A**o Posts: 1550 | 1 i have an apache/jboss stack which works ok with both http and https.
now i'm adding a load balancer (lb) in front of the apache.
and the load balancer can do the ssl for the apache.
however, if the lb does the ssl termination,
the apache doesn't know it's from ssl anymore
and it kind of screws up the redirects from tomcat below.
any suggestions? |
k***r Posts: 4260 | 2 is it possible to disable SSL so that the lb acts like
a port forwarder?
[Quoting A**o's post]
: i have an apache/jboss stack which works ok with both http and https.
: now i'm adding a load balancer (lb) in front of the apache.
: and the load balancer can do the ssl for the apache.
: however, if the lb does the ssl termination,
: the apache doesn't know it's from ssl anymore
: and it kind of screws up the redirects from tomcat below.
: any suggestions?
|
A**o Posts: 1550 | 3 yes, of course, that's what i'm using now.
just felt like a waste not being able to use lb's function. :)
[Quoting k***r's post]
: is it possible to disable SSL so that the lb acts like
: a port forwarder?
|
k***r Posts: 4260 | 4 Another option is to forward HTTP and HTTPS to two
different Apache instances
[Quoting A**o's post]
: yes, of course, that's what i'm using now.
: just felt like a waste not being able to use lb's function. :)
|
A**o Posts: 1550 | 5 hey, good point! i'll try that tmr.
[Quoting k***r's post]
: Another option is to forward HTTP and HTTPS to two
: different Apache instances
|
A**o Posts: 1550 | 6 wait, how does the other apache tell the tomcat that
it's a https connection, then?
[Quoting k***r's post]
: Another option is to forward HTTP and HTTPS to two
: different Apache instances
|
k***r Posts: 4260 | 7 How about the one handling HTTPS redirects/proxies the
requests to specific URLs on your tomcat so that your
Tomcat knows?
[Quoting A**o's post]
: wait, how does the other apache tell the tomcat that
: it's a https connection, then?
|
A**o Posts: 1550 | 8 i have minimal knowledge of the lb.
and the network guy has no knowledge of apache/tomcat.
that's the problem.
[Quoting k***r's post]
: How about the one handling HTTPS redirects/proxies the
: requests to specific URLs on your tomcat so that your
: Tomcat knows?
|
k***r Posts: 4260 | 9 Just tell the network person to forward HTTPS to this host1:port1
and HTTP to host2:port2 (host1 and host2 can be the same as long
as port1 and port2 are different.)
Then you should be able to figure out the rest. You should be able
to replace the HTTPS apache instance with a squid, though.
I'm not sure how LB works. Wouldn't you lose the source IP in
the logs?
I'd use a lightweight web server as software load balancer.
[Quoting A**o's post]
: i have minimal knowledge of the lb.
: and the network guy has no knowledge of apache/tomcat.
: that's the problem.
|
m******t Posts: 2416 | 10
Why does tomcat _need_ to know? (or why does apache even need
to know, now that you've it all handled by the lb?)
[Quoting A**o's post]
: wait, how does the other apache tell the tomcat that
: it's a https connection, then?
|
k***r Posts: 4260 | 11 Maybe I didn't understand you correctly:
"apache doesn't know it's from ssl anymore
and it kind of screws up the redirects from tomcat below."
I thought your tomcat needed to know where a request
is coming from (http or https).
[Quoting m******t's post]
: Why does tomcat _need_ to know? (or why does apache even need
: to know, now that you've it all handled by the lb?)
|
m******t Posts: 2416 | 12
Isn't that information always in the request url? Well unless
the lb is configured to also rewrite the request url, in which
case I would recommend also configuring the lb to save the original
url in a different request header.
[Quoting k***r's post]
: Maybe I didn't understand you correctly:
: "apache doesn't know it's from ssl anymore
: and it kind of screws up the redirects from tomcat below."
: I thought your tomcat needed to know where a request
: is coming from (http or https).
|
k***r Posts: 4260 | 13 You wanted to differentiate http and https requests? No?
I'm not sure if the request URL has this when tomcat sees it.
Do you see that in tomcat log or servlet code?
[Quoting m******t's post]
: Isn't that information always in the request url? Well unless
: the lb is configured to also rewrite the request url, in which
: case I would recommend also configuring the lb to save the original
: url in a different request header.
|
m******t Posts: 2416 | 14
Unless your lb or apache rewrites the url completely, it should be kept
exactly as the client requested it.
[Quoting k***r's post]
: You wanted to differentiate http and https requests? No?
: I'm not sure if the request URL has this when tomcat sees it.
: Do you see that in tomcat log or servlet code?
|
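
Added example, not written by any poster in this thread: a Python sketch of the situation in post 1 and the "different request header" idea in post 12, where the backend builds redirects from the scheme the load balancer reports but only believes that header when the request actually arrived from the load balancer. The header name `X-Forwarded-Proto`, the 10.0.0.0/24 load balancer subnet, the host name and the function names are assumptions for illustration.

```python
import ipaddress

# Assumptions for this sketch (none of these values appear in the thread):
# the LB sits in 10.0.0.0/24 and sets X-Forwarded-Proto on every request.
TRUSTED_LB_NETS = [ipaddress.ip_network("10.0.0.0/24")]
PROTO_HEADER = "x-forwarded-proto"


def effective_scheme(peer_ip, wire_scheme, headers):
    """Scheme the client used, as far as the backend is allowed to believe it.

    wire_scheme is what the backend sees on its own socket; once the LB
    terminates SSL this is "http" for every request.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_LB_NETS):
        # Not from the LB: ignore the header, or any client could claim
        # "https" over a cleartext connection.
        return wire_scheme
    lowered = {name.lower(): value for name, value in headers.items()}
    # If the header was appended to rather than overwritten, the last
    # entry is the one written by the nearest hop, i.e. the LB itself.
    claimed = lowered.get(PROTO_HEADER, "").split(",")[-1].strip().lower()
    return claimed if claimed in ("http", "https") else wire_scheme


def redirect_location(peer_ip, wire_scheme, host, headers, path):
    """Absolute Location value the app server would emit for a redirect."""
    return f"{effective_scheme(peer_ip, wire_scheme, headers)}://{host}{path}"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, headers as received).
    samples = [
        ("10.0.0.5", {"X-Forwarded-Proto": "https"}),     # via LB, was HTTPS
        ("10.0.0.5", {}),                                 # via LB, header missing
        ("203.0.113.9", {"X-Forwarded-Proto": "https"}),  # direct hit, spoofed
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->",
              redirect_location(peer, "http", "app.example.com", hdrs, "/login"))
```

The second sample reproduces the broken redirect from post 1: without the header the backend can only emit an `http://` Location even though the client connected over HTTPS.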