Setting up a secure connection for external users

Before you begin

The following strategy combines two techniques: one separates your users into those who connect over HTTP and those who connect over HTTPS, and the other secures the HTTPS connection behind a firewall.

First, set up your application server (Tomcat) to listen on one IP address and port using HTTP. Then set up a second Web server to listen on a different IP address or port using HTTPS. Configure this second (front-end) server as a reverse proxy that forwards every request it receives to the Tomcat instance. Enforce security on the proxy server with a firewall.

The sequence for setting up these measures might be as follows:

Procedure

  1. Make machine1:8080 your normal Tomcat instance. All the internal WorldServer users should go to http://machine1:8080/ws/login.
  2. Set up a front-end Web server listening on a different IP address or port, such as machine2:443. Configure this machine as a proxy server, forwarding requests to machine1.
  3. After you have set up your infrastructure like this, set up your firewall to only allow access to machine2 via SSL and block any external access to machine1. This allows you to force any external user to go through the secure connection to WorldServer.
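
One way to configure the front-end proxy from step 2, shown as an added example rather than configuration taken from the WorldServer documentation. It assumes nginx is the front-end server on machine2 (the procedure does not name one); the certificate paths are placeholders.

```nginx
# Added example: place inside the http { } block of nginx.conf on machine2.
# Assumption: nginx is the front-end server; the procedure does not name one.
server {
    # Step 2: listen for HTTPS only; no plain-HTTP listener is defined.
    listen 443 ssl;
    server_name machine2;

    # Placeholder paths: substitute your own certificate and private key.
    ssl_certificate     /path/to/machine2.crt;
    ssl_certificate_key /path/to/machine2.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward every request to the Tomcat instance from step 1.
        proxy_pass http://machine1:8080;

        # Rewrite redirects that Tomcat issues with its own address, so
        # external users are never pointed at machine1 directly.
        proxy_redirect http://machine1:8080/ /;

        # Tell the backend the original client address and scheme.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The hop from machine2 to machine1 is still plain HTTP, so the firewall rule in step 3 that blocks external access to machine1 is what keeps that traffic off untrusted networks. Validate the file with `nginx -t` before reloading.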

Results

The following figure illustrates this setup.

Figure 1. Secure WorldServer Connection Setup