Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CSS11506 with Tomcat web server?

Basically, I use SSL termination on CSS's SSL module and it seems no work for the web server using tomcat. The tomcat server insists to use http, not https. (The server always indicate client to query a URL with http head, not a URL with https head.)

Is it possible to change the behavior from CSS? My configuration is:

ssl-proxy-list ssl-slot3

ssl-server 19

ssl-server 19 vip address 10.1.1.19

ssl-server 19 rsakey testRSAkey

ssl-server 19 rsacert testCAcert

ssl-server 19 cipher rsa-with-rc4-128-sha 10.4.98.19 81

service test-backendserver-8080

ip address 10.3.3.29

protocol tcp

port 8080

keepalive type tcp

keepalive port 8080

active

content ssl-test-rule

vip address 10.1.1.19

protocol tcp

port 443

add service ssl-slot3-srv

active

content ssl-test-rule2

vip address 10.2.2.19

protocol tcp

port 8080

add service test-backendserver-8080

balance leastconn

active

Any comments will be appreciated

Thanks in advance

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: CSS11506 with Tomcat web server?

your tomcat server is either using absolute path (so link like http://.....) in this case the only thing you can do is modify the server, or the tomcat server is sending a redirect to the client to http://....

The SSL-mod can intercept the redirect and rewrite it to HTTPS.

You need to add a command 'ssl-server 19 urlrewrite 1 * sslport 443 clearport 8080'

A sniffer trace would tell you why the client keeps using http.

Gilles.

Cisco Employee

Re: CSS11506 with Tomcat web server?

I do not see the benefit of doing backend ssl if the frontend is cleartext.

Unless the CSS is on the clientside and you want to go accross the internet to the server.

In this case, yes, backend ssl could be a solution.

But verify first with a sniffer trace what is going on.

Gilles.

4 REPLIES
Cisco Employee

Re: CSS11506 with Tomcat web server?

your tomcat server is either using absolute path (so link like http://.....) in this case the only thing you can do is modify the server, or the tomcat server is sending a redirect to the client to http://....

The SSL-mod can intercept the redirect and rewrite it to HTTPS.

You need to add a command 'ssl-server 19 urlrewrite 1 * sslport 443 clearport 8080'

A sniffer trace would tell you why the client keeps using http.

Gilles.

New Member

Re: CSS11506 with Tomcat web server?

if it is absolute path, can I use backend-ssl configuration to achive L5 load balancing (with stickness)?

Cisco Employee

Re: CSS11506 with Tomcat web server?

I do not see the benefit of doing backend ssl if the frontend is cleartext.

Unless the CSS is on the clientside and you want to go accross the internet to the server.

In this case, yes, backend ssl could be a solution.

But verify first with a sniffer trace what is going on.

Gilles.

New Member

Re: CSS11506 with Tomcat web server?

Gilles, thousands thanks your help.

Tomcat's native behavior is to generate

absolute URL's on all redirects. And that cannot be changed.

To fix it is to change configuration on tomcat to treat CSS as a proxy server.

276
Views
0
Helpful
4
Replies
CreatePlease to create content