SSL offloading for JBOSS and Tomcat servers.

(Originally posted February 5, 2007)


Re: SSL offloading for JBOSS and Tomcat servers.

Many customers who run ZXTM in front of a J2EE application server, like JBoss or Tomcat, would like to use the high performance SSL processing of ZXTM but still need their application to know when the connection was secured. The Apache AJP protocol can be used to achieve this

<!-- A AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}" emptySessionPath="true" enableLookups="false" redirectPort="8443" protocol="AJP/1.3"/>

<!-- A AJP 1.3 Connector on port 8010 -->


Apache mod_jk


If you are connecting to JBOSS using Mod_JK with Apache or Microsoft IIS you will need to add a new worker connection for the new service. In your worker properties file for mod_jk, add a worker with the following attributes:


worker.ajp13_secure.port=8010
worker.ajp13_secure.type=ajp13


Here we created a new worker called "ajp13_secure". Now we can map requests to this worker from the Apache or IIS configuration and the applications run via this connection will be told they are secure.


The Web Server and ZXTM


You will now want to create a new virtual server. It can be a name based virtual host or you could run it on a different IP or port. You will need to be able to send the SSL traffic to this new server without causing confusion with the non-secure version. This new virtual server will map J2EE apps via the ajp13_secure mod_jk worker.

When you create your HTTP service with SSL Decryption enabled you will want to attach the vserver to a pool containing the service which backs onto the AJP listener you have set to be secured. In the Apache mod_jk configuration above it would map to ajp13_secure. If you are connecting with Zeus Web Server you will need to configure the Java Servlet mapping through the admin interface.

If you run both secure and insecure versions of the website you will need to run two identical virtual servers. The first will take HTTP traffic and connect to the AJP listener on port 8009 (the normal service), and the second will map to the AJP listener on port 8010 (the secured version).
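
To check that the connector and worker halves of this setup agree, the following added example (not part of the original post, and not ZXTM, JBoss or mod_jk code) parses a server.xml and a workers.properties and reports, for each mod_jk worker, whether the AJP connector it targets marks requests as secure. Both sample files are constructed: the `scheme="https" secure="true"` attributes on the 8010 connector are standard Tomcat Connector attributes used here as an assumption, because the post's own 8010 listing did not survive, and the `ajp13` worker on port 8009 is likewise assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the post's lost listing. scheme/secure are standard
# Tomcat Connector attributes; their use on port 8010 is an assumption.
SERVER_XML = """<Service name="jboss.web">
  <Connector port="8009" address="${jboss.bind.address}" redirectPort="8443" protocol="AJP/1.3"/>
  <Connector port="8010" address="${jboss.bind.address}" protocol="AJP/1.3" scheme="https" secure="true"/>
</Service>"""

# Constructed workers.properties; the plain ajp13 worker on 8009 is assumed.
WORKERS = """worker.ajp13.port=8009
worker.ajp13.type=ajp13
worker.ajp13_secure.port=8010
worker.ajp13_secure.type=ajp13
"""

def ajp_connectors(server_xml):
    """Map AJP port -> True if the connector reports requests as secure."""
    out = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("protocol", "").upper().startswith("AJP"):
            out[int(c.get("port"))] = (c.get("secure", "").lower() == "true"
                                       and c.get("scheme", "").lower() == "https")
    return out

def worker_ports(props):
    """Map mod_jk worker name -> port for workers of type ajp13."""
    fields = {}
    for line in props.splitlines():
        key, sep, value = line.strip().partition("=")
        parts = key.strip().split(".")
        if sep and len(parts) == 3 and parts[0] == "worker":
            fields.setdefault(parts[1], {})[parts[2]] = value.strip()
    return {n: int(f["port"]) for n, f in fields.items()
            if f.get("type") == "ajp13" and "port" in f}

def audit(server_xml, props):
    """Return {worker: 'secure' | 'plain' | 'no AJP connector on port N'}."""
    conns = ajp_connectors(server_xml)
    report = {}
    for name, port in worker_ports(props).items():
        if port in conns:
            report[name] = "secure" if conns[port] else "plain"
        else:
            report[name] = f"no AJP connector on port {port}"
    return report

if __name__ == "__main__":
    print(audit(SERVER_XML, WORKERS))
```

A worker reported as "secure" tells every application behind it that the request arrived over SSL, so that AJP port should only be reachable from the web server that sits behind the SSL-decrypting virtual server.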