users@glassfish.java.net

Re: GlassFish v3, mod_jk and sticky sessions on http & https

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Fri, 26 Feb 2010 19:09:56 -0800

glassfish_at_javadesktop.org wrote:
> Hello Jan,
>
> I am having similar troubles too. I have set the cookieSecure="false" to circumvent this problem. Apparently switching from http -> https it would keep the same cookie, but a secure version, when switching https -> http, it would then get a new cookie. (since the secure cookie is used once, I guess)
>
>

If the request that initiated the session came in over https (or was
proxied to the backend over plain mod_jk, but with extra (header) info
from which the backend could determine that the original request
received at the frontend had been secure), then the session tracking
cookie will also be marked as secure, which has the effect that it will
be included only with subsequent client requests that are also secure.

> You mentioned:
>
>
>> 2. Is your LB properly configured to forward any SSL related info to
>> the backend, so that the backend can determine whether the original
>> request (between the client and the LB) came in over http or https?
>>
>
> I was not able to get mod_jk working with ssl. How do we exactly configure the LB (apache + mod_jk) in this case, to forward SSL related info to the backend?
>
>

I think this is done by the following config that is mentioned in the docs:

# Should mod_jk send SSL information (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificate? (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT

> I have followed wiki.glassfish.java.net/attach/AdministrationGuide/SJSASEEAG.pdf (page 113 and 114) - but the apache would not allow https://site.com:443, but it would let http://site.com:443 -
>
> I have done extensive log file watching and figured out that the workers are working ok, but the SSL info was not forwarded.
>
>
Are you saying that you've configured Apache in SSL-terminating mode,
configured a single, non-secure mod_jk listener on the backend, set
JkExtractSSL to "On" (the default mode), and are still not seeing any
SSL info getting transmitted to the backend?

One easy test would be to send an https request to a Servlet, and have
the Servlet call ServletRequest#isSecure: if this method returns "true",
then you know that SSL info has been transmitted to the backend (because
otherwise, ServletRequest#isSecure would have returned "false").

Thanks,

Jan
> Best Regards,
> -C.B.
> [Message sent by forum member 'cambazz' (cambazz_at_gmail.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=389032
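The isSecure test suggested in the reply above, written out as an added example (not part of the original message and not GlassFish code): a diagnostic servlet that reports whether the backend sees the request as secure and whether the container populated the standard Servlet-spec SSL request attributes. The class name SslCheckServlet and the /ssl-check path are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet; class name and URL pattern are assumptions.
@WebServlet("/ssl-check")
public class SslCheckServlet extends HttpServlet {

    // Standard Servlet-spec attributes a container sets on secure requests.
    private static final String[] SSL_ATTRS = {
        "javax.servlet.request.cipher_suite",
        "javax.servlet.request.key_size",
        "javax.servlet.request.X509Certificate"
    };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        // Diagnostic output should not be cached by the front end or browser.
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();

        // What the backend believes about the original client connection.
        out.println("isSecure   = " + req.isSecure());
        out.println("scheme     = " + req.getScheme());
        out.println("serverPort = " + req.getServerPort());

        // Report presence only; certificate contents are not echoed back.
        for (String name : SSL_ATTRS) {
            Object value = req.getAttribute(name);
            out.println(name + " = " + (value == null ? "(not set)" : "present"));
        }

        // Same conclusion as the reply: true means SSL info reached the backend.
        if (req.isSecure()) {
            out.println("RESULT: backend sees the original request as https");
        } else {
            out.println("RESULT: backend sees plain http; no SSL info arrived");
        }
    }
}
```

Requesting it through the Apache front end once over https and once over http should give isSecure = true and false respectively if the SSL info is being forwarded.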