Load-balancing configuration for an HTTPS application on Tomcat

Yay! I came up with a solution to my own problem. Here is what you
do:

In Tomcat server.xml, you can configure the Connector to run behind a
proxy using the proxyName and proxyPort parameters.

Here is the relevant piece of Tomcat documentation on these parameters:

"The proxyName and proxyPort attributes can be used when Tomcat is run
behind a proxy server. These attributes modify the values returned to
web applications that call the request.getServerName() and
request.getServerPort() methods, which are often used to construct
absolute URLs for redirects. Without configuring these attributes, the
values returned would reflect the server name and port on which the
connection from the proxy server was received, rather than the server
name and port to whom the client directed the original request."

Well, in my case, I'm running Tomcat behind an SSL decoder, not a
Proxy, but the effect is the same, and the solution is the same.

So, in the Connector attributes, I set the "proxyName" to the server
name of my website as seen from the outside world. I set "proxyPort"
to 443. I set "scheme" to "https", and I set "secure" to "true".

And it works!!! When Tomcat generates absolute URLs, it knows to use
these parameters to build the URL rather than the values from the
incoming request.

This solution seems so obvious in hindsight, but coming from the other
direction, I didn't know what to look for. I was doing tons of reading
on the topic of "SSL with Tomcat" and not on the topic of "proxies with
Tomcat".

Hope this helps someone else!

Robert Pappas



wrote:
> Greetings!
>
> We have implemented an HTTPS application on Tomcat, and we run multiple
> Application Servers for load-balancing.
>
> Without getting into all the details of what and WHY....we have a
> hardware SSL decoder in front of our load balancer.
>
> So, the user browser submits an https request, and the SSL decoder
> turns it into an http request, and Tomcat processes the http request.
>
> The only problem is, every time Tomcat generates a page redirect, it
> sends a fully qualified URL back to the browser, and it prepends "http"
> onto the URL. (Tomcat thinks we are running an http site, but we are
> actually running an https site).
>
> And when the user browser receives an "http" redirect after sending an
> "https" request, it pops up a security warning to the user. (At least
> Internet Explorer does.)
>
> Is there any way to tell Tomcat "Hey, I know the requests are coming in
> as http, but please generate all outbound redirects as https!!!"
>
> I found that you could set the "scheme" parameter on a Tomcat
> Connector, and that kinda works, but it breaks the Tomcat Login Process
> (j_security_check), because j_security_check adds a port number (80) to
> the URL. And you end up with an https request going to port
> 80....which causes a nasty error.
>
> How about we give up on Tomcat and try WebSphere or a commercial
> Application Server? Do THEY handle this better?
>
> Any help desperately appreciated!!!
>
> Robert Pappas
>

Note: before a request reaches the load balancer, it passes through a hardware SSL decoder that decrypts it.

Reposted from

http://www.velocityreviews.com/forums/t145712-load-balancing-an-https-java-web-application-in-tomcat.html
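
The Connector change described in the reply above, written out as a server.xml fragment. This is an added example, not configuration from the original post; the port 8080 and the host name www.example.com are placeholders.

```xml
<!-- Added example. Port 8080 and www.example.com are placeholders.
     The two elements are alternatives for the same listener: use one. -->

<!-- Before: plain HTTP connector receiving the traffic already decrypted
     by the SSL decoder. request.getScheme(), getServerName() and
     getServerPort() reflect the internal hop, so absolute redirects
     come out as http://... -->
<Connector port="8080" />

<!-- After: same listener, but the values reported to the web application
     describe the public HTTPS endpoint the browser actually used.
       proxyName / proxyPort : returned by getServerName() / getServerPort()
       scheme                : returned by getScheme()
       secure                : returned by isSecure()
     Setting scheme alone is the case from the question: without proxyPort
     the redirect for j_security_check is built as https on port 80.
     secure="true" makes isSecure() return true for every request that
     arrives on this connector, whether or not it came through the SSL
     decoder, so this port should be reachable only from the
     decoder / load balancer. -->
<Connector port="8080"
           proxyName="www.example.com"
           proxyPort="443"
           scheme="https"
           secure="true" />
```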
