Load Balancing Web Applications
Subject:   Load Balancing, Server Affinity, and HTTPS
Date:   2005-08-22 07:21:53
From:   trulore

We are implementing a Load Balanced HTTPS Web Application with Server Affinity.

We are using the last solution diagrammed in this article.

We have a hardware SSL decoder sitting in front of our load balancer. This allows the load balancer to read the incoming requests, and thus "pin" a user to a given server for the duration of their session.

However, the problem we have is this:

The https requests come into the SSL decoder, but they come out of the SSL decoder as http requests to our Web Server. So, our Web Server and Java App Server THINK they are hosting an "http" site, not "https". They think the user's browser sent an http request.

And when I send a page redirect from any place in my application (response.sendRedirect) the Application Server (Tomcat in our case) will automatically prepend "http" to the front of the URL to fully-qualify it.

(The Sun Spec for Servlets says that the container must fully qualify all redirects that it sends back to the browser.)

Well, if the browser receives an "http" redirect as a response to an "https" request, it pops up a security warning, especially if the browser is Internet Explorer.

How does can this solution possibly work then?

Every time we do a redirect to another page, the user gets a warning, and we do LOTS of redirects.

Even if I re-write my own redirects to fully qualify them to specify "https", I can't control the redirects that are generated by other Java Libraries (like Struts and JSF and especially j_security_check).

I can't use a Servlet Filter, because j_security_check (the login process) bypasses Servlet Filters by design. And j_security_check uses page redirects. (At least the Tomcat version of j_security_check does).

I've also had problems with other places in the application where we generate fully qualified URL's for other for a "base" tag.

It just seems like we will be forever asking for trouble by "tricking" Tomcat into thinking it's running an http site when it's actually https.

But is there ANY other way to achieve Server Affinity over HTTPS without doing it this way???

We are willing to replace Tomcat with WebSphere or Oracle 10g or Weblogic or whatever it takes. I just want a solution that works.

Thanks! :)

Robert Pappas

1 to 2 of 2
1 to 2 of 2