Ssl – Apache + Tomcat: Which one should handle SSL? IP-based proxy forwarding

Tags: apache-2.2, reverse-proxy, ssl, tomcat

We currently have a Tomcat application running with SSL on port 443. Right now we have an apache server that accepts http requests on port 80 and redirects to the Tomcat instance:

    <VirtualHost *:80>
        ServerName domain.com
        ServerAlias domain.com
        <LocationMatch "/">
            Redirect permanent / https://domain.com/
        </LocationMatch>
    </VirtualHost>

Tomcat is handling SSL, because there's no proxy, just a simple redirect to the SSL port:

    <Connector
        port="443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/app/ssl/domain_com.jks" keystorePass="ourpassword"
        clientAuth="false" sslProtocol="TLS"/>

We want to begin using the apache web server as a proxy and additionally, do per-IP redirects to certain apps that should only be used by hosts on a pre-determined IP range. We would also like to redirect IPs that don't match the pre-determined list to a static html page hosted on the apache server.

My first question is: Should I continue to handle SSL on Tomcat's end, or should I use apache with SSL while forwarding to an "unprotected" tomcat port?

Is there any way to redirect to different apps (and potentially hosts) depending on the incoming IP?

thanks,
del

Best Answer

As to the SSL handling, this is a typical use case of SSL offloading. Since you are very probably going to use one SSL certificate (the certificate for your domain name), you are going to have one Apache and n Tomcats, so Apache is the better place for SSL handling. The communication between Apache and Tomcat should then go through AJP and NOT http or https.

I have written a step-by-step instruction on SSL offloading, which might be helpful to you. The link to it: http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html
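The following Apache 2.2 configuration is an added example, not part of the question or the answer above, showing both halves of the setup together: Apache terminates SSL on port 443 and forwards to Tomcat over AJP (using mod_proxy_ajp here rather than the mod_jk approach the linked article uses), and mod_authz_host restricts one application path to a pre-determined IP range while sending everyone else to a static page served by Apache itself. All hostnames, paths, ports and the 10.20.0.0/16 range are assumed placeholders.

```apache
# Added example: Apache 2.2 as SSL-terminating reverse proxy in front of Tomcat.
# Paths, hosts and IP ranges are placeholders; adjust to your environment.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
LoadModule authz_host_module modules/mod_authz_host.so

# Port 80 only redirects to https, as in the original configuration.
<VirtualHost *:80>
    ServerName domain.com
    Redirect permanent / https://domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com
    # Static content (including the "restricted" page) is served by Apache.
    DocumentRoot /var/www/static

    # SSL is handled here; Tomcat no longer needs the keystore or port 443.
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile      /etc/apache2/ssl/domain_com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/domain_com.key
    SSLCertificateChainFile /etc/apache2/ssl/chain.crt

    # Never act as an open forward proxy; only the explicit ProxyPass rules apply.
    ProxyRequests Off
    ProxyPreserveHost On

    # Exclusions must come before broader ProxyPass rules: the restricted page
    # is served locally, never forwarded to Tomcat.
    ProxyPass /restricted.html !

    # Internal app on a second Tomcat host: only the internal range may reach it.
    # Clients outside the range get a 403, which ErrorDocument turns into the
    # static page via an internal redirect.
    <Location /internal>
        Order deny,allow
        Deny from all
        Allow from 10.20.0.0/16
        ErrorDocument 403 /restricted.html
    </Location>
    ProxyPass /internal ajp://192.168.10.5:8009/internal

    # Public app on the local Tomcat, reachable by everyone.
    ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>
```

On the Tomcat side the SSL connector from the question is replaced by an AJP connector such as `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="443"/>`; binding it to the loopback address (or the Apache host's address only, for the second Tomcat) matters because AJP carries no authentication of its own and must not be reachable from the network at large (newer Tomcat releases additionally require a shared AJP secret configured on both sides). Because AJP forwards the client address and the SSL attributes to Tomcat, the application still sees `request.isSecure()` as true and the real remote IP; if you instead proxied over plain http, you would need `scheme="https"`, `secure="true"` and `proxyPort="443"` on the Tomcat HTTP connector to get the same result.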
