trailblazzyr55

asked on

Tomcat 7 > Apache 2.x > Coyote Point Load Balancer

Where do I start...? lol..

We have our web server configuration set up behind a Coyote Point Load Balancer which directs requests to one of two web servers. On the web servers we have Apache 2 set up, primarily for rewrite functionality, and Tomcat 7 sitting behind Apache as the servlet container. We're using AJP for handling static content sitting on Apache.

The issue I'm hoping to get some direction on is that our load balancer is handling the SSL and certificates. So from my understanding all encryption/decryption is happening on the load balancer. The problem is I need to somehow tell Tomcat that the incoming request was over HTTPS so I can set the secure flag on our JSessionID cookie.

Currently everything seems to be working as far as handling requests and such, but I cannot seem to get the secure flag set. I know if Apache itself was handling the SSL I could configure a connector on Tomcat to know that the incoming request was secure; however, how does it work with Apache as the middle man between the Coyote load balancer and Tomcat?

I'm not specifically looking for line by line configuration answers, but a high level configuration direction for example: configure such and such connector on Tomcat to handle requests from Apache which should have such and such setting so it knows it received a secure request from the load balancer, even though the load balancer is handling the decryption and SSL...

Basically how do I pass down a flag letting Tomcat know the original request was a secure request so I can ultimately set the secure flag on the JSESSIONID cookie. I know once the load balancer gets the requests and decrypts that generally I shouldn't have to worry about SSL from there, however for security scan concerns, they're insistent on having the JSESSIONID cookie's flag set to secure when behind HTTPS.  

Thanks in advance...
trailblazzyr55

ASKER

I've actually made a bit of progress; however, I can't seem to figure out how to use the header variable our hardware load balancer is setting for requests that come in over SSL. Basically the load balancer is handling the request and then forwarding to one of two Apache servers. If the request was via SSL, we're setting Front-End-Https from the load balancer.

<IfModule env_module>
     # Fake SSL if Loadbalancer does SSL-Offload
     SetEnvIf Front-End-Https "on" HTTPS=on
</IfModule>

But this doesn't seem to be working or make Apache think it's handling SSL. Does anyone have any ideas how I could make this work?
ASKER CERTIFIED SOLUTION
trailblazzyr55

Closed / Answered by Question Author
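
One way to approach the setup described in this thread, shown as an added example that is not from the original posts or from the hidden accepted answer: two independent Tomcat 7 options for getting the Secure flag onto JSESSIONID when TLS ends at the load balancer. Assumptions: the address 192.0.2.10 is a constructed placeholder for the load balancer as Tomcat sees it over AJP, and the load balancer overwrites any client-supplied Front-End-Https header before forwarding.

```xml
<!-- Added example, not from the thread. Options A and B are independent. -->

<!-- Option A: Tomcat conf/server.xml, nested inside <Engine> or <Host>.
     RemoteIpValve sets request.isSecure() to true and the scheme to https
     when a trusted proxy sends the offload header. Tomcat then adds the
     Secure attribute to the session cookie it creates for that request.

     internalProxies is a regular expression matched against the remote
     address Tomcat sees. The header is honoured only for requests from a
     matching address, so list the load balancer here and nothing broader.
     192\.0\.2\.10 is a placeholder (assumption), replace it with yours.

     protocolHeader / protocolHeaderHttpsValue match the header and value
     the load balancer sets in the thread: Front-End-Https: on -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="192\.0\.2\.10"
       protocolHeader="Front-End-Https"
       protocolHeaderHttpsValue="on"
       httpsServerPort="443" />

<!-- Option B: the application's WEB-INF/web.xml, which must use the
     Servlet 3.0 descriptor (supported by Tomcat 7).
     The session cookie always carries Secure, whatever the scheme of the
     request looked like to Tomcat. Browsers will not send the cookie back
     over plain HTTP, so use this only when the whole site is HTTPS at the
     load balancer. -->
<session-config>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>
```

With Option A the header is a trust decision: the web servers should accept connections only from the load balancer, otherwise any client that can reach them directly can assert Front-End-Https itself.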