If I understand the problem correctly, an https request coming in at the loadbalancer from outside is converted to http internally.
Most loadbalancers assume that the internal network is secure and convert all the https requests to http internally (which I think provides some performance advantage). One solution could be to turn on https routing, i.e. the incoming https requests will be forwarded to https internally. For example, the software loadbalancer which comes with the Sun Application Server provides the option to turn on https-routing in the loadbalancer.xml.
Hope this helps
Right, understood, I could just forward all requests directly into the server as pure https requests and NOT use the SSL accelerator at the loadbalancer.
Thanks for the reply Vishwas_Bhari, I appreciate the feedback.
However, that's not what I want. I want all my SSL at the loadbalancers (pair of bigip's) so I can just do regular http from loadbalancer to app server.
Oracle 10g and tomcat have the ability to 'spoof' the jvm either through a switch applied in the oracle/apache httpd or through a valve in tomcat.
Sun app server apparently has no such thing that I have found just yet.
The ascii diagram I am aiming for:
[browser] <--https--> [loadbalancer] <-- http --> [appserver]
The problem is that when java dynamically constructs links in the appserver, it sees 'http' instead of 'https' as the protocol it should use. I want a way to override that.
I have a support ticket open with sun right now, but I wanted to know if others out there have already solved this problem.
This configuration IS common for high performance apps... offload the SSL to the load balancer. I am very surprised that Sun doesn't recognize this.
We have explored the theory of placing the sunwebserver in between the LB and the app server with the loadbalancer plugin, but I am not sure that the https-routing switch facilitates what I am asking for.
I mean, geez, it could be as easy as overriding the protocol with a -D switch instead of stuffing another process in front of the darn app server.
Comments and insights welcome...
A possible solution is to use the software LB plugin (bundled with the appserver) as you suggested. With the s/w LB, you could use the authpassthroughEnabled property on the AS; this helps in recognising the correct scheme of the request.
You can read about authpassthroughEnabled here:
- There is a bug associated with this solution:
I believe the AS doesn't provide any option to use the hardware loadbalancer in the way you have mentioned. However, there is a plan to incorporate a solution in the next appserver release, AS8.2EE.
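
An application-level way to get the scheme override asked for in this thread, as an added example that is not from any poster or from Sun: a servlet filter that presents the request as https when the load balancer says the client connection was https. The header name `X-Forwarded-Proto`, the load balancer address `10.0.0.5`, the external port 443 and the class names are assumptions; the header is honoured only from the load balancer's address so that a client cannot set it directly.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class ForwardedSchemeFilter implements Filter {
    // Assumption: internal address of the load balancer (constructed placeholder).
    private static final String TRUSTED_LB = "10.0.0.5";
    // Assumption: the load balancer adds this header to requests it decrypted.
    private static final String HEADER = "X-Forwarded-Proto";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Ignore the header unless the TCP peer is the load balancer itself.
            boolean fromLb = TRUSTED_LB.equals(http.getRemoteAddr());
            if (fromLb && "https".equalsIgnoreCase(http.getHeader(HEADER))) {
                req = new HttpsView(http);
            }
        }
        chain.doFilter(req, res);
    }

    // Request view that reports the scheme the browser actually used.
    static class HttpsView extends HttpServletRequestWrapper {
        HttpsView(HttpServletRequest r) { super(r); }
        public String getScheme() { return "https"; }
        public boolean isSecure() { return true; }
        // Assumption: the load balancer listens on the default https port.
        public int getServerPort() { return 443; }
        public StringBuffer getRequestURL() {
            StringBuffer url = new StringBuffer("https://").append(getServerName());
            return url.append(getRequestURI());
        }
    }
}
```

The filter has to be mapped to `/*` in web.xml ahead of any code that builds links, and it only affects URLs the application derives from the request object.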