Hi Chris,

Thanks for the reply.

Local host means the machine I am logged in to, server.lbg.com

You are right, example.lbg.com is a CNAME record.

I don't have any SAN configured for the certificate. The certificate is
requested for only server.lbg.com

So if I just request a new certificate with SAN, it should work? If yes, I
will request it and follow your steps as suggested below.

Should I use a CNAME record or DNS? Does it make a difference?

Thanks,
Lavanya






On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 4/24/24 07:37, lavanya tech wrote:
>
>> Sorry I understood wrongly here with regards to my environment, Let me
>> start from the beginning. I do not want to use redirect at all. I simply
>> wanted to force apache tomcat to use both localhost and dns name of the
>> localhost via url.
>>
>
> When you say "force" what do you mean?
>
> When you say "use both localhost and DNS name" what do you mean?
>
> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
> logged-into right now"?
>
>> I have DNS resolution as below.
>>
>> server.lbg.com --> localhost
>>
>
> Is that a CNAME record?
>
>> nslookup server.lbg.com (localhost)
>> Name:    server.lbg.com
>> Address:  192.168.100.20
>> alias: example.lbg.com
>>
>
> That's a weird DNS response. The DNS name "localhost" should *always*
> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
> 191.168.100.20.
>
>> We have the below URLs working:
>> https://server.lbg.com:8443/towl
>> https://example.lbg.com:8443/towl --> redirects to
>>
>
> What do you mean "redirect"? Does it return a 30x response that causes the
> browser to make a new request to \/
>
>> https://server.lbg.com:8443/towl  --> still works --> we have SSL
>> configured for the same but this SSL certificate does not have additional
>> DNS setup.
>>
>
> What SANs are in your certificate? How many certificates do you have?
>
>> But I would need to somehow access https://example.lbg.com --> which means
>> I would need to access via 443 here?
>>
>
> I'm so confused. What needs to access what?
>
>> I tried adding the below to server.xml, but that does not seem
>> to work.
>>
>>      <Connector port="80"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>             connectionTimeout="20000"
>>             redirectPort="443" />
>>
>
> This will only redirect (HTTP 302) requests to http://yourhost/anything
> to https://yourhost/anything *if the application specifically requests
> CONFIDENTIAL transport*. It doesn't just redirect everything by default. If
> you want it to redirect everything, you'll need to set that up e.g. using
> RewriteValve. There are other options, too.
>
>> Do I need an additional SSL certificate for https://example.lbg.com to
>> make it work?
>>
>
> If you don't want your browser to complain, you will need at least one TLS
> certificate that contains every Subject Alternative Name (SAN) for every
> possible hostname you expect to use with this service. You can do it with
> multiple certificates as well, but a single cert with multiple SANs is less
> work.
>
>> Do I need to set up an additional web server for this like apache or nginx
>> for redirecting requests?
>>
>
> No.
>
> Please stop saying "redirect" because it sounds like you almost never mean
> "HTTP 30x redirect" and that's confusing everything.
>
> I *think* you only need the following:
>
> 1. A TLS certificate with the following SANs:
>
>   * server.lbg.com
>   * example.lbg.com
>   * localhost (you shouldn't do this)
>
> 2. DNS configured for all hostnames:
>
>   * server.lbg.com -> A 192.168.100.20
>   * example.lbg.com -> A 192.168.100.20
>
> 3. Tomcat configured with a single <Host> which is the default virtual
> host. Note that this is the *default Tomcat configuration* and doesn't need
> to be changed from the default.
>
> 4. Tomcat configured with your certificate like this:
>
>    <Connector ...
>       SSLEnabled="true">
>      <SSLHostConfig>
>        <Certificate
>            certificateFile="/path/to/your/cert.crt"
>            certificateKeyFile="/path/to/your/key.pem" />
>        <!-- You may need certificateKeyPassword in <Certificate> -->
>      </SSLHostConfig>
>    </Connector>
>
> If your SANs are configured properly, this should allow you to connect
> using any of these URLs:
>
> $ curl https://server.lbg.com/towl/login.jsp
>
>   (returns login page)
>
> $ curl https://example.lbg.com/towl/login.jsp
>
>   (returns login page)
>
> If your application's web.xml contains something like this:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>theapp</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> ... then these insecure HTTP URLs should redirect your clients:
>
> $ curl http://server.lbg.com/towl/login.jsp
>
>   (returns HTTP 302 redirect to https://server.lbg.com/towl/login.jsp)
>
> $ curl https://server.lbg.com/towl/login.jsp
>
>   (returns HTTP 302 redirect to https://example.lbg.com/towl/login.jsp)
>
> I don't think you need any use of the RewriteValve unless you want to
> handle sending HTTP 302 redirect responses to insecure requests without
> specifying the CONFIDENTIAL transport-guarantee in your application's
> web.xml file. But I don't see any reason NOT to have that in there.
>
> -chris
>
>> On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Lavanya,
>>>
>>> On 4/22/24 05:21, lavanya tech wrote:
>>>
>>>> Could you please explain what exactly you mean? So here redirect is not a
>>>> solution, right?
>>>>
>>>
>>> Redirecting is fine.
>>>
>>> Perhaps you should take a step back and decide: what do you actually
>>> want, here? You might be trying to solve problem X by applying solution
>>> Y, and you've already decided that solution Y is correct so you are
>>> trying to get help with that.
>>>
>>> Perhaps ask for help with Problem X?
>>>
>>> For example, "I don't want users to have to type the name of my
>>> application to reach it so I want example.com/ to go to my application
>>> instead of example.com/myapp/".
>>>
>>> Or, "I have multiple domains and I want all of them to redirect to the
>>> canonical domain example.com and to go to my web application /myapp so
>>> everything goes to example.com/myapp/".
>>>
>>>> "You'd have to use a glob/regex if
>>>> you wanted to check for [anything and maybe nothing.]example.com."
>>>>
>>>
>>> There is nothing in your configuration or question that suggests that
>>> the hostname in the request is relevant, but you are making it a
>>> *requirement* that the request contains a specific Host header. If you
>>> don't actually need that, why do you have it?
>>>
>>> -chris
>>>
>>>> On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <
>>>> ch...@christopherschultz.net> wrote:
>>>>
>>>>> Ammu,
>>>>>
>>>>> On 4/19/24 08:32, lavanya tech wrote:
>>>>>
>>>>>> Thank you very much. I removed <Host> for example.com as well as adding an
>>>>>> <Alias> in server.xml
>>>>>> I copied context.xml file
>>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
>>>>>> Removed < in rewrite.config files.
>>>>>>
>>>>>> But still I don't redirect the URL.
>>>>>>
>>>>>
>>>>> If you have <Context> in server.xml and also your application in the
>>>>> webapps/ directory, then you will be double-deploying your application.
>>>>>
>>>>> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
>>>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are
>>>>> important)
>>>>> and remove the <Context> element from your server.xml.
>>>>>
>>>>> Then start your server and read the logs.
>>>>>
>>>>>> nslookup alias.example.com
>>>>>> gives --> Non-authoritative answer:
>>>>>> Name:     www.example.com
>>>>>> Address:  192.168.200.10
>>>>>> Aliases:  alias.example.com
>>>>>>
>>>>>> Just to give some information here, www.example.com has alias
>>>>>> "alias.example.com"
>>>>>> But https://www.example.com:7777/example --> works fine without issues but
>>>>>> the alias does not work (https://alias.example.com)
>>>>>> So I am not sure if the redirect url helps or if it's correct
>>>>>>
>>>>>
>>>>> Your rewrite configuration says that you have to be using host
>>>>> "example.com" but your request goes to www.example.com. Your
>>>>> configuration should only redirect a request such as:
>>>>>
>>>>> $ curl -v http://example.com:7777/something
>>>>>
>>>>> HTTP/1.1 301 Moved Permanently
>>>>> ...
>>>>> Location: https://www.example.com:7777/example
>>>>>
>>>>> If you make a request like:
>>>>>
>>>>> $ curl -v http://www.example.com:7777/something
>>>>>
>>>>> I wouldn't expect a redirect because of your "host" condition. The
>>>>> "%{HTTP_HOST} example.com" looks at the entire Host header and not
>>>>> just
>>>>> anything that ends in "example.com". You'd have to use a glob/regex if
>>>>> you wanted to check for [anything and maybe nothing.]example.com.
>>>>>
>>>>> You'd also have to make sure that your application is serving responses
>>>>> to requests to / which is why I'm recommending you use the ROOT web
>>>>> application name instead of "towl".
>>>>>
>>>>> -chris
>>>>>
>>>>>> On Fri, Apr 19, 2024 at 1:21 PM Christopher Schultz <
>>>>>> ch...@christopherschultz.net> wrote:
>>>>>>
>>>>>>> Ammu,
>>>>>>>
>>>>>>> On 4/18/24 09:34, lavanya tech wrote:
>>>>>>>
>>>>>>>> I am attaching server.xml and context.xml and rewrite.config files.
>>>>>>>> The paths are
>>>>>>>>
>>>>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/context.xml
>>>>>>>> <Context>
>>>>>>>>         <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
>>>>>>>>         <!-- Other context configuration -->
>>>>>>>> </Context>
>>>>>>>>
>>>>>>>
>>>>>>> This file ^^^ is in the wrong place. It should be in
>>>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
>>>>>>>
>>>>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/WEB-INF/rewrite.config
>>>>>>>>
>>>>>>>> <RewriteCond %{HTTP_HOST} example.com [NC]
>>>>>>>> <RewriteRule ^/(.*)$ https://www.example.com:7777/example [R=301,L]
>>>>>>>>
>>>>>>>
>>>>>>> Why do you have < symbols at the beginning of these lines?
>>>>>>>
>>>>>>>> server.xml
>>>>>>>>
>>>>>>>>     [...]
>>>>>>>>
>>>>>>>>           <Host name="example.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
>>>>>>>>               <Context path="" docBase="towl" />
>>>>>>>>
>>>>>>>
>>>>>>> It's best not to define any <Context> in server.xml. I would remove this
>>>>>>> <Context> entirely and allow Tomcat to auto-deploy from your
>>>>>>> webapps/towl directory. If you need this application to be deployed as
>>>>>>> the ROOT context (on / and not /towl) then you should re-name
>>>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl to
>>>>>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT
>>>>>>>
>>>>>>> You also don't need a <Host> for example.com as well as adding an
>>>>>>> <Alias> for the same domain (though this is probably to anonymize the
>>>>>>> configuration). You can feel free to simply use the "localhost"
>>>>>>> <Host>
>>>>>>> as the default <Host> and deploy everything into it. This makes your
>>>>>>> configuration changes relative to a stock Tomcat less significant and
>>>>>>> easier to apply to new versions if/when necessary.
>>>>>>>
>>>>>>> -chris
>>>>>>>
>>>>>>>> On Thu, Apr 18, 2024 at 2:17 PM Christopher Schultz <
>>>>>>>> ch...@christopherschultz.net> wrote:
>>>>>>>>
>>>>>>>>> Ammu,
>>>>>>>>>
>>>>>>>>> On 4/18/24 07:45, lavanya tech wrote:
>>>>>>>>>
>>>>>>>>>> I added classname rewrite valeus in context.xml file.
>>>>>>>>>>
>>>>>>>>>>          <!-- REWRITE VALVE -->
>>>>>>>>>>          <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
>>>>>>>>>>          <!-- // -->
>>>>>>>>>>
>>>>>>>>>> created rewrite.config so both of them are located under conf under
>>>>>>>>>> apache-tomcat.
>>>>>>>>>>
>>>>>>>>>>                          <RewriteCond %{HTTP_HOST} example.com [NC]
>>>>>>>>>>                          <RewriteRule ^/(.*)$ https://www.example.com:7777/example [R=301,L]
>>>>>>>>>>
>>>>>>>>>> So according to the documentation they say context.xml should be placed
>>>>>>>>>> under webapps and rewrite.config file should be put in WEB-INF folder of
>>>>>>>>>> apache-tomcat. I placed and restarted tomcat webserver but still it
>>>>>>>>>> does not redirect.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Can you give full paths to both server.xml and rewrite.config, re-post
>>>>>>>>> your current server.xml <Context> element, and the complete contents of
>>>>>>>>> rewrite.config?
>>>>>>>>>
>>>>>>>>> Have you looked at the log files after start?
>>>>>>>>>
>>>>>>>>> -chris
>>>>>>>>>
>>>>>>>>>> On Thu, Apr 18, 2024 at 1:36 PM lavanya tech <lavanyatech...@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Thomas,
>>>>>>>>>>>
>>>>>>>>>>> Thanks for the fast response.
>>>>>>>>>>>
>>>>>>>>>>> I added classname rewrite valeus in context.xml file.
>>>>>>>>>>>
>>>>>>>>>>>          <!-- REWRITE VALVE -->
>>>>>>>>>>>          <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
>>>>>>>>>>>          <!-- // -->
>>>>>>>>>>>
>>>>>>>>>>> created rewrite.config so both of them are located under conf under
>>>>>>>>>>> apache-tomcat.
>>>>>>>>>>>
>>>>>>>>>>> So according to the documentation they say context.xml should be placed
>>>>>>>>>>> under webapps and rewrite.config file should be put in WEB-INF folder of
>>>>>>>>>>> apache-tomcat
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Ammu
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Apr 18, 2024 at 1:22 PM Mark Thomas <ma...@apache.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On 18/04/2024 12:05, lavanya tech wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am using "Tomcat 10.1" in our environment and I wanted to redirect url
>>>>>>>>>>>>> from https://example.com to https://www.servercom:7777 and for this I
>>>>>>>>>>>>> modified the server.xml as below in tomcat config, and the below
>>>>>>>>>>>>> configuration does not seem to work. Does anyone have ideas? Please
>>>>>>>>>>>>> suggest.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The url alone https://www.servercom:7777/ already works. But just
>>>>>>>>>>>>> redirection from the old to one does not.
>>>>>>>>>>>>>
>>>>>>>>>>>>> <Host name="example.com" appBase="app" unpackWARs="true" autoDeploy="true">
>>>>>>>>>>>>>           <Context path="" docBase="example" />
>>>>>>>>>>>>>           <Alias>example.com</Alias>
>>>>>>>>>>>>>           <!-- Add RewriteValve and RewriteRule here -->
>>>>>>>>>>>>>           <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
>>>>>>>>>>>>>           <Engine name="Catalina" defaultHost="localhost">
>>>>>>>>>>>>>               <Host name="example.com" appBase="app" unpackWARs="true" autoDeploy="true">
>>>>>>>>>>>>>                   <Context path="" docBase="example" />
>>>>>>>>>>>>>                   <Alias>example.com</Alias>
>>>>>>>>>>>>>                   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
>>>>>>>>>>>>>                   <Engine name="Catalina" defaultHost="localhost">
>>>>>>>>>>>>>                       <Host name="example.com" appBase="app" unpackWARs="true" autoDeploy="true">
>>>>>>>>>>>>>                           <Context path="" docBase="example" />
>>>>>>>>>>>>>                           <Alias>example.com</Alias>
>>>>>>>>>>>>>                           <!-- Rewrite rule to redirect to www.servercom:8080/example -->
>>>>>>>>>>>>>                           <RewriteCond %{HTTP_HOST} example\.com [NC]
>>>>>>>>>>>>>                           <RewriteRule ^/(.*)$ https://www.servercom:7777/example/$1 [R=301,L]
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 1. That isn't valid XML.
>>>>>>>>>>>>
>>>>>>>>>>>> 2. Where in the Tomcat docs does it say you can nest re-write rules in a
>>>>>>>>>>>> Host element (or any other element)?
>>>>>>>>>>>>
>>>>>>>>>>>>>                       </Host>
>>>>>>>>>>>>>                   </Engine>
>>>>>>>>>>>>>               </Host>
>>>>>>>>>>>>>           </Engine>
>>>>>>>>>>>>> </Host>
>>>>>>>>>>>>
>>>>>>>>>>>> You need to configure the RewriteValve.
>>>>>>>>>>>> https://tomcat.apache.org/tomcat-10.1-doc/rewrite.html
>>>>>>>>>>>>
>>>>>>>>>>>> Mark
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>
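
The question at the top of this message, whether a certificate issued only for server.lbg.com will also serve example.lbg.com, comes down to name matching on the client: the name in the URL is compared with the certificate's SAN entries, and whether DNS answers with a CNAME or an A record plays no part. The sketch below is an added example, not code from the thread or from Tomcat; the function names and the wildcard certificate are assumptions, and the SAN lists are constructed from the hostnames quoted above.

```python
# Added example (not from the thread): does a certificate's SAN list cover
# every hostname clients will type? Matching follows RFC 6125 dNSName rules.


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def san_matches(san, hostname):
    """True if one dNSName SAN entry covers hostname.

    A wildcard is accepted only as the whole left-most label and stands
    for exactly one label, so "*.lbg.com" never covers "a.b.lbg.com".
    """
    pattern, host = _labels(san), _labels(hostname)
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host


def uncovered(sans, url_hosts):
    """Hostnames used in URLs that no SAN entry covers (client would warn)."""
    return [h for h in url_hosts if not any(san_matches(s, h) for s in sans)]


# Constructed inputs built from the names used in the thread.
# example.lbg.com resolves through a CNAME to server.lbg.com, but the client
# validates the name in the URL, so the CNAME target is never consulted.
URL_HOSTS = ["server.lbg.com", "example.lbg.com"]

CURRENT_CERT = ["server.lbg.com"]                      # single-name certificate
REISSUED_CERT = ["server.lbg.com", "example.lbg.com"]  # SANs listed in step 1
WILDCARD_CERT = ["*.lbg.com"]  # assumption: an alternative not raised in the thread

if __name__ == "__main__":
    for label, sans in [("current", CURRENT_CERT),
                        ("reissued", REISSUED_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        missing = uncovered(sans, URL_HOSTS)
        print(f"{label:9} SANs={sans} uncovered={missing or 'none'}")
```

A name that appears in `uncovered` is one for which browsers and curl will report a certificate name mismatch, however the DNS record for it is set up.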
