trailblazzyr55 asked on

Tomcat 7 > Apache 2.x > Coyote Point Load Balancer

Where do I start...? lol..

We have our web server configuration set up behind a Coyote Point Load Balancer which directs requests to one of two web servers. On the web servers we have Apache 2 set up, primarily for rewrite functionality, and Tomcat 7 sitting behind Apache as the servlet container. We're using AJP for handling static content sitting on Apache.

The issue I'm hoping to get some direction on is that our load balancer is handling the SSL and certificates. So from my understanding all encryption/decryption is happening on the load balancer. The problem is I need to somehow tell Tomcat that the incoming request was over HTTPS so I can set the secure flag on our JSessionID cookie.

Currently everything seems to be working as far as handling requests and such, but I cannot seem to get the secure flag set. I know if Apache itself was handling the SSL I could configure a connector on Tomcat to know the incoming request was secure; however, how does it work with Apache as the middle man between the Coyote load balancer and Tomcat?

I'm not specifically looking for line by line configuration answers, but a high level configuration direction for example: configure such and such connector on Tomcat to handle requests from Apache which should have such and such setting so it knows it received a secure request from the load balancer, even though the load balancer is handling the decryption and SSL...

Basically how do I pass down a flag letting Tomcat know the original request was a secure request so I can ultimately set the secure flag on the JSESSIONID cookie. I know once the load balancer gets the requests and decrypts that generally I shouldn't have to worry about SSL from there, however for security scan concerns, they're insistent on having the JSESSIONID cookie's flag set to secure when behind HTTPS.  

Thanks in advance...
Apache Web Server, Java App Servers, Networking Hardware-Other


8/22/2022 - Mon

I've actually made a bit of progress; however, I can't seem to figure out how to use the header variable our hardware load balancer is setting for requests that come in over SSL. Basically the load balancer is handling the request and then forwarding to one of two Apache servers. If the request was via SSL, we're setting Front-End-Https from the load balancer.

<IfModule env_module>
     # Fake SSL if Loadbalancer does SSL-Offload
     SetEnvIf Front-End-Https "on" HTTPS=on
</IfModule>

but this doesn't seem to be working or make Apache think it's handling SSL. Does anyone have any ideas how I could make this work?


Closed / Answered by Question Author
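
A way to verify the outcome the security scan is asking for, as an added example that is not part of the original thread: given the request headers a backend server received and the Set-Cookie lines it returned, report any JSESSIONID cookie issued without the Secure attribute when the load balancer marked the request as HTTPS. The header name and cookie name come from the post; the sample exchange and function names are constructed for illustration.

```python
SESSION_COOKIE = "JSESSIONID"        # session cookie name from the post
OFFLOAD_HEADER = "front-end-https"   # header the load balancer sets (from the post)

# Constructed sample exchange as seen on a backend server behind the balancer.
SAMPLE_REQUEST = {"Host": "app.example.test", "Front-End-Https": "on"}
SAMPLE_RESPONSE = [
    "JSESSIONID=secure1A2B3C; Path=/app; HttpOnly",  # value contains "secure", flag absent
    "theme=dark; Path=/; Secure",
]


def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def was_https_at_lb(request_headers):
    """True if the offload header says the client connection used TLS."""
    for key, val in request_headers.items():
        if key.lower() == OFFLOAD_HEADER:
            return val.strip().lower() == "on"
    return False


def audit(request_headers, set_cookie_lines):
    """Return the Set-Cookie lines a scanner would flag for a missing Secure flag."""
    if not was_https_at_lb(request_headers):
        return []  # plain-HTTP request: Secure is not expected here
    flagged = []
    for line in set_cookie_lines:
        name, _, attrs = parse_set_cookie(line)
        # Match on the parsed attribute, not a substring, so a cookie value
        # that happens to contain "secure" does not mask the finding.
        if name == SESSION_COOKIE and "secure" not in attrs:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in audit(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("JSESSIONID issued without Secure on an HTTPS request:", line)
```
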