3 Replies Latest reply: Feb 28, 2006 2:19 AM by 807581

    load balance https for outside, get content via http from inside

    807581
      We have a sun application server (2005Q4) which we want to run our web app and have the web app properly render dynamic urls with the proper protocol and port. This web app is a commercial one (sun actually :) ) so we do not want to screw around with its internals.

      For instance, I can access https://www.abc.com/index.jsp and it will render the urls just fine as they are relative urls.
      However, the rest of the application uses dynamic url generation with protocol://hostname:port/ format.

      So, even though we are serving the pages via SSL at the load balancer (bigip 1000's), the content is being rendered within the j2ee container's environment which appears as http protocol and not https protocol.

      Is there a recommended way to do this?
      Do I need to install the load balancer plugin even though I am load balancing via hardware?
      Will it perform the translation for me?
      Do I just need to flip a switch somewhere in the JVM to override the http protocol with https?

      Insight welcome. I will post a solution back to the forum once I have one.

      Thanks!

      C.
        • 1. Re: load balance https for outside, get content via http from inside
          807581
          If I understand the problem correctly, a https request coming in at the loadbalancer from outside is converted to http internally.

          Most loadbalancers assume that the internal network is secure and convert all the https requests to http internally (which I think provides some performance advantage). One solution could be to turn on https routing, i.e. the incoming https requests will be forwarded to https internally. For example, the software loadbalancer which comes with the Sun Application server provides the option to turn on https-routing in the loadbalancer.xml.


          Hope this helps

          V.
          • 2. Re: load balance https for outside, get content via http from inside
            807581
            Right, understood, I could just forward all requests directly into the server as pure https requests and NOT use the SSL accelerator at the loadbalancer.

            Thanks for the reply Vishwas_Bhari, I appreciate the feedback.

            However, that's not what I want. I want all my SSL at the loadbalancers (pair of bigip's) so I can just do regular http from loadbalancer to app server.

            Oracle 10g and tomcat have the ability to 'spoof' the jvm either through a switch applied in the oracle/apache httpd or through a valve in tomcat.

            sun app server apparently has no such thing that I have found just yet.

            The ascii diagram I am aiming for:

            [browser] <--https--> [loadbalancer] <-- http --> [appserver]

            The problem is that when java dynamically constructs links in the appserver, it sees 'http' instead of 'https' as the protocol it should use. I want a way to override that.

            I have a support ticket open with sun right now, but I wanted to know if others out there have already solved this problem.

            This configuration IS common for high performance apps...offload the SSL to the load balancer, I am very surprised that Sun doesn't recognize this.


            We have explored the theory of placing the sunwebserver in between the LB and the app server with the loadbalancer plugin, but I am not sure that the https-routing switch facilitates what I am asking for.

            I mean, geez, it could be as easy as overriding the protocol with a -D switch instead of stuffing another process in front of the darn app server.

            comments and insights welcome...
            • 3. Re: load balance https for outside, get content via http from inside
              807581
              A possible solution is to use the software LB plugin (bundled with the appserver) as you suggested. With the s/w lb, you could use the authpassthroughEnabled property on the AS; this helps in recognising the correct scheme of the request.
              You can read about authpassthroughEnabled here:
              http://swforum.sun.com/jive/thread.jspa?threadID=62488

              - There is a bug associated with this solution:
              http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6367421

              I believe the AS does not provide any option to use the hardware loadbalancer in the way you have mentioned. However, there is a plan to incorporate a solution in the next appserver release AS8.2EE.

              Vishwas
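
Added example, not part of the original thread and not Sun's code: one container-independent way to get the scheme override discussed above is a servlet filter that wraps the request, in the spirit of the Tomcat valve mentioned in reply 2. It assumes the load balancer is configured to insert a header carrying the original scheme (its name is supplied as an init-param, for example `X-Forwarded-Proto`) and that the public site listens on port 443; the class name and the init-param names `trustedProxy` and `schemeHeader` are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Hypothetical filter: reports the client-facing scheme when SSL ends at the load balancer. */
public class OffloadedSchemeFilter implements Filter {
    private String trustedProxy;   // address the load balancer connects from (assumed init-param)
    private String headerName;     // header the load balancer is assumed to insert

    public void init(FilterConfig cfg) throws ServletException {
        trustedProxy = cfg.getInitParameter("trustedProxy");
        headerName = cfg.getInitParameter("schemeHeader");
        if (trustedProxy == null || headerName == null) {
            throw new ServletException("trustedProxy and schemeHeader init-params are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Only honour the header on connections from the load balancer itself;
            // a client reaching the app server directly could set it to anything.
            boolean fromProxy = trustedProxy.equals(req.getRemoteAddr());
            if (fromProxy && "https".equalsIgnoreCase(http.getHeader(headerName))) {
                req = new HttpsView(http);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** Presents the request as the browser sent it: https on port 443 (assumed public port). */
    private static final class HttpsView extends HttpServletRequestWrapper {
        HttpsView(HttpServletRequest r) { super(r); }
        public String getScheme() { return "https"; }
        public boolean isSecure() { return true; }
        public int getServerPort() { return 443; }
        public StringBuffer getRequestURL() {
            // The wrapped request would still build an http:// URL, so rebuild it here.
            return new StringBuffer("https://").append(getServerName()).append(getRequestURI());
        }
    }
}
```

The filter has to be mapped in the deployment descriptor ahead of the application's servlets, and the load balancer should overwrite any client-supplied copy of the scheme header so that only its own value reaches the application server.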