Forum Discussion

Tyson_James
Sep 25, 2018

HTTPS to Tomcat 8003....

I think I have a very similar issue to the two following articles, however we have tried the respective "fixes" and had no joy :

 

https://devcentral.f5.com/questions/https-to-tomcat8080

 

https://devcentral.f5.com/questions/apache-tomcat-configuration-ltm

 

So basically, my situation is this :

 

CLIENT --> HTTPS --> F5 --> HTTP:8003 --> Tomcat Server

 

I have created a VIP which handles the SSL termination. Then I have a server pool with a Tomcat server listening on port 8003. When I connect directly to the Tomcat server on port 8003 inside my network ( ), I get the expected Tomcat page. However, when I connect through my F5 load-balancer to ( , which points to a pool that contains the Tomcat server listening on 8003 ), then I get "This site can’t be reached. "vip_server_name" refused to connect. ERR_CONNECTION_REFUSED".

 

I need to know what I need to do to either my F5 load-balancer or my Tomcat server to make the connections work. I "think" it is choking on the HTTPS and HTTP back-and-forth communications, but I am a lightweight in Linux and Tomcat and I am also fairly new to F5. Any help is greatly appreciated.

 

2 Replies

  • There are a number of things that it could be, but you'd need to run some additional tests to narrow it down.

    • We first need to verify that traffic is actually getting to the Tomcat server. You can do that with a tcpdump capture on the server-side F5 VLAN. You should see the port 8003 traffic in this capture. And since it's not encrypted, you can also see what the requests and responses look like (using the -Xs0 switch).

      tcpdump -lnni [server side vlan] -Xs0 port 8003
      
    • Assuming you see a full TCP 3-way handshake and some data going back and forth, look at the payload. Look for any responses from the server that look like HTTP redirects. You can also install Fiddler on the client side to get a better look. What you're looking for here are any redirects or URLs coming from Tomcat that specify "http://" instead of "https://". This is a not uncommon problem when application servers don't understand they're in an SSL-terminated environment and continue to send resource links via http.

    Let us know what you see from the above tests.
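
The second check in the reply above, as an added example that is not part of the original thread: a bash/awk filter that reads one plaintext HTTP response, as it would appear on the port 8003 side, and lists the redirect headers and absolute links that still use http://. The function names, the host vip.example.test and the sample response are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag http:// references in a response sent by a backend
# that sits behind an SSL-terminating VIP.

# Constructed sample response (not captured from a real server).
sample_response() {
cat <<'EOF'
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: http://vip.example.test/app/login
Content-Type: text/html

<html><body>
<a href="http://vip.example.test/app/login">Moved</a>
<img src="/static/logo.png"> <script src="https://cdn.example.test/a.js"></script>
</body></html>
EOF
}

# Reads one HTTP response on stdin and prints one finding per line:
#   header: <redirect-style header carrying an http:// URL>
#   body: <href/src/action attribute carrying an http:// URL>
find_http_refs() {
  awk '
    { sub(/\r$/, "") }                           # tolerate CRLF line endings
    !in_body && /^$/ { in_body = 1; next }       # blank line ends the headers
    !in_body && tolower($0) ~ /^(location|content-location|refresh):.*http:\/\// {
      print "header: " $0
      next
    }
    in_body {
      line = $0
      # Match on a lowercased copy, report the original text at the same offsets.
      while (match(tolower(line), /(href|src|action)="http:\/\/[^"]*"/)) {
        print "body: " substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
      }
    }
  '
}

# Stand-alone run: report on the constructed sample.
sample_response | find_http_refs
```

Relative links and https:// URLs are not reported, so an empty result means the response carries no plain-http redirect or link of the kinds checked.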