Introduction: The following pattern is common when deploying Java webapps on Tomcat.
(HTTPS) LB/Reverse Proxy <--> (HTTP)Tomcat <--> Webapp
Usually the HTTPS certificate is installed on the load balancer/reverse proxy, and the LB/RP then talks to the internal Tomcat over plain HTTP or AJP (see References).
Note: the following configuration is required only if the LB/RP connects to Tomcat over HTTP.
If the communication is over AJP, nothing needs to be configured to pass the HTTPS information to Tomcat, because the protocol carries it itself. One of the design goals of AJP is:
"Adding support for SSL, so that isSecure() and getScheme() will function correctly within the servlet container. The client certificates and cipher suite will be available to servlets as request attributes" (quote from https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)
Even with the HTTP connector, the configuration below can be skipped when every request that reaches that connector has come in over HTTPS: in that case just tell Tomcat statically, through the connector attributes, which scheme, host and port to report. The connector still speaks plain HTTP on port 8081; scheme and secure only change what getScheme() and isSecure() return, they do not enable TLS:
<Connector protocol="HTTP/1.1" port="8081" proxyName="linux-server" proxyPort="443" scheme="https" secure="true"/>
If the communication is over HTTP and Tomcat has to follow what the proxy actually received (for example, the proxy serves both HTTP and HTTPS), two steps are required:
Step 1 (LB/RP): forward the original scheme in a request header. With Apache httpd, put the following in apache2.conf or in the virtual host that proxies to Tomcat (mod_headers must be enabled; the exact directive depends on your LB/RP):
RequestHeader set X-Forwarded-Proto "https"
Use "set" rather than "add": "set" replaces any X-Forwarded-Proto header the client sent, whereas "add" would pass the client's value on to Tomcat alongside the proxy's.
Step 2 (Tomcat): add the RemoteIpValve to conf/server.xml, inside the <Engine> or <Host> element, so that Tomcat reads those headers:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />
The valve only honours these headers when the request's remote address matches its internalProxies attribute (by default the private, loopback and link-local ranges) or its trustedProxies attribute; if your LB/RP has a public address, set internalProxies to match it. Any host in those ranges can then set the scheme, port and client IP that the webapp sees, so the HTTP connector must not be reachable by anything other than the proxies. When the header says https, the valve also sets the server port from its httpsServerPort attribute (443 by default), overriding the connector's proxyPort; the connector therefore only needs to supply the proxy's host name:
<Connector port="8081" proxyName="my_web_server.com" proxyPort="80"/>
See sample server.xml
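To make the valve's trust rules concrete, here is a small Python model of RemoteIpValve's decision logic, added as an example and not Tomcat's own code. It takes the connection's remote address and the forwarded headers and returns what getRemoteAddr(), getScheme(), isSecure() and getServerPort() would report to the webapp. Assumptions: the proxy ranges are the valve's documented defaults written as CIDR blocks rather than Tomcat's regular expression, the starting port 8081 is the connector port used on this page, and the sample requests (10.0.0.5 standing in for the LB/RP, client addresses from the documentation ranges) are constructed for the example.

```python
"""Model of RemoteIpValve's decision logic (added example; simplified, not Tomcat's code)."""
import ipaddress

# Documented defaults of the valve's internalProxies, written here as CIDR blocks
# (assumption: Tomcat itself expresses this attribute as a regular expression).
DEFAULT_INTERNAL_PROXIES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                            "169.254.0.0/16", "127.0.0.0/8", "::1/128")
CONNECTOR_PORT = 8081  # the plain-HTTP connector port used on this page


def _in_any(addr, cidrs):
    """True when addr is a valid IP address inside one of the CIDR blocks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def apply_remote_ip(remote_addr, headers, internal_proxies=DEFAULT_INTERNAL_PROXIES,
                    trusted_proxies=(), http_server_port=80, https_server_port=443):
    """Return what getRemoteAddr()/getScheme()/isSecure()/getServerPort() report.

    headers: lower-cased header names as received by Tomcat (x-forwarded-for,
    x-forwarded-proto). The starting values are what a plain HTTP connector reports.
    """
    view = {"remoteAddr": remote_addr, "scheme": "http", "secure": False,
            "serverPort": CONNECTOR_PORT, "proxies": []}

    # 1. The headers are only honoured when the TCP peer is itself a known proxy;
    #    a client that reaches the connector directly cannot influence anything.
    if not (_in_any(remote_addr, internal_proxies) or _in_any(remote_addr, trusted_proxies)):
        return view

    # 2. Walk X-Forwarded-For from the right: the right-most entry was appended by the
    #    nearest proxy, so a client-supplied value further left is never reached once a
    #    non-proxy address has been found.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    client = remote_addr
    while hops:
        hop = hops.pop()
        if _in_any(hop, internal_proxies):
            continue                      # internal proxy: dropped, not reported
        if _in_any(hop, trusted_proxies):
            view["proxies"].append(hop)   # trusted proxy: reported via proxiesHeader
            continue
        client = hop                      # first non-proxy address is the real client
        break
    view["remoteAddr"] = client

    # 3. X-Forwarded-Proto decides the scheme, isSecure() and the reported server port;
    #    without that header the connector's own values are left untouched.
    proto = headers.get("x-forwarded-proto")
    if proto is not None:
        if proto.strip().lower() == "https":
            view.update(scheme="https", secure=True, serverPort=https_server_port)
        else:
            view.update(scheme="http", secure=False, serverPort=http_server_port)
    return view


# Constructed sample requests: 10.0.0.5 plays the LB/RP; 192.0.2.0/24, 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges standing in for Internet clients.
SAMPLES = {
    "via proxy, https": ("10.0.0.5",
                         {"x-forwarded-for": "203.0.113.7", "x-forwarded-proto": "https"}),
    "via proxy, client spoofed XFF": ("10.0.0.5",
                         {"x-forwarded-for": "192.0.2.1, 203.0.113.7",
                          "x-forwarded-proto": "https"}),
    "direct hit, spoofed proto": ("198.51.100.9", {"x-forwarded-proto": "https"}),
}


def run_samples():
    """Evaluate every sample request through the model."""
    return {name: apply_remote_ip(addr, hdrs) for name, (addr, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, view in run_samples().items():
        print(f"{name:32} -> {view}")
```

Running it prints the three sample outcomes. The third one is the point of the internalProxies check: a peer outside the proxy ranges cannot change scheme, port or client address with a forged header, while any peer inside 10/8 can set all of them, which is why the HTTP connector must only be reachable from the proxies.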