Thanks! I'll give that a whirl. So you're saying that if I mark it as
scheme='https', HttpServletRequest.isSecure() will respond with true?
Good to know about the multiple IPs... Didn't know that was legal but
makes sense.
Logging would be fine (though I don't know how the access log would
handle it when parsed) but I'm more trying to get
HttpServletRequest.getRemoteAddr()/getRemoteHost() to return the outer-most
value (which I would assume is the browser's address).
greg
Rainer Jung wrote:
Hi Gregory,
the descriptions below work (at least) for TC 5.0/5.5/6.0.
Gregory Gerard schrieb:
I've got an F5 load balancer running version 9.3 of the software.
I've got several Tomcat installations behind it.
The F5 does all SSL and clear traffic as a reverse proxy, rewriting
headers as needed for cookies and whatnot.
I have one connector on 8080 for the clear traffic.
My problem: I tried to add another connector on 8081 setting secure
to true so that the HttpServletRequest would say, yup, this is a
secure connection and tell the 8080 connector 8081 is the secure
address it should use when trying to upshift to higher security.
Don't use "secure", use scheme="https" instead. See
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
When I did this and started Tomcat up, it whined about not being able
to open up my keystore.
I want all my SSL to be offloaded and keep the keys out of each machine
and centrally managed. I *just* want to get the servlets to believe
the connection is secure. This is analogous to HTTPd doing the SSL
offload with the mod_jk connector.
Also, the header X-Forwarded-For is set by the F5 and I'd like the
Connector to also give out this IP instead of the load balancer's.
I assume you are talking about the access log?
For common log format, but using the client IP, you take the pattern:
%{X-Forwarded-For}i %l %u %t "%r" %s %b
See:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
Caution: X-Forwarded-For can contain multiple IP addresses, if the
request passed through multiple proxies and they are configured to add
IPs, not to overwrite. Keep this in mind when doing analysis on the
field.
Any ideas short of recompiling Tomcat with a modified connector?
Anyone else faced this problem?
There should be no need for code changes :)
thanks,
greg
Regards,
Rainer
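The multi-address caveat above matters for more than log analysis: the leftmost X-Forwarded-For entry is whatever the client sent, and only the entries appended by your own proxies can be relied on. The snippet below is an added example, not code from this thread, showing how a filter or log parser should pick the client address by walking the header from the right and skipping known proxies; the 10.0.0.0/24 proxy range and the sample addresses are constructed for the example.

```python
# Added example: select the client address from X-Forwarded-For when the
# request may have crossed several proxies that append (not overwrite).
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed for this example: the F5 and any inner proxies live in
# 10.0.0.0/24; every other address is treated as untrusted.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside a trusted proxy range."""
    try:
        ip = ip_address(addr.strip())
    except ValueError:          # garbage or hostnames are never trusted
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(remote_addr: str, xff: Optional[str]) -> str:
    """Return the nearest hop that is not one of our proxies.

    remote_addr is the TCP peer Tomcat actually accepted (the F5).
    The header is read right to left because each proxy appends the
    address it received the request from; the rightmost entries were
    written by our proxies, the leftmost by the client itself.
    """
    if not is_trusted(remote_addr):
        return remote_addr      # no proxy in front of us: peer is the client
    if not xff:
        return remote_addr      # proxy did not add the header: fall back
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop          # first address our proxies did not own
    # Every hop was one of ours: the request originated inside the proxy net.
    return hops[0] if hops else remote_addr
```

Feeding the result to the access log (or a request wrapper's getRemoteAddr) gives the external client address even when someone prepends a forged entry to the header.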
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]