lindner (lindner) wrote,

On Vox: Tomcat and SSL Accelerators

Using an SSL Accelerator like a Netscaler is really useful, you can offload a lot of work to a device that supports this in hardware and can use SSL session affinity to send requests to the same backend.  In the simplest setup the SSL Accelerator accepts the request and proxies it to your internal set of hosts running on port 80.

However, code that generates redirects and URLs works poorly because the servletRequest.getScheme(), getSecure() and getServerPort() will return http/false/80 for SSL and non-SSL connections.

One way to solve this is listen on multiple ports.  Create a Connection on 80 and 443, but do not run SSL on either port.  Then for the 443 port you configure it with secure="true" and scheme="https".  This is suboptimal however as then you have to manage yet another server pool in your load balancer and you end up sending twice the health checks.  Not so good.

You might try to solve this by using a ServletFilter.  You can use an HttpServletRequestWrapper instance to change the scheme/port/and secure flag.  Sadly this doesn't work, because of the way tomcat implements HttpServletResponse, it uses the original request object to ascertain the scheme/secure flag/port.  Overriding these will allow application logic to see the updated values.  You get into trouble when you call encodeRedirectURL() or sendRedirect() with non-absolute URLs.

Lucky for us Tomcat supports a way to inject code into the connection handling phase via Valves.  A valve can query and alter the Catalina and Coyote request objects before the first filter is run.  

To make your Valve work you'll need to configure your load balancer to send a special header when SSL is in use.  On the Netscaler this can be done by setting owa_support on.  With that enabled the http header Front-End-Https: On is sent for requests that use SSL.

Once we have these pieces in place the Valve is fairly straightforward:


import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class NetscalerSSLValve extends ValveBase {

        public void invoke(Request req, Response resp) throws IOException, ServletException {
                if ("On".equals(req.getHeader("Front-End-Https"))) {
                if ( getNext() != null ) {
                        getNext().invoke(req, resp);

Compile this, stick it in the tomcat lib directory, add an entry in your server.xml and away you go.

Originally posted on


Comments for this post were disabled by the author