29 May 2015

Configure tomcat (on HTTP) to work with HTTPS Load Balancer/Reverse Proxy

Introduction:

The following pattern is common when deploying java webapps on tomcat.

(HTTPS) LB/Reverse Proxy <--> (HTTP)Tomcat <--> Webapp

Usually, the HTTPS certificate is being installed on the Load Balancer/Reverse Proxy, then the LB/RP will communicate with internal tomcat on HTTP/AJP. (see References)

Note:

The following configurations is required only if LB/RP to connect to tomcat on HTTP.

If the communication done on AJP, then no configuration is required to pass HTTPS information to tomcat.
As one of the design goals of AJP is :
"Adding support for SSL, so that isSecure() and getScheme() will function correctly within the servlet container. The client certificates and cipher suite will be available to servlets as request attributes
(quote from https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)

Update:

If you use HTTP connector, still the below configuration is not required, just tell tomcat (thought the connector configurations), on which scheme the response should be returned by using:

<Connector protocol="HTTP/1.1" port="8081" proxyName="linux-server" proxyPort="443" scheme="https" secure="true"/>

references: 

There are 2 steps required in case of the communication done on HTTP:

1. On the LB/RP you need to configure it to send its http scheme (in this case https) as a request header to the tomcat servers.

In apache2, you may need to use the following line in apache2.conf (depends on your LB/RP)

RequestHeader add x-forwarded-proto “https”
2. On tomcat side, you need to tell it to use the protocol scheme of the LB/RP that is being sent in the headers.

To do so, you need to add the following valve to conf/server.xml
<Valve className="org.apache.catalina.valves.RemoteIpValve” 
    remoteIpHeader="x-forwarded-for” 
    proxiesHeader="x-forwarded-by” 
    protocolHeader="x-forwarded-proto" />
Also don't forget to add proxyName and proxyPort to the connector you will use to receive connections from the LB/RP like this;
<Connector port="8081" proxyName="my_web_server.com" proxyPort="80"/>

See sample server.xml

And thats it, just restart tomcat and it will work like expected.
Tested with Apache2 on ubuntu and tomcat8

 References:

https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
http://www.tomcatexpert.com/blog/2010/06/16/deciding-between-modjk-modproxyhttp-and-modproxyajp
https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Proxies_Support
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html#Proxy_Support
http://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
http://stackoverflow.com/questions/5741210/handling-x-forwarded-proto-in-java-apache-tomcat
http://support.citrix.com/article/CTX123676
https://www.wikiwand.com/en/List_of_HTTP_header_fields
http://serverfault.com/questions/181177/rewriting-302-app-server-redirect-urls-with-apache-proxy-in-the-middle
http://www.wikiwand.com/en/Reverse_proxy
https://www.mulesoft.com/tcat/tomcat-connectors
http://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html
http://discussions.citrix.com/topic/315307-http-x-forwarded-proto/
Posted by at
Labels: , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)