We have a web application hosted on a Tomcat server (clustered), with two Apache web servers sitting in front and an F5 load balancer in front of Apache. SSL is configured in the F5 load balancer. Now whenever someone accesses our application using the load balancer's secure URL, our Java web application does not evaluate request.isSecure to be true. Is there any setting I need to enable for this?

In our Apache web server we have the following configuration using proxy balancer:

ServerName ip:80

ProxyPass /balancer-manager !
ProxyPass / balancer://mycluster/ stickysession=JSESSIONID nofailover=Off
ProxyPassReverse / balancer://mycluster/
<Proxy balancer://mycluster>
          BalancerMember ajp://ipapp1:8009 route=jvm1 loadfactor=1
          BalancerMember ajp://ipapp2:8009 route=jvm2 loadfactor=1 status=+H
          ProxySet lbmethod=byrequests
</Proxy>

I tried to change the connector details in Tomcat's server.xml by adding scheme="https", secure="true" and proxyPort="443" for port 8080, but it did not work.

What am I missing here?

Sandeep Nair
  • If you're terminating SSL at the BIG-IP, why are you trying to validate encryption at the web server behind it? You're sending an unencrypted connection so it should validate as unsecure. If you're not worried about performance, Bridge the SSL connection and reencrypt with a server SSL profile from the BIG-IP to the web server to satisfy this. Else, you're going to need to write some sort of iRule within the BIG-IP to notify the web server that the connection was previously encrypted and have your application validate that string. – Chase Nov 10 '15 at 21:34
  • Actually we are using OpenSAML for SSO. We are getting a "saml endpoint url not matching" error because the endpoint URL has https, and in the application server (Tomcat) when we try to get the request protocol we obviously get http, since https terminates at the load balancer. So I was trying to explore options for how I can make Tomcat aware that it should use https. – Sandeep Nair Nov 26 '15 at 06:32

2 Answers

You'd need to check your app to see if it is supported, but typically a header is forwarded communicating the request protocol. Traditionally this was the X-Forwarded-Proto header, but the X-... nomenclature has been deprecated. The Forwarded header now supports what was X-Forwarded-For, X-Forwarded-Proto, etc. in one header. There is still wide support for the deprecated method however, so either approach should work pending app support.

X-Forwarded-Proto: https

or

Forwarded: proto=https

The new standard is described in RFC 7239.

Jason Rahm
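To make the header approach concrete, here is an added example (not from this answer, Tomcat or the OpenSAML project) of a servlet Filter that honours `Forwarded: proto=` (RFC 7239) or `X-Forwarded-Proto` and makes `isSecure()`, `getScheme()` and `getRequestURL()` report the client-facing https URL, which is what the SAML endpoint comparison in the question's comments compares against. It only trusts the header when the request arrives from one of the proxy addresses configured in the hypothetical `trustedProxies` init-param, because otherwise any client could claim its request was https. It assumes the `javax.servlet` API (Tomcat 8-era) and that the load balancer listens on port 443.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Marks a request as secure when a trusted proxy reports that TLS was terminated in front of us. */
public class ForwardedProtoFilter implements Filter {

    // Addresses of the Apache hosts allowed to assert the scheme; read from the
    // hypothetical init-param "trustedProxies" (comma-separated), e.g. "10.0.0.11,10.0.0.12".
    private final Set<String> trustedProxies = new HashSet<>();

    @Override
    public void init(FilterConfig config) {
        String list = config.getInitParameter("trustedProxies");
        if (list != null) {
            for (String ip : list.split(",")) {
                trustedProxies.add(ip.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only a request that really came from one of our proxies may carry a trusted scheme claim.
        if (req instanceof HttpServletRequest && trustedProxies.contains(req.getRemoteAddr())) {
            HttpServletRequest http = (HttpServletRequest) req;
            if ("https".equals(forwardedProto(http)) && !http.isSecure()) {
                req = new SecureRequest(http);
            }
        }
        chain.doFilter(req, res);
    }

    /** Returns the scheme from Forwarded (RFC 7239) or X-Forwarded-Proto, or null if neither is present. */
    static String forwardedProto(HttpServletRequest request) {
        String forwarded = request.getHeader("Forwarded");
        if (forwarded != null) {
            // Use the last element: it is the one our proxy appended; earlier ones may be client-supplied.
            String[] elements = forwarded.split(",");
            String last = elements[elements.length - 1];
            for (String pair : last.split(";")) {
                String[] kv = pair.trim().split("=", 2);
                if (kv.length == 2 && kv[0].trim().equalsIgnoreCase("proto")) {
                    return unquote(kv[1]).toLowerCase(Locale.ROOT);
                }
            }
        }
        String xfp = request.getHeader("X-Forwarded-Proto");
        if (xfp != null) {
            String[] values = xfp.split(",");   // same rule: last value is the proxy's
            return values[values.length - 1].trim().toLowerCase(Locale.ROOT);
        }
        return null;
    }

    private static String unquote(String v) {
        v = v.trim();
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
            v = v.substring(1, v.length() - 1);
        }
        return v;
    }

    /** Wrapper that reports the public scheme and port so isSecure()/getScheme()/getRequestURL() match the public URL. */
    static class SecureRequest extends HttpServletRequestWrapper {
        SecureRequest(HttpServletRequest request) { super(request); }
        @Override public boolean isSecure() { return true; }
        @Override public String getScheme() { return "https"; }
        @Override public int getServerPort() { return 443; }   // assumed: load balancer listens on 443
        @Override public StringBuffer getRequestURL() {
            StringBuffer url = new StringBuffer("https://").append(getServerName());
            if (getServerPort() != 443) url.append(':').append(getServerPort());
            return url.append(getRequestURI());
        }
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml as the first filter with the `trustedProxies` init-param set to the Apache addresses. Tomcat also ships an equivalent built-in, `org.apache.catalina.valves.RemoteIpValve`, whose `protocolHeader` and `internalProxies` attributes do the same job in server.xml. With either approach the proxy in front must set or strip the header rather than pass a client-supplied one through, otherwise the trust check is worthless.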
Maybe I'm a bit late here, but I had the same situation. I added

scheme="https", secure="true" and proxyPort="443"

on port 8009, not on port 8080 like in the original question. That's because from Apache the request is made via AJP on port 8009. Also, Apache must have http-ssl.conf enabled from http.conf and it has to be listening on port 443.

I tried this configuration and it worked, the request sent through the Load Balancer in front of the Apache reported the tomcat webapp in https correctly.

I hope this helps whoever has the same problem; it took me days to understand this.

AndreZ