On 25/11/09 10:36, Peter Crowther wrote:
2009/11/25 jkv <j.kumara...@gmail.com>:
I got one small doubt in the last point that you said.

In this environment, you only want your "public" certificate on httpd.
Tomcat will not be doing anything that uses it, so don't put a copy
on those machines.

this means that I will not enable SSL in my tomcat.. I will comment
<!--<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               ....>  -->

tag totally from server.xml file in tomcat and have just one connector
element, i.e.,

<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
Certainly you only need the AJP connector, as Tomcat will never be
handling http or https requests.

If you want your tomcat to ever know that it's getting a secure request
you'll need 2 ajp connectors - one as the default is "not secure",
the other needs to say "I'm secure"; otherwise when you do a transport-guarantee in your web.xml
your client will be in an infinite loop
as tomcat never sees a "secure" request....


Thanks for the reply, that really helped a lot and we can also conclude we
cannot have secure horizontal load balancing with Apache and Tomcat!
Depends what you mean by "secure", as the level of security is
relative, not absolute.  There are more moving parts to secure, but
it's possible to secure all of them to a reasonable standard.

No system is *ever* 100% secure from attack, even if it's 100 metres
underground, powered by its own generator, no network,
Faraday-shielded, has a division of armed guards protecting its bunker
and has self-destruct systems built in.  It just depends how much the
attacker wants your data, and therefore what resource (s)he is willing
to commit to acquiring them.

- Peter
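A concrete version of the two-connector setup described earlier in the thread, added here as an example and not taken from any of the posts: a server.xml fragment with one plain and one "secure" AJP connector, plus the web.xml constraint whose redirect would otherwise loop. The second AJP port (8010), the 127.0.0.1 binding, the mod_jk worker names and the /app path are assumptions.

```xml
<!-- server.xml: two AJP connectors so Tomcat can tell plain from TLS-terminated
     traffic. Port 8010 and the loopback binding are assumptions. -->
<Service name="Catalina">

  <!-- Default, "not secure" connector: httpd's port-80 vhost proxies here.
       redirectPort must be httpd's public HTTPS port, not a Tomcat port,
       so the redirect for a CONFIDENTIAL resource lands on the front end. -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1" redirectPort="443" />

  <!-- "I'm secure" connector: only httpd's port-443 vhost proxies here.
       secure="true" makes request.isSecure() return true; scheme and
       proxyPort make generated URLs point at the public HTTPS front end. -->
  <Connector port="8010" protocol="AJP/1.3"
             address="127.0.0.1" secure="true" scheme="https" proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>

<!-- WEB-INF/web.xml of the application: require TLS for every resource.
     A request arriving on 8009 is redirected to https://host/...;
     the same request arriving on 8010 is served, so there is no loop. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- httpd side (mod_jk, assumed): workers.properties defines ajp_plain on
     port 8009 and ajp_secure on port 8010; the *:80 vhost uses
     "JkMount /app/* ajp_plain" and the *:443 vhost (SSLEngine on) uses
     "JkMount /app/* ajp_secure". Only httpd needs the certificate. -->
```

Both AJP ports are bound to loopback because nothing other than the local httpd should be able to reach them; if httpd runs on another host, restrict the bind address and firewall the ports to that host instead.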

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org