On Fri, Aug 1, 2014 at 11:49 AM, John Smith <tomcat.ran...@gmail.com> wrote:

> >
> > > TC 7.0.54 / RHEL 6
> > >
> > > I have two physical servers, each running an instance of TC. The servers
> > > are behind a hardware loadbalancer. IPTables is routing requests on 80 to
> > > 8080.
> >
> >
> > This seems unnecessary.  If you have a hardware load balancer in front of
> > Tomcat, it is the only thing that would ever talk to Tomcat.  Thus if you
> > just configure it to go to port 8080 you don't need the iptables rule.  I
> > can't imagine it's hurting anything, but just thought I'd mention it.
>
>
> Not at all, it would seem like a better choice than an OS level redirect
> like iptables.
>
>
>
> > > Tomcat runs under a non-root user. All good.
> > >
> > > I needed to protect an area of our webapp under SSL. Went ahead and
> > > installed the cert on each server. I can go directly to each server by IP
> > > under SSL and get the cert (with the expected IP doesn't match FQDN
> > > warning).
> > >
> >
> > You probably want the SSL certificate installed on your hardware load
> > balancer.  End client's browsers are going to connect to the hardware
> load
> > balancer, not Tomcat.  Thus you'd want the certificate there so your end
> > users can benefit from it.
> >
> > Ex:  browser -> HTTPS -> load balancer -> HTTP or HTTPS -> Tomcat
> >
> > If you put an SSL certificate on your Tomcat servers, that would allow you
> > to secure the connection between your load balancer and Tomcat.  Depending
> > on your network and security requirements this may or may not be necessary.
> > I'd say most people don't do this because terminating SSL on the load
> > balancer is sufficient.  It just depends on your requirements though.
>
>
> Ok, that makes sense. I think just on the loadbalancer will work. In our
> configuration, unencrypted traffic between the LB and the servers is
> subject to minimal risk, and our security requirements aren't critical.
>
>
>
> > > But when I go through the loadbalancer I can't access anything under port
> > > 8443. I redirected 443 to 8443 on each TC server using IPTables, but still
> > > no luck.
> > >
> > > Is there anything I'm missing?
> >
> >
> > The load balancer is almost certainly listening on port 80 and 443.  To
> > test, you'd want to connect to the load balancer on one of those ports.
> >  The load balancer would then connect to one of your backend nodes and
> > proxy the request on your behalf.  Your browser will not connect directly
> > to the backend nodes (see my point above about not needing the iptables
> > rule), unless you specifically point it to the ip address of one of the
> > backend nodes.
>
>
>
> Sorry, I'm a bit unclear on this. What method of connecting would let me
> test?
>

To test, you would just open your browser and connect to the load balancer.
For example, put "http://<your-lb-dns-name>/" and for SSL
"https://<your-lb-dns-name>".
If everything works, you'll get a response from your application.

Behind the scenes, this will send a request to the load balancer, either
via HTTP or HTTPS.  If your load balancer is functioning at layer 7, like
Mark mentioned, it'll get the HTTP request and proxy this to one of your
backend servers.  The backend server will then process the request and
return it to the load balancer.  The load balancer will then return the
response to your browser.

As you're testing, keep this process in mind.  If you encounter a problem just
try to break down the flow from your browser to the server and back.  If
you look at the request at each hop through this process, you can often
find where things went wrong.  For example, did the request hit the LB?  If
not, maybe we have a firewall issue or ports aren't configured right.  If so,
did it hit one of the backend servers?  If not, maybe there's a config
issue in the LB.  If it did, what response did it get?  A 4xx / 5xx error,
ok something went wrong on the backend, need to investigate the logs there
for more details.

Hope that helps to clarify.

Dan


>
>
> > I think you'd want it on the load balancer.  Possibly with additional certs
> > on your backend nodes, if you want HTTPS communication between the load
> > balancer and the Tomcat nodes.
> >
> > Dan
> >
>
> Thanks so much for the detailed and quick reply.
> John
>
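The hop-by-hop check Dan describes, as an added example that is not code from the thread: it probes the load balancer on 80/443 and a Tomcat node on 8080/8443 and reports, per hop, whether the request got there and what came back. LB_HOST and NODES are assumed placeholders; backend nodes are probed with certificate verification disabled only because, as the original poster noted, their certificate does not match the IP they are reached by, while the load balancer is verified normally.

```python
import http.client
import socket
import ssl

LB_HOST = "lb.example.internal"      # assumed placeholder: the load balancer's DNS name
NODES = ["10.0.0.11", "10.0.0.12"]   # assumed placeholder: the two Tomcat servers

def probe(host, port, use_tls=False, verify=True, path="/", timeout=5.0):
    """Check one hop: TCP reachability, TLS handshake outcome and HTTP status.
    verify=False is for backend nodes whose cert subject does not match their IP."""
    hop = {"host": host, "port": port, "tcp": False, "tls": None, "status": None, "error": None}
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        hop["tcp"] = True
    except OSError as exc:
        hop["error"] = "tcp: %s" % exc
        return hop
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            if not verify:  # backend-only: the poster's certs do not match the IP used
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        hop["status"] = conn.getresponse().status
        hop["tls"] = True if use_tls else None
        conn.close()
    except ssl.SSLError as exc:
        hop["tls"] = False
        hop["error"] = "tls: %s" % exc
    except (OSError, http.client.HTTPException) as exc:
        hop["error"] = "http: %s" % exc
    return hop

def diagnose(hop):
    """Map a probe result onto Dan's checklist: reached? handshake? what response?"""
    where = "%s:%d" % (hop["host"], hop["port"])
    if not hop["tcp"]:
        return "%s: no TCP connection; check firewall rules and the listening port" % where
    if hop["tls"] is False:
        return "%s: TLS handshake failed; check the certificate installed at this hop" % where
    if hop["status"] is None:
        return "%s: connected but no HTTP response (%s)" % (where, hop["error"])
    if hop["status"] >= 400:
        return "%s: HTTP %d; request arrived, inspect this hop's logs" % (where, hop["status"])
    return "%s: HTTP %d; this hop is working" % (where, hop["status"])
```

Run `diagnose(probe(LB_HOST, 443, use_tls=True))` for the load balancer and `diagnose(probe(NODES[0], 8443, use_tls=True, verify=False))` for a backend; compare the two to see at which hop the flow breaks.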
