SSLEnabled=true -- tag totally from server.xml file in tomcat and have just one connetor element i.e., Connector port=8009 protocol=AJP/1.3 redirectPort=443 / I think I will have to remove the redirectPort=443 attribute also?? as its been handled for me by Apache. Thanks for the reply, that really helped a lot and we can also conclude we cannot have a secure horizontal loadbalancing with Apache and Tomcat! Regards JKV Peter Crowther wrote: 2009/11/25 jkv j.kumara...@gmail.com: We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? Yes. Apache has to terminate the SSL connection when you're load balancing. While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? The AJP protocol is not secure. It is only used between httpd and Tomcat. You should perform some suitable threat modelling of your system. If you think the threat from an attacker being able to sniff packets on the path between httpd and Tomcat is sufficiently low, leave it unencrypted. If you think the threat is too high, encrypt it using some kind of secure tunnel between httpd and Tomcat, such as a VPN connection. My guess is that if someone's able to sniff packets on the link between httpd and Tomcat, you already have a big security issue. Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? In this environment, you only want your public certificate on httpd. Tomcat will not be doing anything that uses it, so don't put a copy on those machines. Hope this helps, - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26510331.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
On 25/11/2009 10:18, jkv wrote: Thanks Peter, That really helps me a lot. I got one small doubt in the last point that you said. In this environment, you only want your public certificate on httpd. Tomcat will not be doing anything that uses it, so don't put a copy on those machines. this means that I will not enable SSL in my tomcat.. I will comment !--Connector port=443 protocol=HTTP/1.1 SSLEnabled=true -- tag totally from server.xml file in tomcat and have just one connetor element i.e., Connector port=8009 protocol=AJP/1.3 redirectPort=443 / I think I will have to remove the redirectPort=443 attribute also?? as its been handled for me by Apache. The redirectPort setting should stay, but HTTPD will still handle the connection. (If you remove the setting it'll probably just default to a 443 anyway.) It is used by Tomcat when a web.xml contains a transport-guarantee is set to CONFIDENTIAL, to redirect upgrade the connection. p Thanks for the reply, that really helped a lot and we can also conclude we cannot have a secure horizontal loadbalancing with Apache and Tomcat! Regards JKV Peter Crowther wrote: 2009/11/25 jkvj.kumara...@gmail.com: We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? Yes. Apache has to terminate the SSL connection when you're load balancing. While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? The AJP protocol is not secure. It is only used between httpd and Tomcat. You should perform some suitable threat modelling of your system. If you think the threat from an attacker being able to sniff packets on the path between httpd and Tomcat is sufficiently low, leave it unencrypted. If you think the threat is too high, encrypt it using some kind of secure tunnel between httpd and Tomcat, such as a VPN connection. My guess is that if someone's able to sniff packets on the link between httpd and Tomcat, you already have a big security issue. Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? In this environment, you only want your public certificate on httpd. Tomcat will not be doing anything that uses it, so don't put a copy on those machines. Hope this helps, - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Thanks David, I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know That sounds good but when https request hits Apache the certificate will be issued by the server to the client, now when this is again sent as https request to tomcat, which will again try issuing a certificate (I guess as this is a protocol standard), I dont know whether will this affect the client - getting two certificates for a single https request?? Has any body done this before??? David Cassidy wrote: Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Hope this helps D On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26510458.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
On 25/11/2009 10:28, jkv wrote: Thanks David, I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know That sounds good but when https request hits Apache the certificate will be issued by the server to the client, now when this is again sent as https request to tomcat, which will again try issuing a certificate (I guess as this is a protocol standard), I dont know whether will this affect the client - getting two certificates for a single https request?? Has any body done this before??? David Cassidy wrote: Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Note: you'll probably need more cert licenses, if they're commercial ones, if you're deploying the cert on multiple Tomcats rather than on one HTTPD. p On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
2009/11/25 jkv j.kumara...@gmail.com: I got one small doubt in the last point that you said. In this environment, you only want your public certificate on httpd. Tomcat will not be doing anything that uses it, so don't put a copy on those machines. this means that I will not enable SSL in my tomcat.. I will comment !-- Connector port=443 protocol=HTTP/1.1 SSLEnabled=true -- tag totally from server.xml file in tomcat and have just one connetor element i.e., Connector port=8009 protocol=AJP/1.3 redirectPort=443 / Certainly you only need the AJP connector, as Tomcat will never be handling http or https requests. Thanks for the reply, that really helped a lot and we can also conclude we cannot have a secure horizontal loadbalancing with Apache and Tomcat! Depends what you mean by secure, as the level of security is relative, not absolute. There are more moving parts to secure, but it's possible to secure all of them to a reasonable standard. No system is *ever* 100% secure from attack, even if it's 100 metres underground, powered by its own generator, no network, Faraday-shielded, has a division of armed guards protecting its bunker and has self-destruct systems built in. It just depends how much the attacker wants your data, and therefore what resource (s)he is willing to commit to acquiring them. - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Always make a drawing. client - https - tcp-loadbalancer - still same https connection- multiple tomcats client - https - http-loadbalancer (Apache, proxy) - new ajp/http(s) connection- multiple tomcats Normally the loadbalancer and tomcats are in the same private network. It is your choice if that is secure enough. In the end the data is unencrypted in the database I guess, so normally you trust your own network. Ronald. Op woensdag, 25 november 2009 10:18 schreef jkv j.kumara...@gmail.com: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26509573.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Hello, As Ronald said, we made some drawings on a detailed document Tomcat, SSL, secure communications and X-Forwarded-Proto (1) that explains solutions to handle HTTPS at the Tomcat, Apache Httpd and Load Balancer layers. The document is written in french but the google translation is quite good (2). My preference is to use a level 7 load balancer in front of Apache httpd servers with mod_proxy_http+mod_proxy_balancer and then Tomcat servers. Of course, this topology is not always the best one but is very often relevant. Hope this helps, Cyrille -- Cyrille Le Clerc clecl...@xebia.fr http://blog.xebia.fr (1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/ (2) http://translate.google.com/translate?js=yprev=_thl=enie=UTF-8u=http%3A%2F%2Fblog.xebia.fr%2F2009%2F11%2F13%2Ftomcat-ssl-communications-securisees-et-x-forwarded-proto%2Fsl=frtl=en On Wed, Nov 25, 2009 at 11:45 AM, Ronald Klop ronald-mailingl...@base.nl wrote: Always make a drawing. client - https - tcp-loadbalancer - still same https connection- multiple tomcats client - https - http-loadbalancer (Apache, proxy) - new ajp/http(s) connection- multiple tomcats Normally the loadbalancer and tomcats are in the same private network. It is your choice if that is secure enough. In the end the data is unencrypted in the database I guess, so normally you trust your own network. Ronald. Op woensdag, 25 november 2009 10:18 schreef jkv j.kumara...@gmail.com: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26509573.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Pid, there is no need to have a commercial grade cert between your httpd and tomcat as thats in essence a private comms channel between your 2 servers the client won't know / see / care Use a self sign - as long as httpd has your cert all should be well D On 25/11/09 10:32, Pid wrote: On 25/11/2009 10:28, jkv wrote: Thanks David, I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know That sounds good but when https request hits Apache the certificate will be issued by the server to the client, now when this is again sent as https request to tomcat, which will again try issuing a certificate (I guess as this is a protocol standard), I dont know whether will this affect the client - getting two certificates for a single https request?? Has any body done this before??? David Cassidy wrote: Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Note: you'll probably need more cert licenses, if they're commercial ones, if you're deploying the cert on multiple Tomcats rather than on one HTTPD. p On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
On 25/11/09 10:36, Peter Crowther wrote: 2009/11/25 jkvj.kumara...@gmail.com: I got one small doubt in the last point that you said. In this environment, you only want your public certificate on httpd. Tomcat will not be doing anything that uses it, so don't put a copy on those machines. this means that I will not enable SSL in my tomcat.. I will comment !--Connector port=443 protocol=HTTP/1.1 SSLEnabled=true -- tag totally from server.xml file in tomcat and have just one connetor element i.e., Connector port=8009 protocol=AJP/1.3 redirectPort=443 / Certainly you only need the AJP connector, as Tomcat will never be handling http or https requests. If you want your tomcat to ever know that its getting a secure request you'll need 2 ajp connectors - one as the default is not secure the other needs to say i'm secure otherwise when you do a transport-guarantee in your web.xml your client will be in an infinite loop as tomcat never sees a secure request Thanks for the reply, that really helped a lot and we can also conclude we cannot have a secure horizontal loadbalancing with Apache and Tomcat! Depends what you mean by secure, as the level of security is relative, not absolute. There are more moving parts to secure, but it's possible to secure all of them to a reasonable standard. No system is *ever* 100% secure from attack, even if it's 100 metres underground, powered by its own generator, no network, Faraday-shielded, has a division of armed guards protecting its bunker and has self-destruct systems built in. It just depends how much the attacker wants your data, and therefore what resource (s)he is willing to commit to acquiring them. - Peter - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Cyrille, Nice if you've got that sort of money. it is quite cool because you can off-load the https part so some custom hardware - again cool if you've got the money Personally i prefer mod_proxy_ajp with the balancing as well. D On 25/11/09 10:57, Cyrille Le Clerc wrote: Hello, As Ronald said, we made some drawings on a detailed document Tomcat, SSL, secure communications and X-Forwarded-Proto (1) that explains solutions to handle HTTPS at the Tomcat, Apache Httpd and Load Balancer layers. The document is written in french but the google translation is quite good (2). My preference is to use a level 7 load balancer in front of Apache httpd servers with mod_proxy_http+mod_proxy_balancer and then Tomcat servers. Of course, this topology is not always the best one but is very often relevant. Hope this helps, Cyrille -- Cyrille Le Clerc clecl...@xebia.fr http://blog.xebia.fr (1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/ (2) http://translate.google.com/translate?js=yprev=_thl=enie=UTF-8u=http%3A%2F%2Fblog.xebia.fr%2F2009%2F11%2F13%2Ftomcat-ssl-communications-securisees-et-x-forwarded-proto%2Fsl=frtl=en On Wed, Nov 25, 2009 at 11:45 AM, Ronald Klop ronald-mailingl...@base.nl wrote: Always make a drawing. client - https - tcp-loadbalancer - still same https connection- multiple tomcats client - https - http-loadbalancer (Apache, proxy) - new ajp/http(s) connection- multiple tomcats Normally the loadbalancer and tomcats are in the same private network. It is your choice if that is secure enough. In the end the data is unencrypted in the database I guess, so normally you trust your own network. Ronald. Op woensdag, 25 november 2009 10:18 schreef jkvj.kumara...@gmail.com: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26509573.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat Https loadbalancing??
We use network appliances that sit above Apache Web Server and takes care of all SSL encryption/decryption. This ensures all border-client communication is secured whilst traffic within our estate is purely http/ajp. The level of security in our virtual circuits and inter-segment firewalls ensures we can limit traffic to what source/destinations should be involved, as well as provide a quality of service. This configuration also removes away any potential overheads on Web Server / App Server associated with SSL processing. -Original Message- From: jkv [mailto:j.kumara...@gmail.com] Sent: 25 November 2009 10:28 To: users@tomcat.apache.org Subject: Re: Tomcat Https loadbalancing?? Thanks David, I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know That sounds good but when https request hits Apache the certificate will be issued by the server to the client, now when this is again sent as https request to tomcat, which will again try issuing a certificate (I guess as this is a protocol standard), I dont know whether will this affect the client - getting two certificates for a single https request?? Has any body done this before??? David Cassidy wrote: Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Hope this helps D On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26510458.h tml Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Connaught plc is a FTSE 250 company. We are the UK's leading provider of integrated services operating in the compliance, social housing and public sector markets. Please visit our website to see a full list of Connaught's Registered Companies www.connaught.plc.uk/group/aboutconnaught/registeredcompanies Disclaimer: The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete this message. Connaught plc, Head Office 01392 444546 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
On 25/11/2009 11:03, David Cassidy wrote: Pid, there is no need to have a commercial grade cert between your httpd and tomcat as thats in essence a private comms channel between your 2 servers the client won't know / see / care Use a self sign - as long as httpd has your cert all should be well That's not what I meant. I was, perhaps imprecisely, referring to the need for multiple licenses if the OP did decide to pass SSL through to Tomcat. p D On 25/11/09 10:32, Pid wrote: On 25/11/2009 10:28, jkv wrote: Thanks David, I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know That sounds good but when https request hits Apache the certificate will be issued by the server to the client, now when this is again sent as https request to tomcat, which will again try issuing a certificate (I guess as this is a protocol standard), I dont know whether will this affect the client - getting two certificates for a single https request?? Has any body done this before??? David Cassidy wrote: Hey Yes if you want httpd to load balance https requests you do need it to handle the https connection - and hence it needs the keys, certs etc Sadly the ajp protocol is in fact insecure if you have the httpd and tomcat on separate boxes you do have a security issue as the connection is transporting data in the clear. I would imagine that with mod_proxy you could load balance https requests so that the https request goes to httpd then its load balanced between https requests to multiple tomcats. What you'll loose over the ajp protocol i'm sure someone will let us know Note: you'll probably need more cert licenses, if they're commercial ones, if you're deploying the cert on multiple Tomcats rather than on one HTTPD. p On 25/11/09 09:18, jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
jkv wrote: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. SSL has a cost, in terms of encrypting/decrypting all communications, in terms of bandwidth, in terms of setup complexity, and in terms of maintenance complexity. So it should be used when necessary, and not otherwise. If you are using Apache httpd anyway as a front-end, you probably need HTTPS between the clients and Apache, because that link goes over non-secure connections. The question is, is the connection between Apache and Tomcat secure ? That is to some extent a relative and/or subjective judgement. If that connection goes over the Internet also, then it is not secure. If it goes only over an internal network, then you have to decide if that network, for practical purposes, can be termed as secure. If both Apache and Tomcat are on the same host, then it is already as secure as it can be. Thus if you decide that the Apache/Tomcat connections are secure, simplify your life and optimise the efficiency by keeping things simple, and handle all SSL stuff at the Apache level. (I believe that in technical terms, this is called terminate SSL at the Apache level.) The AJP protocol itself is not secure, in the sense that it does not, by itself, encrypt the data it exchanges. It can however, as far as I know, be configured to run over an SSL connection, if needed. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat Https loadbalancing??
Hello David, Nice if you've got that sort of money. I will go further, I feel the price of the famous hardware load balancers is completely excessive in comparison with the other components we use on production. It is very common to see on production small servers (cheap dual x86 processors, cheap Linux, free JVM, free Tomcat/JBoss/Jetty, free SpringFramework, free Hibernate, ...) and in front of them hardware load balancers that cost more than 50 K USD. I feel open source will come to load balancers as it came to operating systems, application servers or database servers. Products like HA Proxy are very appealing for inexpensive load balancing, they will fit many production requirements. I found interesting docs about inexpensive load balancing : - Making applications scalable with Load Balancing by Willy Tarreau, the father of HA Proxy http://1wt.eu/articles/2006_lb/ - loadbalancing.org FAQ : a provocative opinion http://www.loadbalancing.org/ it is quite cool because you can off-load the https part Look at Willy Tarreau's Making applications scalable with Load Balancing, he offloads SSL for almost free with a neat architecture. Personally i prefer mod_proxy_ajp with the balancing as well. I am preparing a blog post on AJP versus HTTP :-) My preference goes to HTTP because it has always been enough for my needs, even on high volume web sites, it is standard, network admins knows this protocol, all the network device can speak it, I can troubleshoot it with telnet and curl, ... :-) Cyrille -- Cyrille Le Clerc clecl...@xebia.fr http://blog.xebia.fr On Wed, Nov 25, 2009 at 12:09 PM, David Cassidy da...@twocats.co.uk wrote: Cyrille, Nice if you've got that sort of money. it is quite cool because you can off-load the https part so some custom hardware - again cool if you've got the money Personally i prefer mod_proxy_ajp with the balancing as well. D On 25/11/09 10:57, Cyrille Le Clerc wrote: Hello, As Ronald said, we made some drawings on a detailed document Tomcat, SSL, secure communications and X-Forwarded-Proto (1) that explains solutions to handle HTTPS at the Tomcat, Apache Httpd and Load Balancer layers. The document is written in french but the google translation is quite good (2). My preference is to use a level 7 load balancer in front of Apache httpd servers with mod_proxy_http+mod_proxy_balancer and then Tomcat servers. Of course, this topology is not always the best one but is very often relevant. Hope this helps, Cyrille -- Cyrille Le Clerc clecl...@xebia.fr http://blog.xebia.fr (1) http://blog.xebia.fr/2009/11/13/tomcat-ssl-communications-securisees-et-x-forwarded-proto/ (2) http://translate.google.com/translate?js=yprev=_thl=enie=UTF-8u=http%3A%2F%2Fblog.xebia.fr%2F2009%2F11%2F13%2Ftomcat-ssl-communications-securisees-et-x-forwarded-proto%2Fsl=frtl=en On Wed, Nov 25, 2009 at 11:45 AM, Ronald Klop ronald-mailingl...@base.nl wrote: Always make a drawing. client - https - tcp-loadbalancer - still same https connection- multiple tomcats client - https - http-loadbalancer (Apache, proxy) - new ajp/http(s) connection- multiple tomcats Normally the loadbalancer and tomcats are in the same private network. It is your choice if that is secure enough. In the end the data is unencrypted in the database I guess, so normally you trust your own network. Ronald. Op woensdag, 25 november 2009 10:18 schreef jkvj.kumara...@gmail.com: Hello, We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of requests has grown up and we have decided to do go for clustering and loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk loadbalacing. My certificate resides in Tomcat. In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk, should I configure Apache to handle HTTPS and tell it about my certificate details? While loadbalancing I understand that http/https request to Apache is converted to ajp and tunneled to Tomcat, so is ajp protocol secure? should I enable SSL in tomcat to handle this request? Should I have two copies of my certificate files if Apache and Tomcat reside on two different physical machines(Horizontal Clustering)? I searched the forums and they are too advanced for my question. I am really new to clustering and load balancing and any help is deeply appreciated. Thanks in advance. Regards jkv -- View this message in context: http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26509573.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands,