Apache Tomcat with SSL behind Amazon ELB
If you’re running a high-availability system of some kind, chances are you are into some sort of Load Balancing. If you happen to be writing a Java app, and happen to be using Apache Tomcat as your servlet container, then this tip is for you.
I had a system which needed to be HTTPS-only but also have the SSL terminated at the load balancer. Naturally, I forwarded the HTTP and HTTPS ports on my Elastic Load Balancer and had my application configured to redirect any insecure connections to an SSL connection. I started having a couple of strange issues where occasionally it would leave the connection on HTTP when it should have been redirecting.
My setup was basically:
HTTP (80) -----> ELB -----> Tomcat (8080)
HTTPS (443) -----> ELB -----> Tomcat (8080)
Turned out, I needed to set a couple of extra options in my Tomcat HTTP Connector section (find it in server.xml). This was the combination of options that did it for me:
<Connector
    port="8080"
    protocol="HTTP/1.1"
    proxyPort="443"
    scheme="https"
    secure="true"
    proxyName="myapp.example.com"
    connectionTimeout="20000"
    URIEncoding="UTF-8"
    redirectPort="8443" />
This assumes your app is hosted at myapp.example.com.
In my case, the one that really did the trick was secure="true", which according to the documentation:
Set this attribute to true if you wish to have calls to request.isSecure() to return true for requests received by this Connector.
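Connector attributes apply to every request that arrives on that port, so with both ELB listeners forwarding to 8080, request.isSecure() also returns true for traffic that reached the ELB over plain HTTP, and a redirect based on isSecure() will not fire for it. The following is an added example, not the author's configuration, that gives each ELB listener its own connector so only the HTTPS listener is marked secure. Instance port 8081 and the listener-to-port mapping are assumptions; the ELB must be configured to match.

```xml
<!-- server.xml (added example; port 8081 is an assumed value) -->

<!-- ELB listener HTTP 80 forwards to instance port 8080.
     No scheme/secure overrides: request.isSecure() is false and
     request.getScheme() is "http", so the application's redirect
     (or a CONFIDENTIAL transport-guarantee in web.xml) still fires.
     redirectPort="443" makes container-issued redirects point at
     https://myapp.example.com/ with no explicit port. -->
<Connector
    port="8080"
    protocol="HTTP/1.1"
    proxyName="myapp.example.com"
    proxyPort="80"
    connectionTimeout="20000"
    URIEncoding="UTF-8"
    redirectPort="443" />

<!-- ELB listener HTTPS 443 forwards to instance port 8081.
     TLS is terminated at the ELB, so this connector speaks plain HTTP
     but reports the request as https/secure to the application.
     Only the load balancer should be able to reach this port
     (restrict it in the instance security group), because anything
     that connects here is treated as having arrived over TLS. -->
<Connector
    port="8081"
    protocol="HTTP/1.1"
    proxyName="myapp.example.com"
    proxyPort="443"
    scheme="https"
    secure="true"
    connectionTimeout="20000"
    URIEncoding="UTF-8" />
```

To check the result, request the site over http:// and confirm the response is a redirect to https://, then confirm that session cookies issued over HTTPS carry the Secure flag.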
Hopefully this will save someone some headaches.