
[OFBiz] Dev - ssl accelerator ideas

Posted by Alex Schmelkin on Oct 17, 2005; 1:56pm
URL: http://ofbiz.116.s1.nabble.com/OFBiz-Dev-Sample-RMI-Client-from-ofbiz-blog-tp166143p166150.html

A production web cluster that we maintain is planned to be upgraded to
terminate SSL directly on our load balancer, a Cisco content switch.  All
SSL keys and encryption/decryption will be moved to the l-b, which in turn
will only communicate over HTTP with the web servers.

Setup:
request -> load balancer -> apache (mod_jk) -> tomcat/ofbiz

OFBiz is not loving the setup for pages that are configured to require SSL
(checkout, payment, my account, etc).  Requests that are indeed secure
appear to have been communicated to OFBiz over a non-encrypted channel, and
OFBiz issues a 302 redirect to serve the current page with SSL.

This results in an endless loop of 302's as the request will never satisfy
OFBiz's encrypted requirement and always result in a redirect response.

Two options come to mind that we don't love.  I'm hoping there are setups
that others are using in production clusters that are a bit better:

1) turn off secure page requirements -- but, this would allow someone to
manually browse to http://server/myaccount, which is not ideal

2) have the load balancer re-encrypt the SSL traffic and communicate with
the web server over HTTPS again -- this would make this problem go away but
doubles the load on the l-b, and puts SSL load back on the web servers
again.

Any suggestions are greatly appreciated!

Thanks.

 
_______________________________________________
Dev mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/dev
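
The redirect loop described in the message above, modelled as an added example that is not part of the original post and is not OFBiz code. It also shows one common way out: the back end honours an `X-Forwarded-Proto` header only when the request arrives from the load balancer's own address. The header choice, the host name `shop.example`, the addresses and all function names are assumptions, including that the load balancer can be configured to inject the header.

```python
# Constructed model of the chain in the post: client -> load balancer -> app.
# All names, addresses and the header choice are assumptions for illustration.
LB_ADDR = "10.0.0.5"                      # constructed address of the load balancer
SECURE_PATHS = {"/checkout", "/myaccount"}

def is_secure(peer_addr, headers, trusted_proxies):
    """Treat a plain-HTTP hop as secure only if a trusted proxy vouches for it."""
    if peer_addr not in trusted_proxies:
        return False                       # header from anyone else is ignored
    return headers.get("X-Forwarded-Proto", "").lower() == "https"

def app(path, peer_addr, headers, trusted_proxies):
    """Back end: always reached over http; returns (status, location)."""
    if path in SECURE_PATHS and not is_secure(peer_addr, headers, trusted_proxies):
        return 302, "https://shop.example" + path
    return 200, None

def load_balancer(url, client_headers, trusted_proxies):
    """Terminates TLS, overwrites the client's header, forwards over http."""
    scheme, rest = url.split("://", 1)
    path = "/" + rest.split("/", 1)[1]
    headers = dict(client_headers)
    headers["X-Forwarded-Proto"] = scheme  # overwrite, never pass through
    return app(path, LB_ADDR, headers, trusted_proxies)

def fetch(url, trusted_proxies, max_hops=5):
    """Follow redirects like a browser; returns (final_status, hops)."""
    for hop in range(1, max_hops + 1):
        status, location = load_balancer(url, {}, trusted_proxies)
        if status != 302:
            return status, hop
        url = location
    return 302, max_hops                   # still redirecting: the loop

if __name__ == "__main__":
    # Back end ignores the header: every https request is redirected again.
    print(fetch("https://shop.example/checkout", trusted_proxies=set()))
    # Back end trusts the header from the load balancer only.
    print(fetch("https://shop.example/checkout", trusted_proxies={LB_ADDR}))
    # Direct request to a web server with a forged header is still redirected.
    print(app("/myaccount", "203.0.113.9", {"X-Forwarded-Proto": "https"}, {LB_ADDR}))
```

The trust check only holds if the web servers are not reachable except through the load balancer, or if the peer address is verified as shown; otherwise the header is client-controlled input.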