front ending tomcat with apache2

Scott Battaglia scott.battaglia at gmail.com
Mon Sep 17 15:15:59 EDT 2007


David,

Unless you've enabled a distributed Ticket store (i.e. the JBossCache one),
you may see new tickets generated (as each server maintains its own
collection of tickets).

-Scott

On 9/17/07, David Pham <dpham6 at gmail.com> wrote:
>
> Thank you all for the input.  I was able to enable SSL support for my
> apache loadbalancer and it does a good job of balancing requests to my CAS
> in a round-robin fashion.
>
> Claudio - I'm not sure if my certificates are set up like you stated.
> Basically I created a cert for my apache and each of my CASes has a cert.
> It appears that when a client is directed to the loadbalancer, only the cert
> for my apache is used.  In addition I believe sticky sessions are enabled by
> default, but I'll double-check my configurations and make sure it's
> implemented.
>
> Andrew - I'm using mod_jk.  I'll add the configs as suggested.
>
> One last thing, I'm not sure if this issue is related or a side effect of
> the load balancer, but it appears my CAS instances are constantly generating
> new tickets even for the same client session.  After authentication, the
> client receives a TGC and each time the same casified application is
> accessed, a new TGC is generated w/o regards to the existing ticket.  Is
> this normal behavior?
>
> Regards, David
>
> On 9/17/07, Andrew R Feller <afelle1 at lsu.edu> wrote:
> >
> >  David,
> >
> >
> >
> > If you are using Apache HTTPD and Tomcat, then you can use either mod_jk
> > or the newer mod_proxy_ajp module.  I have used both and find them both
> > fairly easy to use.  The only security concern I am aware of is with the
> > Connector used for the AJP communication over port 8009.  Specify the
> > address attribute to localhost (127.0.0.1) in order to avoid it
> > receiving requests from only Apache HTTPD on the machine it runs on:
> >
> >
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> >            tomcatAuthentication="false" address="127.0.0.1"
> >            enableLookups="false" />
> >
> >
> >
> > HTH,
> >
> >
> >
> > Andrew R Feller, Analyst
> >
> > Subversion Administrator
> >
> > University Information Systems
> >
> > Louisiana State University
> >
> > afelle1 at lsu.edu
> >
> > (office) 225.578.3737
> >   ------------------------------
> >
> > *From:* cas-bounces at tp.its.yale.edu [mailto: cas-bounces at tp.its.yale.edu]
> > *On Behalf Of *Scott Battaglia
> > *Sent:* Saturday, September 15, 2007 10:43 PM
> > *To:* Yale CAS mailing list
> > *Subject:* Re: front ending tomcat with apache2
> >
> >
> >
> > David,
> >
> > I believe most people just use mod_jk between the Apache server and
> > Tomcat.  I'm not aware of any additional secure configuration you can do to
> > mod_jk.
> >
> > Your Apache's http connector obviously should be SSL ;-)
> >
> > -Scott
> >
> > On 9/14/07, *David Pham* <dpham6 at gmail.com> wrote:
> >
> > I am front ending my CASes, which run on Tomcat 5.5, with an Apache2
> > load balancer that uses mod_jk and I am assuming
> > an SSL connector will be needed in order for the load balancer to
> > redirect requests to the CAS servers.  Does anyone have
> > any useful documentation on how this can be done?
> >
> > Thank you in advance.
> >
> > David
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
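
An added example, not part of the original thread: a Python audit that reads a Tomcat server.xml and reports which interface each AJP connector listens on, so a connector like the one Andrew quotes can be confirmed as loopback-only. The sample XML is constructed and the function names are hypothetical; it assumes a connector with no address attribute listens on all interfaces, as documented for Tomcat 5.5.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; ports 8010-8012 are made up for illustration.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false" address="127.0.0.1"
               enableLookups="false" />
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0" />
    <Connector port="8012" protocol="AJP/1.3" address="10.0.0.5" />
  </Service>
</Server>
"""


def classify_bind(address):
    """Map a Connector address attribute to loopback / all-interfaces / specific."""
    if address is None:
        return "all-interfaces"  # assumption: no address means every interface
    if address.strip().lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return "specific"  # a hostname; not resolved here so the check stays offline
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"


def audit_ajp(server_xml):
    """Return [(port, bind_class)] for every AJP connector in server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol is "AJP/1.3" or an AJP handler class name
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        findings.append((int(conn.get("port", "0")), classify_bind(conn.get("address"))))
    return findings


if __name__ == "__main__":
    for port, bind in audit_ajp(SAMPLE_SERVER_XML):
        flag = "ok" if bind == "loopback" else "REVIEW"
        print(f"AJP connector on port {port}: {bind} [{flag}]")
```

Where Apache runs on a different host than Tomcat, a loopback bind is not reachable by the balancer; a "specific" result then calls for a firewall rule limiting the AJP port to the Apache host.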