> > TC 7.0.54 / RHEL 6
> >
> > I have two physical servers, each running an instance of TC. The servers
> > are behind a hardware load balancer. IPTables is routing requests on 80 to
> > 8080.
>
> This seems unnecessary. If you have a hardware load balancer in front of
> Tomcat, it is the only thing that would ever talk to Tomcat. Thus if you
> just configure it to go to port 8080 you don't need the iptables rule. I
> can't imagine it's hurting anything, but just thought I'd mention it.

Not at all, it would seem like a better choice than an OS level redirect like iptables.

> > Tomcat runs under a non-root user. All good.
> >
> > I needed to protect an area of our webapp under SSL. Went ahead and
> > installed the cert on each server. I can go directly to each server by IP
> > under SSL and get the cert (with the expected "IP doesn't match FQDN"
> > warning).
>
> You probably want the SSL certificate installed on your hardware load
> balancer. End clients' browsers are going to connect to the hardware load
> balancer, not Tomcat. Thus you'd want the certificate there so your end
> users can benefit from it.
>
> Ex: browser -> HTTPS -> load balancer -> HTTP or HTTPS -> Tomcat
>
> If you put an SSL certificate on your Tomcat servers, that would allow you
> to secure the connection between your load balancer and Tomcat. Depending
> on your network and security requirements this may or may not be necessary.
> I'd say most people don't do this because terminating SSL on the load
> balancer is sufficient. It just depends on your requirements though.

Ok, that makes sense. I think just on the load balancer will work. In our configuration, unencrypted traffic between the LB and the servers is subject to minimal risk, and our security requirements aren't critical.

> > But when I go through the load balancer I can't access anything under port
> > 8443. I redirected 443 to 8443 on each TC server using IPTables, but still
> > no luck.
> >
> > Is there anything I'm missing?
>
> The load balancer is almost certainly listening on port 80 and 443. To
> test, you'd want to connect to the load balancer on one of those ports.
> The load balancer would then connect to one of your backend nodes and
> proxy the request on your behalf. Your browser will not connect directly
> to the backend nodes (see my point above about not needing the iptables
> rule), unless you specifically point it to the IP address of one of the
> backend nodes.

Sorry, I'm a bit unclear on this. What method of connecting would let me test?

> I think you'd want it on the load balancer. Possibly with additional certs
> on your backend nodes, if you want HTTPS communication between the load
> balancer and the Tomcat nodes.
>
> Dan

Thanks so much for the detailed and quick reply.

John
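Terminating SSL on the load balancer, as the thread settles on, has one Tomcat-side consequence: Tomcat then only ever sees plain HTTP on 8080, so a CONFIDENTIAL transport guarantee on the protected area would bounce every request to Tomcat's own redirectPort (8443) instead of the load balancer's 443. The fragments below are an added example, not from this thread or the Tomcat project; they assume the load balancer's address is 10.0.0.5, that it sets the X-Forwarded-Proto and X-Forwarded-For headers, and that the protected area lives under /secure/*.

```xml
<!-- server.xml fragment (added example). The connector only receives plain HTTP
     from the load balancer; redirectPort points at the LB's public 443, not 8443. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- Inside <Engine> or <Host>: trust X-Forwarded-* headers only when they come
     from the load balancer (10.0.0.5 is an assumed address), so Tomcat marks a
     request that reached the LB over HTTPS as secure and logs the real client IP
     rather than the LB's. Leaving internalProxies wide open would let any host
     that can reach 8080 claim its request was HTTPS. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.5"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpServerPort="80"
       httpsServerPort="443" />

<!-- web.xml fragment: the protected area (assumed path /secure/*). With the valve
     above, a request that arrived at the LB over HTTPS satisfies CONFIDENTIAL;
     one that arrived over plain HTTP is redirected to https://<host>:443/secure/... -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this in place neither the 8443 connector nor the 443-to-8443 iptables rule on the Tomcat hosts is needed, since the browser only ever talks to the load balancer.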