jkv wrote:
Hello,

We are using Tomcat 6.0 and running HTTPS (SSL enabled). The number of
requests has grown and we have decided to go for clustering and
load balancing. We have decided to go for Apache and mod_proxy/mod_jk
load balancing. My certificate resides in Tomcat.
In order to load-balance HTTPS requests using Apache and mod_proxy/mod_jk,
should I configure Apache to handle HTTPS and tell it about my certificate
details?
While load balancing, I understand that an http/https request to Apache is
converted to AJP and tunneled to Tomcat, so is the AJP protocol secure? Should I
enable SSL in Tomcat to handle this request?
Should I have two copies of my certificate files if Apache and Tomcat reside
on two different physical machines (horizontal clustering)?

I searched the forums and they are too advanced for my question. I am really
new to clustering and load balancing and any help is deeply appreciated.
Thanks in advance.

SSL has a cost, in terms of encrypting/decrypting all communications, in terms of bandwidth, in terms of setup complexity, and in terms of maintenance complexity.
So it should be used when necessary, and not otherwise.

If you are using Apache httpd anyway as a front-end, you probably need HTTPS between the clients and Apache, because that link goes over non-secure connections.

The question is, is the connection between Apache and Tomcat secure?
That is to some extent a relative and/or subjective judgement.
If that connection goes over the Internet also, then it is not secure.
If it goes only over an internal network, then you have to decide if that network, for practical purposes, can be termed as secure. If both Apache and Tomcat are on the same host, then it is already as secure as it can be. Thus if you decide that the Apache/Tomcat connections are secure, simplify your life and optimise the efficiency by keeping things simple, and handle all SSL stuff at the Apache level. (I believe that in technical terms, this is called "terminate SSL at the Apache level".)

The AJP protocol itself is not secure, in the sense that it does not, by itself, encrypt the data it exchanges. It can however, as far as I know, be configured to run over an SSL connection, if needed.
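
The setup the reply describes (HTTPS ends at Apache, plain AJP to the Tomcat nodes) could look like the following httpd configuration. This is an added example, not part of the original message; the host name, back-end addresses, file paths, balancer name and route names are placeholders.

```apache
# Added example: terminate SSL at Apache and balance over AJP.
# All names, addresses and paths below are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_ajp and mod_proxy_balancer
# (httpd 2.4 additionally needs a mod_lbmethod_* module loaded).

Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # The certificate and private key live on the Apache host only;
    # the Tomcat nodes do not need a copy when SSL ends here.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # AJP carries request data unencrypted, so these back-end addresses
    # should sit on a network segment you have decided to trust, with
    # port 8009 reachable from the Apache host only.
    <Proxy balancer://tomcatcluster>
        # Each route value must match the jvmRoute attribute of the
        # <Engine> element in that Tomcat instance's server.xml.
        BalancerMember ajp://10.0.0.11:8009 route=node1
        BalancerMember ajp://10.0.0.12:8009 route=node2
        # Keep a session on the node that created it.
        ProxySet stickysession=JSESSIONID
    </Proxy>

    ProxyPass        / balancer://tomcatcluster/
    ProxyPassReverse / balancer://tomcatcluster/
</VirtualHost>
```

On the Tomcat side only the AJP connector (port 8009 in the default server.xml) has to be enabled for this layout; the HTTPS connector that currently holds the certificate is no longer in the request path.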


