Thanks Peter,

That really helps me a lot.

I have one small doubt about the last point you made.

In this environment, you only want your "public" certificate on httpd.
Tomcat will not be doing anything that uses it, so don't put a copy
on those machines.

This means that I will not enable SSL in my Tomcat. I will comment out the
<!-- <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               ....> -->

tag entirely in the server.xml file in Tomcat and have just one connector
element, i.e.,

<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

I think I will have to remove the redirectPort="443" attribute also, as it's
being handled for me by Apache?

Thanks for the reply, that really helped a lot, and we can also conclude that we
cannot have secure horizontal load balancing with Apache and Tomcat!

Regards
JKV


Peter Crowther wrote:
> 
> 2009/11/25 jkv <j.kumara...@gmail.com>:
>> We are using Tomcat 6.0 and running HTTPS (SSL enabled). The number of
>> requests has grown and we have decided to go for clustering and
>> load balancing. We have decided to go for Apache and mod_proxy/mod_jk
>> load balancing. My certificate resides in Tomcat.
>>
>> In order to load balance HTTPS requests using Apache and mod_proxy/mod_jk,
>> should I configure Apache to handle HTTPS and tell it about my
>> certificate details?
> 
> Yes.  Apache has to terminate the SSL connection when you're load
> balancing.
> 
>> While load balancing, I understand that http/https requests to Apache are
>> converted to AJP and tunneled to Tomcat, so is the AJP protocol secure?
>> Should I enable SSL in Tomcat to handle these requests?
> 
> The AJP protocol is not secure.  It is only used between httpd and
> Tomcat.  You should perform some suitable threat modelling of your
> system.  If you think the threat from an attacker being able to sniff
> packets on the path between httpd and Tomcat is sufficiently low,
> leave it unencrypted.  If you think the threat is too high, encrypt it
> using some kind of secure tunnel between httpd and Tomcat, such as a
> VPN connection.
> 
> My guess is that if someone's able to sniff packets on the link
> between httpd and Tomcat, you already have a big security issue.
> 
>> Should I have two copies of my certificate files if Apache and Tomcat
>> reside on two different physical machines (Horizontal Clustering)?
> 
> In this environment, you only want your "public" certificate on httpd.
> Tomcat will not be doing anything that uses it, so don't put a copy
> on those machines.
> 
> Hope this helps,
> 
> - Peter
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

-- 
View this message in context: 
http://old.nabble.com/Tomcat-Https-loadbalancing---tp26509573p26510331.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
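As an added check (not from this thread, nor a Tomcat or httpd tool), a small script that audits a server.xml for the layout Peter describes: httpd terminates TLS and forwards over AJP, so Tomcat should keep no SSLEnabled connector, no plain HTTP connector reachable from outside, and its unencrypted AJP port should listen only on the interface facing httpd. The sample XML and the `10.0.0.5` address are constructed for the example.

```python
"""Audit a Tomcat server.xml for a deployment where Apache httpd terminates
TLS and forwards requests to Tomcat over (unencrypted) AJP."""
import xml.etree.ElementTree as ET

# Constructed sample: the reduced server.xml with only the AJP connector,
# as planned in the message above (note: no address= attribute).
PLANNED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed variant with the AJP listener pinned to a hypothetical
# private interface that only the httpd machines can reach.
PINNED_SERVER_XML = PLANNED_SERVER_XML.replace(
    'protocol="AJP/1.3"', 'protocol="AJP/1.3" address="10.0.0.5"')

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def audit_connectors(server_xml: str) -> list:
    """Return human-readable findings; an empty list means the file passes."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        addr = conn.get("address")                # None means all interfaces
        if conn.get("SSLEnabled", "false").lower() == "true":
            findings.append(f"port {port}: SSLEnabled connector left in place; "
                            "TLS is terminated by httpd, so drop it")
        elif proto.startswith("AJP"):
            if addr is None or addr in ("0.0.0.0", "::"):
                findings.append(f"port {port}: unencrypted AJP connector listens "
                                "on all interfaces; set address= to the httpd-facing one")
        elif addr not in LOOPBACK:
            findings.append(f"port {port}: plain HTTP connector bypasses httpd's "
                            "TLS termination; remove it or bind it to localhost")
    return findings


if __name__ == "__main__":
    for label, xml in (("planned", PLANNED_SERVER_XML), ("pinned", PINNED_SERVER_XML)):
        print(label, audit_connectors(xml) or ["OK"])
```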

