I have apache running on one machine as a load balancer:
<VirtualHost *:443>
    ServerName ssl.example.com
    DocumentRoot /home/example/public
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key
    <Proxy balancer://myappcluster>
        BalancerMember http://app1.example.com:12345 route=app1
        BalancerMember http://app2.example.com:12345 route=app2
    </Proxy>
    ProxyPass / balancer://myappcluster/ stickysession=_myapp_session
    ProxyPassReverse / balancer://myappcluster/
</VirtualHost>
Note that the balancer takes requests under SSL port 443, but then communicates to the balancer members on a non-ssl port. Is it possible to have the forwarding to the balancer members be under SSL too?
If so, is this the best/recommended way?
If so, do I have to have another SSL cert for each balancer member?
Does the SSLProxyEngine directive have anything to do with this?
Yes, you're on the right track. You'll want to set up an SSL listener on your backend devices.
You will need certs for them, but it can probably just be self-signed ones - unless you set an SSLProxyVerify directive, Apache doesn't care about authenticating them (of course, you can have it verify if you choose). And yes, set SSLProxyEngine on, and change your ProxyPass directives to https and the correct new port.

You don't want to do this. Your Apache HTTPD balancer should be running in the same LAN as the Tomcats so SSL shouldn't be required, and in any case Apache HTTPD has to be the SSL endpoint to the client anyway, and also a trusted SSL endpoint to Tomcat. There's no point in the second part of that.
You can configure Apache HTTPD SSL so as to pass on the client certificates etc over AJP so your web-app can't actually tell it isn't SSL, and the degree to which you can customize SSL right down to the directory level in Apache HTTPD makes it a far better place to handle SSL configuration anyway.
I found that if you balance SSL to non-SSL Tomcat, then the Tomcat app gets its base set to the non-SSL URL, which seems to cause problems with a mixture of SSL and non-SSL content. Passing SSL to an SSL Tomcat works fine.
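For reference, here is the question's VirtualHost rewritten the way the first answer describes (SSLProxyEngine on, https BalancerMembers) with backend verification switched on instead of left at its default. This is an added example, not configuration from the question or any of the answers; the CA bundle path /etc/pki/tls/certs/backend-ca.pem and the backend port 12346 are assumptions.

```apache
<VirtualHost *:443>
    ServerName ssl.example.com
    DocumentRoot /home/example/public

    # Client-facing TLS, unchanged from the question
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key

    # Enable TLS on the outbound (proxy) side so https:// backends work
    SSLProxyEngine on

    # Authenticate the backends rather than accepting any certificate.
    # backend-ca.pem is an assumed path: a PEM bundle holding either the
    # internal CA that issued the backend certs, or the backends' own
    # self-signed certs (a self-signed cert is trusted as its own CA).
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem

    # Each backend cert must name the host used in its BalancerMember URL
    # (app1.example.com / app2.example.com), or the handshake is refused.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Port 12346 is an assumed HTTPS listener on the app servers
    <Proxy balancer://myappcluster>
        BalancerMember https://app1.example.com:12346 route=app1
        BalancerMember https://app2.example.com:12346 route=app2
    </Proxy>

    ProxyPass / balancer://myappcluster/ stickysession=_myapp_session
    ProxyPassReverse / balancer://myappcluster/
</VirtualHost>
```

Without the SSLProxyVerify / SSLProxyCACertificateFile lines Apache will still encrypt the hop but will accept whatever certificate the backend presents, so the second leg is confidential only against a passive observer, not against anything that can answer on port 12346 in the backend's place.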