2009/11/25 jkv <j.kumara...@gmail.com>:
> We are using Tomcat 6.0 and running HTTPS (enabled SSL). The number of
> requests has grown and we have decided to go for clustering and
> loadbalancing. We have decided to go for Apache and mod_proxy/mod_jk
> loadbalancing. My certificate resides in Tomcat.
>
> In order to loadbalance HTTPS request using Apache and mod_proxy/mod_jk,
> should I configure Apache to handle HTTPS and tell it about my certificate
> details?

Yes.  Apache has to terminate the SSL connection when you're load balancing.

> While loadbalancing I understand that http/https request to Apache is
> converted to AJP and tunneled to Tomcat, so is the AJP protocol secure? Should I
> enable SSL in Tomcat to handle this request?

The AJP protocol is not secure.  It is only used between httpd and
Tomcat.  You should perform some suitable threat modelling of your
system.  If you think the threat from an attacker being able to sniff
packets on the path between httpd and Tomcat is sufficiently low,
leave it unencrypted.  If you think the threat is too high, encrypt it
using some kind of secure tunnel between httpd and Tomcat, such as a
VPN connection.

My guess is that if someone's able to sniff packets on the link
between httpd and Tomcat, you already have a big security issue.

> Should I have two copies of my certificate files if Apache and Tomcat reside
> on two different physical machines(Horizontal Clustering)?

In this environment, you only want your "public" certificate on httpd.
Tomcat will not be doing anything that uses it, so don't put a copy
on those machines.

Hope this helps,

- Peter
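
The setup described in the reply above, sketched as an httpd configuration. This is an added example, not part of the original message; the host name, back-end addresses, file paths, balancer name and route names are placeholders.

```apache
# Added example. Requires mod_ssl, mod_proxy, mod_proxy_ajp and
# mod_proxy_balancer (on httpd 2.4 also an lbmethod module such as
# mod_lbmethod_byrequests).
Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # TLS is terminated here, so the certificate and its private key
    # are installed on the httpd host only, not on the Tomcat machines.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Tomcat nodes reached over AJP. This hop is cleartext: it belongs
    # on a network segment the threat model accepts as trusted, or
    # inside a tunnel/VPN between httpd and Tomcat.
    <Proxy balancer://tomcatcluster>
        BalancerMember ajp://10.0.0.11:8009 route=tc1
        BalancerMember ajp://10.0.0.12:8009 route=tc2
    </Proxy>

    # Keep a session on the node that created it. Each route above must
    # match the jvmRoute attribute of that node's <Engine> in server.xml.
    ProxyPass / balancer://tomcatcluster/ stickysession=JSESSIONID|jsessionid
</VirtualHost>

# Tomcat side (server.xml on each node, shown here as comments):
#   <Connector port="8009" protocol="AJP/1.3" address="10.0.0.11" />
#   <Engine name="Catalina" defaultHost="localhost" jvmRoute="tc1">
# Binding the AJP connector to the back-end interface keeps it off
# public addresses; the HTTPS connector on Tomcat is no longer needed.
```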
