Posted by
David E. Jones on
Oct 18, 2005; 10:04pm
URL: http://ofbiz.116.s1.nabble.com/OFBiz-Dev-Sample-RMI-Client-from-ofbiz-blog-tp166143p166151.html
Alex,
This is an issue common to all SSL accelerators. The option #1 that
you mentioned is a good way to go and generally the approach for
applications behind this sort of tool. In most cases the SSL
accelerator can send the encrypted requests to a different port or
add an entry to the HTTP request header so that applications can
distinguish between secure and insecure pages, and for either of
these options OFBiz would have to be changed to recognize these as
qualifiers for secure requests.
To turn off the SSL forwarding and requirement in general, just change
the use https property in the url.properties file, or the corresponding
field on the webapp's WebSite record.
Generally when an SSL accelerator is used, whether a separate port or
HTTP header entry is added or not, the application servers should be
available only through the accelerator and should either be on an
internal only network, or have all such ports blocked from the
outside with a firewall. That is true for load balancers and other
such pass through appliances in general actually, even for things
like an Apache front facing server or such.
-David
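One way to implement the header-based qualifier David describes, as an added example that is not OFBiz code: a servlet filter that treats a request as secure only when the connector says so or when the accelerator (identified by its address, the only peer that should be able to reach the app server) sets a forwarding header. The header name, the accelerator address, the secure path list and the Java 9+ servlet environment are all assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical filter: a request counts as secure when the accelerator marks it so via a
// header, but only if it really arrived from the accelerator; otherwise isSecure() decides.
public class AcceleratorAwareSecureFilter implements Filter {
    // Assumed header name and accelerator address; adjust to the deployment.
    private static final String PROTO_HEADER = "X-Forwarded-Proto";
    private static final Set<String> TRUSTED_ACCELERATORS = Set.of("10.0.0.5");
    // Assumed paths the site requires over SSL (checkout, payment, my account).
    private static final Set<String> SECURE_PREFIXES = Set.of("/checkout", "/payment", "/myaccount");

    static boolean isSecureRequest(boolean connectorSecure, String remoteAddr, String proto) {
        if (connectorSecure) return true;                 // real SSL on this hop
        // Believe the header only when the peer we see is the accelerator itself.
        return TRUSTED_ACCELERATORS.contains(remoteAddr) && "https".equalsIgnoreCase(proto);
    }

    static boolean requiresSecure(String path) {
        return SECURE_PREFIXES.stream().anyMatch(path::startsWith);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI();
        if (requiresSecure(path) && !isSecureRequest(request.isSecure(),
                request.getRemoteAddr(), request.getHeader(PROTO_HEADER))) {
            // One redirect to https; the accelerator's header satisfies the check on the
            // next request, which is what breaks the 302 loop described in the thread.
            String query = request.getQueryString();
            response.sendRedirect("https://" + request.getServerName() + path
                    + (query == null ? "" : "?" + query));
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

A direct plain-HTTP request to a secure path, or one that carries the header from an address other than the accelerator's, is still redirected, which is why the app servers should only be reachable through the accelerator in the first place.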
On Oct 17, 2005, at 6:56 AM, Alex Schmelkin wrote:
> A production web cluster that we maintain is planned to be upgraded to
> terminate ssl directly on our load balancer, a cisco content switch. All
> ssl keys and encryption/decryption will be moved to the l-b, which in turn
> will only communicate over http with the web servers.
>
> Setup:
> request -> load balancer -> apache (mod_jk) -> tomcat/ofbiz
>
> Ofbiz is not loving the setup for pages that are configured to require ssl
> (checkout, payment, my account, etc). Requests that are indeed secure
> appear to have been communicated to ofbiz over a non-encrypted channel, and
> ofbiz issues a 302 redirect to serve the current page with ssl.
>
> This results in an endless loop of 302's as the request will never satisfy
> ofbiz's encrypted requirement and always result in a redirect response.
>
> Two options come to mind that we don't love. I'm hoping there are setups
> that others are using in production clusters that are a bit better:
>
> 1) turn off secure page requirements -- but, this would allow someone to
> manually browse to http://server/myaccount, which is not ideal
>
> 2) have the load balancer re-encrypt the ssl traffic and communicate with
> the web server over https again -- this would make this problem go away but
> doubles the load on the l-b, and puts ssl load back on the web servers
> again.
>
> Any suggestions are greatly appreciated!
>
> Thanks.
>
> _______________________________________________
> Dev mailing list
> http://lists.ofbiz.org/mailman/listinfo/dev