How to set up Tomcat with AWS Load Balancer SSL offloading
Category : How To
Recently I ran into an issue with an application which was running in Tomcat. My plans were to run an AWS Application Load Balancer which would offload the HTTPS certificate from the application servers. The problem is that my application was writing full-path URLs based on the server name Tomcat was hosted on.
This post will walk through the process of setting up your Tomcat application so that SSL termination can be offloaded to a load balancer even if you have full-path URLs embedded in your code.
The first step is to set up the domain name you will use for your application. My personal preference is to go with Route 53, as it's baked into AWS, you can get free certificates to host on your load balancer, and you get a lot of other benefits in regards to how routing is handled. This domain name will be needed for the next step.
Create your EC2 instance and install Tomcat. In your CATALINA_HOME directory open the "conf/server.xml" file and scroll down until you find the "<Connector>" lines.
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
Once you find this segment, copy it and paste the copy right below the original line in server.xml. Set the copy to a different port number (such as 8081) and add the attributes that tell Tomcat to behave as if the request were encrypted and addressed to your domain: proxyName and proxyPort give the public host and port to use when the application builds absolute URLs, and secure and scheme make the request report itself as HTTPS. Do not add SSLEnabled="true": that attribute makes Tomcat terminate TLS on the connector itself (and requires a keystore), which is exactly the work the load balancer is taking over.
<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" proxyName="YourDomainName.com" proxyPort="443" secure="true" scheme="https" />
Save the file and restart Tomcat.
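As an added example (not code from the original post), the following Python script checks a server.xml for the connector mistakes discussed above: a proxied connector that still has SSLEnabled="true" without any certificate configured, or that is marked secure/https but lacks proxyName or proxyPort. The two embedded server.xml samples are constructed for the example; the attribute and element names it inspects (proxyName, proxyPort, secure, scheme, SSLEnabled, keystoreFile, SSLHostConfig) are the ones from Tomcat's Connector configuration, and YourDomainName.com is the placeholder domain from the post.

```python
"""Lint a Tomcat server.xml for SSL-offloading connector mistakes (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the proxied connector as it was first written, with
# SSLEnabled="true" present and proxyPort missing.
BROKEN_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000"
               proxyName="YourDomainName.com" secure="true" scheme="https" SSLEnabled="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same file with the proxied connector corrected
# (SSLEnabled removed, proxyPort="443" added).
FIXED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000"
               proxyName="YourDomainName.com" proxyPort="443" secure="true" scheme="https" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def _is_true(value):
    """Tomcat boolean attributes are case-insensitive strings."""
    return value is not None and value.strip().lower() == "true"


def lint_connectors(server_xml):
    """Return [(port, message), ...] for connectors that will not offload correctly.

    A connector marked secure/https for use behind the load balancer must name
    the public host and port (proxyName, proxyPort) and must not turn on
    Tomcat's own TLS (SSLEnabled) unless a certificate is configured for it.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        a = conn.attrib
        port = a.get("port", "?")
        proxied = _is_true(a.get("secure")) or a.get("scheme") == "https"
        # A nested <SSLHostConfig> or the legacy keystoreFile attribute means
        # the connector really is meant to terminate TLS itself.
        has_cert = conn.find("SSLHostConfig") is not None or "keystoreFile" in a
        if _is_true(a.get("SSLEnabled")) and not has_cert:
            findings.append((port, 'SSLEnabled="true" with no certificate configured: Tomcat '
                                   'will try to terminate TLS itself; remove it when the load '
                                   'balancer terminates TLS'))
        if proxied and "proxyName" not in a:
            findings.append((port, 'secure/https connector without proxyName: the server name '
                                   'seen by the application will come from the Host header '
                                   'rather than the fixed public domain'))
        if proxied and "proxyPort" not in a:
            findings.append((port, 'secure/https connector without proxyPort: set '
                                   'proxyPort="443" so generated absolute URLs use the load '
                                   "balancer's port rather than a port derived from this "
                                   'connector or the Host header'))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        found = lint_connectors(xml_text)
        print("%s sample: %d finding(s)" % (label, len(found)))
        for port, msg in found:
            print("  connector port %s: %s" % (port, msg))
```

To check a real deployment, call lint_connectors(open(path_to_server_xml).read()). The script only covers the offloading attributes; note that the original port-8080 connector stays listening, so the instance's security group should only accept the target port from the load balancer's security group rather than from the internet.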
At this point you need to set up your SSL certificate. To do this, navigate to "Certificate Manager" in your AWS console and request a certificate.
The certificate request will need to verify that you own the domain. If you used Route 53, it will offer to add the validation CNAME record to Route 53 at the click of a button (this is probably the easiest way to verify the domain). Once you do this, wait for AWS to validate the domain and issue your certificate.
Now that you've set up all the pieces, you're ready to set up your AWS Application Load Balancer. In the AWS Console, navigate to EC2 and click the Load Balancers option in the left-hand navigation menu.
This selection will take you to the list of your existing load balancers.
Click the "Create Load Balancer" button at the top of the screen, then select "Application Load Balancer". On the next screen type in a name for your load balancer, set the listener protocol to "HTTPS", and finally set the availability zones for your load balancer in your VPC. Click Next.
On the next screen, select the certificate you requested in Certificate Manager earlier, then click Next.
The next screen will prompt you to select a security group. You can go with the default here, but more than likely you'll want a security group strategy that limits access to your server; in this example we'll go with the default. Click Next.
By default the wizard will want to create a new target group. Fill in the target group options so that it points at the plain-HTTP connector you added to server.xml (port 8081 in the example above), and feel free to be creative with the Name property.
Click the next button.
Finally, select the server instance you set up. Click Next, then click Create.
Once your Application Load Balancer has been created, the last step is to set up your Route 53 A record to point to your load balancer as an alias.
Once you finish updating Route 53, your domain name will work over HTTPS while your Tomcat server runs without a certificate over plain HTTP, with encryption offloaded to your load balancer.