Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
Hi, use a quot at AccessLogValve pattern to a muliple value field. "%{X-Forwarded-For}i" %l %u %t "%r" %s %b Look the following definition: http://en.wikipedia.org/wiki/X- Forwarded-For First value is the client ip. Peter Am 05.01.2008 um 22:19 schrieb Rainer Jung: Hi Gregory, the descriptions below work (at least) for TC 5.0/5.5/6.0. Gregory Gerard schrieb: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. Don't use "secure", use scheme="https" instead. See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. I assume you are talking about the access log? For common log format, but using the client IP, you take the pattern: %{X-Forwarded-For}i %l %u %t "%r" %s %b See: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html Caution: X-Forwarded-For can contain multiple IP addresses, if the request passed through multiple proxies and they are configured to add IPs, not to overwrite. Keep this in mind when doing analysis on the field. Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? There should be no need for code changes :) thanks, greg Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
Gregory Gerard wrote: Thanks! I'll give that a whirl. So you're saying that my marking it as scheme='https' HttpServletRequest.isSecure() will respond with true? Good to know about the multiple IPs... Didn't know that was legal but makes sense. Logging would be fine (though I don't know how the access log would handle it when parsed) but I'm more trying to get HttpServletRequest.getRemoteAddr()/getRemoteHost to return outer-most value (which I would make the assumption that it's the browser's address). this is a configuration on the F5, read the manual for that. Filip greg Rainer Jung wrote: Hi Gregory, the descriptions below work (at least) for TC 5.0/5.5/6.0. Gregory Gerard schrieb: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. Don't use "secure", use scheme="https" instead. See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. I assume you are talking about the access log? For common log format, but using the client IP, you take the pattern: %{X-Forwarded-For}i %l %u %t "%r" %s %b See: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html Caution: X-Forwarded-For can contain multiple IP addresses, if the request passed through multiple proxies and they are configured to add IPs, not to overwrite. Keep this in mind when doing analysis on the field. Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? There should be no need for code changes :) thanks, greg Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
Rainer Jung wrote: Hi Gregory, the descriptions below work (at least) for TC 5.0/5.5/6.0. Gregory Gerard schrieb: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. Don't use "secure", use scheme="https" instead. See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html on tomcat 6, use both secure="true" and scheme="https", just set SSLEnabled="false" When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. I assume you are talking about the access log? For common log format, but using the client IP, you take the pattern: %{X-Forwarded-For}i %l %u %t "%r" %s %b See: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html Caution: X-Forwarded-For can contain multiple IP addresses, if the request passed through multiple proxies and they are configured to add IPs, not to overwrite. Keep this in mind when doing analysis on the field. Remember, that you can configure F5 to not modify the src address of TCP, so that you get a true idea of where the connection is coming from. Look through your F5 manuals. Filip Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? There should be no need for code changes :) thanks, greg Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
Gregory Gerard schrieb: Thanks! I'll give that a whirl. So you're saying that my marking it as scheme='https' HttpServletRequest.isSecure() will respond with true? No, sorry, see my second post. The attribute scheme is used when a self-referencing redirect gets constructed. That's a way of producing a httpd redirect, although technically the reuqest is http. secure should do what you want. Please post your connector configuration. Good to know about the multiple IPs... Didn't know that was legal but makes sense. Logging would be fine (though I don't know how the access log would handle it when parsed) but I'm more trying to get HttpServletRequest.getRemoteAddr()/getRemoteHost to return outer-most value (which I would make the assumption that it's the browser's address). No idea about the getRemote*. Others? mod_jk corrsponds with the AJP connector, and this connector fakes those getRemote* from the info retrieved by mod_jk. greg Rainer Jung wrote: Hi Gregory, the descriptions below work (at least) for TC 5.0/5.5/6.0. Gregory Gerard schrieb: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. Don't use "secure", use scheme="https" instead. See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. I assume you are talking about the access log? For common log format, but using the client IP, you take the pattern: %{X-Forwarded-For}i %l %u %t "%r" %s %b See: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html Caution: X-Forwarded-For can contain multiple IP addresses, if the request passed through multiple proxies and they are configured to add IPs, not to overwrite. Keep this in mind when doing analysis on the field. Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? There should be no need for code changes :) thanks, greg Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
In Tomcat 6.0.x you can do In Tomcat 5.5.x you can write a Filter that creates a HttpServletRequestWrapper, that returns true on isSecure, and https on getScheme or you can take a look at org.apache.catalina.valves.SSLValve, which reads headers set by the server in front, most commonly apache httpd Filip Gregory Gerard wrote: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? thanks, greg - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
Thanks! I'll give that a whirl. So you're saying that my marking it as scheme='https' HttpServletRequest.isSecure() will respond with true? Good to know about the multiple IPs... Didn't know that was legal but makes sense. Logging would be fine (though I don't know how the access log would handle it when parsed) but I'm more trying to get HttpServletRequest.getRemoteAddr()/getRemoteHost to return outer-most value (which I would make the assumption that it's the browser's address). greg Rainer Jung wrote: Hi Gregory, the descriptions below work (at least) for TC 5.0/5.5/6.0. Gregory Gerard schrieb: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. Don't use "secure", use scheme="https" instead. See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. I assume you are talking about the access log? For common log format, but using the client IP, you take the pattern: %{X-Forwarded-For}i %l %u %t "%r" %s %b See: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html Caution: X-Forwarded-For can contain multiple IP addresses, if the request passed through multiple proxies and they are configured to add IPs, not to overwrite. Keep this in mind when doing analysis on the field. Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? There should be no need for code changes :) thanks, greg Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
Sorry didn't read your post carefully enough. The access log thing is OK, but about the redirect: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. Concerning redirects from http to https: what about attribute redirectPort on the 8080 connector? But of course you need to set it to a port, that's available on the F5. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Can you give your full connector 8081 configuration? Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
Hi Gregory, the descriptions below work (at least) for TC 5.0/5.5/6.0. Gregory Gerard schrieb: I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. Don't use "secure", use scheme="https" instead. See http://tomcat.apache.org/tomcat-6.0-doc/config/http.html When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. I assume you are talking about the access log? For common log format, but using the client IP, you take the pattern: %{X-Forwarded-For}i %l %u %t "%r" %s %b See: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html Caution: X-Forwarded-For can contain multiple IP addresses, if the request passed through multiple proxies and they are configured to add IPs, not to overwrite. Keep this in mind when doing analysis on the field. Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? There should be no need for code changes :) thanks, greg Regards, Rainer - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat 5.5.20+ behind an F5 Load Balancer doing SSL Connector problem
I've got an F5 load balancer running version 9.3 of the software. I've got several Tomcat installations behind it. The F5 does all SSL and clear traffic as a reverse proxy, rewriting headers as needed for cookies and whatnot. I have one connector on 8080 for the clear traffic. My problem: I tried to add another connector on 8081 setting secure to true so that the HttpServletRequest would say, yup, this is a secure connection and tell the 8080 connector 8081 is the secure address it should use when trying to upshift to higher security. When I did this and started Tomcat up, it whined about not being able to open up my keystore. I want all my SSL to offloaded and keep the keys out of each machine and centrally managed. I *just* want to get the servlets to believe the connection is secure. This is analogous to HTTPd doing the SSL offload with the mod_jk connector. Also, the header X-Forwarded-For is set by the F5 and I'd like the Connector to also give out this IP instead of the load balancer's. Any ideas short of recompiling Tomcat with a modified connector? Anyone else faced this problem? thanks, greg - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]