troubleshooting Question

Tomcat 7 > Apache 2.x > Coyote Point Load Balancer

Avatar of trailblazzyr55
trailblazzyr55 asked on
Apache Web ServerJava App ServersNetworking Hardware-Other
3 Comments1 Solution1026 ViewsLast Modified:
Where do I start...? lol..

We have our web server configuration setup behind a Coyote Point Load Balancer which directs request to one of two web servers. On the web servers we have Apache 2 setup, primarily for rewrite functionality, and Tomcat 7 sitting behind Apache as the servlet container. We're using AJP for handling static content sitting on Apache.

The issue I'm hoping to get some direction on is that our load balancer is handling the SSL and certificates. So from my understanding all encryption/decryption is happening on the load balancer. The problem is I need to somehow tell Tomcat that the incoming request was over HTTPS so I can set the secure flag on our JSessionID cookie.

Currently everything seems to be working as far as handling requests and such, but I cannot seem to get the secure flag set. I know if Apache itself was handling the SSL I could configure a connector on Tomcat to know the the incoming request was secure, however how does it work with Apache as the middle man between the Coyote load balancer and Tomcat?

I'm not specifically looking for line by line configuration answers, but a high level configuration direction for example: configure such and such connector on Tomcat to handle requests from Apache which should have such and such setting so it knows it received a secure request from the load balancer, even though the load balancer is handling the decryption and SSL...

Basically how do I pass down a flag letting Tomcat know the original request was a secure request so I can ultimately set the secure flag on the JSESSIONID cookie. I know once the load balancer gets the requests and decrypts that generally I shouldn't have to worry about SSL from there, however for security scan concerns, they're insistent on having the JSESSIONID cookie's flag set to secure when behind HTTPS.  

Thanks in advance...

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 3 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros