CSS11506 with Tomcat web server?

Answered Question
Apr 5th, 2008

Basically, I use SSL termination on the CSS's SSL module, and it does not seem to work for a web server using Tomcat. The Tomcat server insists on using http, not https. (The server always tells the client to query a URL with an http head, not a URL with an https head.)


Is it possible to change the behavior from CSS? My configuration is:


ssl-proxy-list ssl-slot3
  ssl-server 19
  ssl-server 19 vip address 10.1.1.19
  ssl-server 19 rsakey testRSAkey
  ssl-server 19 rsacert testCAcert
  ssl-server 19 cipher rsa-with-rc4-128-sha 10.4.98.19 81

service test-backendserver-8080
  ip address 10.3.3.29
  protocol tcp
  port 8080
  keepalive type tcp
  keepalive port 8080
  active

content ssl-test-rule
  vip address 10.1.1.19
  protocol tcp
  port 443
  add service ssl-slot3-srv
  active

content ssl-test-rule2
  vip address 10.2.2.19
  protocol tcp
  port 8080
  add service test-backendserver-8080
  balance leastconn
  active

Any comments will be appreciated.


Thanks in advance




Correct Answer
Gilles Dufour Sat, 04/05/2008 - 06:23

Your Tomcat server is either using absolute paths (so links like http://.....), in which case the only thing you can do is modify the server, or the Tomcat server is sending a redirect to the client to http://....

The SSL-mod can intercept the redirect and rewrite it to HTTPS.


You need to add a command 'ssl-server 19 urlrewrite 1 * sslport 443 clearport 8080'


A sniffer trace would tell you why the client keeps using http.


Gilles.
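
Added example, not part of the original thread and not Cisco's implementation: a simplified Python model of the check a sniffer trace supports and of the effect of 'urlrewrite 1 * sslport 443 clearport 8080' on a backend redirect. The function names, the sample response and the host www.example.com are constructed for illustration, and the port-matching rule is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a backend response as it might appear in a trace.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Location: http://www.example.com:8080/app/login.jsp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_redirect(raw):
    """Return (status, location) for a 3xx response, or None otherwise."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", head[0])
    if not m or not m.group(1).startswith("3"):
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return int(m.group(1)), value.strip()
    return None

def rewrite_location(location, ssl_port=443, clear_port=8080):
    """Assumed model: http://host[:clear_port] becomes https://host[:ssl_port]."""
    parts = urlsplit(location)
    if parts.scheme != "http":
        return location  # relative or already https: leave untouched
    if (parts.port or 80) != clear_port:
        return location  # different clear port: the rule does not match
    host = parts.hostname if ssl_port == 443 else f"{parts.hostname}:{ssl_port}"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))

def check(raw):
    """Report whether a backend response sends the client back to cleartext."""
    redirect = parse_redirect(raw)
    if redirect is None:
        return {"downgrade": False, "location": None, "rewritten": None}
    _, location = redirect
    return {"downgrade": urlsplit(location).scheme == "http",
            "location": location,
            "rewritten": rewrite_location(location)}

if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE))
```

Absolute http:// links inside the HTML body are not covered by a Location rewrite, which matches the answer's point that those have to be fixed on the server.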

julxu Mon, 04/07/2008 - 01:15


If it is an absolute path, can I use a backend-ssl configuration to achieve L5 load balancing (with stickiness)?



Correct Answer
Gilles Dufour Mon, 04/07/2008 - 01:34

I do not see the benefit of doing backend ssl if the frontend is cleartext.

Unless the CSS is on the client side and you want to go across the internet to the server.

In this case, yes, backend ssl could be a solution.


But verify first with a sniffer trace what is going on.


Gilles.

julxu Wed, 04/16/2008 - 19:03

Gilles, a thousand thanks for your help.

Tomcat's native behavior is to generate absolute URLs on all redirects, and that cannot be changed.

The fix is to change the configuration on Tomcat to treat the CSS as a proxy server.
