RE: Liferay 4.2.1 with Loadbalancing and SSL Acceleration
Hey All,
I've run into a few disturbing problems with Liferay 4.2.1 and deployment in a typical HA scenario. We are attempting to deploy 2 Liferay instances behind an F5 BigIP HW loadbalancer. We initially ran into issues with tomcat clustering introduced by this bug:
http://support.liferay.com/browse/LEP-2000
We are now running into issues with SSL acceleration and url rewriting. It seems as if liferay is embedding urls prefixed with "http://" into hidden form fields. ie:
input name="_8_redirect" type="hidden" value="http://xxx.xxxx.net/web/portal/home?p_p_id=8&p_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&"
this is escaping our loadbalancer's rewriting features and thus causing browsers to redirect to a non-encrypted, blocked URL. I've tried resolving this in tomcat using
both a Proxy approach and the approach outlined in this url:
http://www.unc.edu/~adamc/docs/tomcat/tc-accel.html
to no avail. The Proxy approach results in url's that are prepended with the http:// prefix and 443 specified as the port #, ie:
http://xxx.xxx.net:443/
Can someone point me in the right direction to resolve this issue?
Thanks,
-John
sure
terminate your ssl with apache + use IP based virtual hosts to best support SSL easily.
I don't think liferay virtual hosts are truly ready for "primetime" yet...
I have many issues with them in JIRA that are not fixed yet.
until they get fixed, i'd stay away from them (except to play with)
Jason,
Thanks for responding. My SSL connections are terminating at the loadbalancer. Traffic between tomcat and the loadbalancer is unencrypted. As such, I need http:// urls to be rewritten as https:// urls so the client browsers will hit the correct host. Even if I was terminating the SSL with apache, it seems like the issue would be the same. I.e., Liferay would still need to provide URLs that are prepended with https://. I'm wondering what the best way to configure this is...
-jd
We actually use relative links almost everywhere in the code, so you shouldn't be seeing this behavior.
Where is this that you're seeing this?
We are running into the same issue with 4.2.1. Our site utilizes a Cisco CSS11506 hw load balancer and we currently use its ssl acceleration capabilities. The load balancer proxies requests on behalf of the user to Liferay via http protocol. All of our url's within the portal are being prefixed with http. Is there a method to hard code the protocol to force https?
We have same kind of issue with Liferay 4.3.0 and Citrix Access Gateway which does URL rewriting. I think Liferay relies too much on javascript magic hacks.
Take Liferay index.html for example which uses javascript to do a redirect.
<body onload="javascript:location.replace('/c')"></body>
Citrix Access Gateway chokes on this.
Also, has anyone ever succeeded in using the "Save Page As" feature of the browser? All of the pages that I save look completely broken.
First of all, why do I get redirected to the main page every time I try to load this page!? IE and FF.
Second, I believe the problems that people are experiencing with SSL offloading and URL writing is a problem due to configuration (load balancer and container) AND not (necessarily) a problem due to the application, in this case Liferay.
At our university we also ran into this problem with our portal (uPortal). We didn't get SSL offloading to work in our case due to a bug in Tomcat 5.0.x. I believe it has been fixed in 5.5.x and above but we haven't tried. So in our case our load balancer was doing the SSL encryption/decryption and Tomcat would receive http (unencrypted) traffic on port 443; we wanted Tomcat to write URLs with https on port 443. In our implementation we were setting our Tomcat connectors scheme to https and secure to true. It seems that this should be fixed in 5.5 if not 6.0. Maybe someone with this problem can try out modifying these variables - if using 6.0 try setting SSLEnabled to false too.
James
Don't know, but this sounds rather like a feature missing from Tomcat, than a Liferay bug.
I remember lately a thread where it was discussed that Liferay uses the standard API to get host names/port numbers in such cases.
So if Tomcat provides a proxyPort option, you can change the port that the end users get to receive in their pages.
Since, however, Tomcat is missing a proxyProtocol option, I guess it will always believe that the request was received with http and all relevant URLs should be generated with that protocol. (I've quickly searched through the source and found for example references to ServletRequest.isSecure(), which would return false in your case).
Regards,
C/
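The connector attributes mentioned in the two posts above (scheme, secure, proxyPort, SSLEnabled), written out as a Tomcat `server.xml` fragment. This is an added example, not configuration posted by anyone in the thread; the ports, bind address and host name are constructed placeholders.

```xml
<!-- Added example: fragment of Tomcat conf/server.xml, placed inside <Service>. -->
<!-- Ports, address and proxyName below are constructed placeholders. -->

<!-- Before: plain HTTP connector behind an SSL-terminating load balancer.
     request.getScheme() returns "http" and request.isSecure() returns false,
     so absolute URLs built from the request start with http://

     <Connector port="8080" />
-->

<!-- After: the connector still receives unencrypted HTTP from the load
     balancer, but reports the scheme, host and port the browser used. -->
<Connector port="8081"
           address="10.0.0.10"
           scheme="https"
           secure="true"
           proxyName="portal.example.invalid"
           proxyPort="443"
           SSLEnabled="false" />

<!-- scheme     : value returned by request.getScheme()
     secure     : makes request.isSecure() return true for this connector
     proxyName  : value returned by request.getServerName()
     proxyPort  : value returned by request.getServerPort()
     SSLEnabled : attribute exists from Tomcat 6.0; false means Tomcat does
                  no TLS handshake itself on this connector
     address    : bind to an interface only the load balancer can reach,
                  because every request arriving here is reported as secure,
                  including one that never passed through TLS -->
```

Point only the load balancer's HTTPS virtual server at this connector; traffic that reaches it directly would be treated as secure by the application even though it was never encrypted.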