29 May 2015

Configure tomcat (on HTTP) to work with HTTPS Load Balancer/Reverse Proxy

Introduction:

The following pattern is common when deploying java webapps on tomcat.

(HTTPS) LB/Reverse Proxy <--> (HTTP)Tomcat <--> Webapp


Usually, the HTTPS certificate is installed on the Load Balancer/Reverse Proxy, and the LB/RP then communicates with the internal tomcat over HTTP or AJP. (see References)

Note:

The following configuration is required only if the LB/RP connects to tomcat over HTTP.

If the communication is done over AJP, no configuration is required to pass the HTTPS information to tomcat.

As one of the design goals of AJP is:
"Adding support for SSL, so that isSecure() and getScheme() will function correctly within the servlet container. The client certificates and cipher suite will be available to servlets as request attributes."
(quote from https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)


Update:

If you use the HTTP connector, the configuration below is still not required; just tell tomcat (through the connector configuration) on which scheme the response should be returned, by using:

<Connector protocol="HTTP/1.1" port="8081" proxyName="linux-server" proxyPort="443" scheme="https" secure="true"/>

references: 

There are 2 steps required if the communication is done over HTTP:

1. On the LB/RP, configure it to send the scheme it serves (in this case https) as a request header to the tomcat servers.

In apache2, you may need to use the following line in apache2.conf (depends on your LB/RP):

RequestHeader add x-forwarded-proto "https"

2. On the tomcat side, you need to tell it to use the protocol scheme of the LB/RP that is sent in that header.

To do so, you need to add the following valve to conf/server.xml
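The check that such a valve has to perform, as an added Python model written for this post (it is not Tomcat code): the forwarded scheme is honoured only when the request actually arrived from the LB/RP, because any direct client can send an x-forwarded-proto header too. The trusted proxy range and the Request fields are constructed assumptions; in Tomcat's RemoteIpValve the same idea is expressed with its internalProxies/trustedProxies and protocolHeader attributes.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed assumption: the LB/RP reaches tomcat from this internal range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Request:
    """Minimal stand-in for what the HTTP connector on port 8081 sees."""
    remote_addr: str
    headers: dict = field(default_factory=dict)
    scheme: str = "http"       # what getScheme() would return before the valve runs
    secure: bool = False       # what isSecure() would return before the valve runs
    server_port: int = 8081


def apply_forwarded_proto(req: Request, header: str = "x-forwarded-proto") -> Request:
    """Step 2 from the post: use the LB/RP's scheme, but only from the LB/RP itself."""
    client = ipaddress.ip_address(req.remote_addr)
    if not any(client in net for net in TRUSTED_PROXIES):
        # Direct client (or an unknown hop): its header is untrusted, keep plain HTTP.
        return req
    lowered = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
    value = lowered.get(header.lower())
    if value is None:
        return req
    # With chained proxies the header may read "https, http"; the first entry
    # is the scheme the outermost (client-facing) proxy received.
    proto = value.split(",")[0].strip().lower()
    if proto == "https":
        req.scheme, req.secure, req.server_port = "https", True, 443
    elif proto == "http":
        req.scheme, req.secure, req.server_port = "http", False, 80
    return req
```

With this in place redirects and absolute URLs built by the webapp come out as https://...:443 for traffic that passed through the proxy, while a request that bypasses the proxy cannot claim to be secure.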
