trailblazzyr55 asked:
Tomcat 7 > Apache 2.x > Coyote Point Load Balancer
Where do I start...? lol..
We have our web server configuration set up behind a Coyote Point Load Balancer which directs requests to one of two web servers. On the web servers we have Apache 2 set up, primarily for rewrite functionality, and Tomcat 7 sitting behind Apache as the servlet container. We're using AJP for handling static content sitting on Apache.
The issue I'm hoping to get some direction on is that our load balancer is handling the SSL and certificates. So from my understanding all encryption/decryption is happening on the load balancer. The problem is I need to somehow tell Tomcat that the incoming request was over HTTPS so I can set the secure flag on our JSessionID cookie.
Currently everything seems to be working as far as handling requests and such, but I cannot seem to get the secure flag set. I know if Apache itself was handling the SSL I could configure a connector on Tomcat to know the incoming request was secure, however how does it work with Apache as the middle man between the Coyote load balancer and Tomcat?
I'm not specifically looking for line by line configuration answers, but a high level configuration direction for example: configure such and such connector on Tomcat to handle requests from Apache which should have such and such setting so it knows it received a secure request from the load balancer, even though the load balancer is handling the decryption and SSL...
Basically how do I pass down a flag letting Tomcat know the original request was a secure request so I can ultimately set the secure flag on the JSESSIONID cookie. I know once the load balancer gets the requests and decrypts that generally I shouldn't have to worry about SSL from there, however for security scan concerns, they're insistent on having the JSESSIONID cookie's flag set to secure when behind HTTPS.
Thanks in advance...
ASKER
Closed / Answered by Question Author
ASKER
<IfModule env_module>
# Fake SSL if Loadbalancer does SSL-Offload
SetEnvIf Front-End-Https "on" HTTPS=on
</IfModule>
but this doesn't seem to be working or make Apache think it's handling SSL. Does anyone have any ideas how I could make this work?
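Added example, not part of the original thread and not the hidden accepted answer: two Tomcat 7 settings that each put the Secure flag on JSESSIONID when TLS ends at the load balancer. The AJP port 8009 is an assumption, and the connector variant assumes every request reaching that connector was HTTPS at the load balancer.

```xml
<!-- Fragment 1: conf/server.xml, inside <Service>.
     Tomcat treats every request arriving on this AJP connector as HTTPS:
     request.isSecure() returns true, getScheme() returns "https", and the
     session cookie is issued with the Secure flag.
     Port 8009 is an assumed value; use the port Apache forwards to. -->
<Connector port="8009" protocol="AJP/1.3"
           scheme="https" secure="true" proxyPort="443" />

<!-- Caveat: the attributes are per connector, not per request. If plain
     HTTP traffic can also reach Tomcat, route it to a second connector
     without scheme/secure so it is not reported as secure. -->

<!-- Fragment 2: WEB-INF/web.xml, inside a <web-app version="3.0"> root.
     Servlet 3.0 session cookie settings, independent of how the request
     arrived. With secure=true the browser never sends the session cookie
     over plain HTTP, so sessions only work on the HTTPS entry point. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

Either fragment is enough for the cookie flag; the connector variant also makes redirects and `request.getScheme()` reflect the scheme the client used.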