Lavanya,
On 4/24/24 15:39, lavanya tech wrote:
Local host means the machine i am logged in to server.lbg.com
You are right, example.lbg.com is CNAME record.
Okay, thanks for clearing that up.
I dont have any SAN configured for the certificate. The certificate is
requested for only server.lbg.com
You will never be able to make a secure request to anything other than
server.lbg.com without seeing an error. I highly recommend adding the
other hostname as a SAN to your certificate if you really want to
support this.
Even if you wanted https://example.lbg.com/whatever to return an HTTP
302 redirect to https://server.lbg.com/whatever, the user would see a
certificate hostname mismatch error which is ugly. It's best to make it
work without users seeing ugly things.
So if i just request new certificate with SAN it should work ? If yes,
I
will request for it and follow your steps as below suggested.
Yes, it should.
Should i use CName record or DNS? Does it make difference?
CNAME *is* DNS.
Whenever possible, use hostnames and not IP addresses as SANs. It's more
flexible that way, and users get to see hostnames instead of IP
addresses.
-chris
On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 4/24/24 07:37, lavanya tech wrote:
Sorry I understood wrongly here with regards to my environment, Let
me
start from the beginning. I donot want to use redirect at all. I
simply
wanted to force apache tomcat to use both localhost and dns name of
the
localhost via url.
When you say "force" what do you mean?
When you say "use both localhost and DNS name" what do you mean?
When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
logged-into right now"?
I have DNS resollution as below.
server.lbg.com --> localhost
Is that a CNAME record?
nslookup server.lbg.com (localhost)
Name: server.lbg.com
Address: 192.168.100.20
alias: example.lbg.com
That's a weird DNS response. The DNS name "localhost" should *always*
return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
191.168.100.20.
We have working the below urls working:
https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl --> redirects to
What do you mean "redirect"? Does it return a 30x response that
causes the
browser to make a new request to \/
https://server.lbg.com:8443/towl --> still works --> we have SSL
configured for the same but this SSL certificate doesnot have
additional
DNS setup.
What SANs are in your certificate? How many certificates do you have?
But I would need to somehow access https://example.lbg.com --> which
means
I would need to access via 443 here ?
I'm so confused. What needs to access what?
I tried to adding the below to server.xml as below, but that doesnot
seems
to work.
<Connector port="80"
protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000"
redirectPort="443" />
This will only redirect (HTTP 302) requests to
http://yourhost/anything
to https://yourhost/anything *if the application specifically
requests
CONFIDENTIAL transport*. It doesn't just redirect everything by
default. If
you want it to redirect everything, you'll need to set that up e.g.
using
RewriteValve. There are other options, too.
Do i need additional SSL certificate for the https://example.lbg.com
to
make it work ?
If you don't want your browser to complain, you will need at least
one TLS
certificate that contains every Subject Alternative Name (SAN) for
every
possible hostname you expect to use with this service. You ca do it
with
multiple certificates as well, but a single cert with multiple SANs
is less
work.
Do i need to set up an additional web server for this like apache or
nginx
for redirecting requests?
No.
Please stop saying "redirect" because it sounds like you almost never
mean
"HTTP 30x redirect" and that's confusing everything.
I *think* you only need the following:
1. A TLS certificate with the following SANs:
* server.lbg.com
* example.lbg.com
* localhost (you shouldn't do this)
2. DNS configured for all hostnames:
* server.lbg.com -> A 192.168.100.20
* example.lgb.com -> A 192.168.100.20
3. Tomcat configured with a single <Host> which is the default virtual
host. Note that this is the *default Tomcat configuration* and
doesn't need
to be changed from the default.
4. Tomcat configured with your certificate like this:
<Connector ...
SSLEnabled="true">
<SSLHostConfig>
<Certificate
certificateFile="/path/to/your/cert.crt"
certificateKeyFile="/path/to/your/key.pem" />
<!-- You may need certificateKeyPassword in <Certificate> -->
</SSLHostConfig>
</Connector>
If your SANs are configured properly, this should allow you to connect
using any of these URLs:
$ curl https://server.lbg.com/towl/login.jsp
(returns login page)
$ curl https://example.lbg.com/towl/login.jsp
(returns login page)
If your application's web.xml contains something like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>theapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
... then these URLs insecure HTTP URLs should redirect your clients:
$ curl http://server.lbg.com/towl/login.jsp
(returns HTTP 302 redirect to
https://server.lbg.com/towl/login.jsp)
$ curl https://server.lbg.com/towl/login.jsp
(returns HTTP 302 redirect to
https://example.lbg.com/towl/login.jsp)
I don't think you need any use of the RewriteValve unless you want to
handle sending HTTP 302 redirect responses to insecure requests
without
specifying the CONFIDENTIAL transport-guarantee in your application's
web.xml file. But I don't see any reason NOT to have that in there.
-chris
On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 4/22/24 05:21, lavanya tech wrote:
Could you please explain, what you exactly mean ? So here redirect
is
not a
solution right ?
Redirecting is fine.
Perhaps you should take a step back and decide: what do you actually
want, here? You might be trying to solve problem X by applying
solution
Y, and you've already decided that solution Y is correct so you are
trying to get help with that.
Perhaps ask for help with Problem X?
For example, "I don't want users to have to type the name of my
application to reach it so I want example.com/ to go to my
application
instead of example.com/myapp/".
Or, "I have multiple domains and I want all of them to redirect to
the
canonical domain example.com and to go to me web application
/myapp so
everything goes to example.com/myapp/".
"You'd have to use a glob/regex if
you wanted to check for [anything and maybe nothing.]example.com."
There is nothing in your configuration or question that suggests
that
the hostname in the request is relevant, but you are making it a
*requirement* that the request contains a specific Host header. IF
you
don't actually need that, why do you have it?
-chris
On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Ammu,
On 4/19/24 08:32, lavanya tech wrote:
Thank you very much. I removed <Host> for example.com as well as
adding
an
<Alias> in server.xml
I copied context.xml file
/git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
Removed < in rewrite.config files.
But still I dont redirect the URL.
If you have <Context> in server.xml and also your application in
the
webapps/ directory, then you will be double-deploying your
application.
Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
/git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are
important)
and remove the <Context> element from your server.xml.
Then start your server and read the logs.
*nslookup alias.example.com <http://alias.example.com>
gives-->Non-authoritative answer:Name: www.example.com
<http://www.example.com>Address: 192.168.200.10Aliases:
alias.example.com
<http://alias.example.com>*
Just to give some information here, *www.example.com
<http://www.example.com>* has alias* "alias.example.com
<http://alias.example.com>"*
But https://www.example.com:7777/example --> works fine with out
issues
but
the alias doesnot works (https://alias.example.com)
So i am not sure if the redirect url helps or if its correct
Your rewrite configuration says that you have to be using host
"example.com" but your request goes to www.example.com. Your
configuration should only redirect a request such as:
$ curl -v http://example.com:7777/something
HTTP/1.1 301 Moved Permanently
...
Location: https://www.example.com:7777/example
If you make a request like:
$ curl -v http://www.example.com:7777/something
I wouldn't expect a redirect because of your "host" condition. The
"%{HTTP_HOST} example.com" looks at the entire Host header and
not
just
anything that ends in "example.com". You'd have to use a
glob/regex if
you wanted to check for [anything and maybe nothing.]example.com.
You'd also have to make sure that your application is serving
responses
to requests to / which is why I'm recommending you use the ROOT
web
application name instead of "towl".
-chris
On Fri, Apr 19, 2024 at 1:21 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Ammu,
On 4/18/24 09:34, lavanya tech wrote:
I am attaching server.xml and context.xml and rewrite.config
files.
The paths are
/git/app/apache-tomcat-10.1.11/webapps/towl/context.xml
<Context>
<Valve
className="org.apache.catalina.valves.rewrite.RewriteValve"
/>
<!-- Other context configuration -->
</Context>
This file ^^^ is in the wrong place. It should be in
/git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
/git/app/apache-tomcat-10.1.11/webapps/towl/WEB-INF/rewrite.config
<RewriteCond %{HTTP_HOST} example.com [NC]
<RewriteRule ^/(.*)$ https://www.example.com:7777/example
[R=301,L]
Why do you have < symbols at the beginning of these lines?
server.xml
> [...]
<Host name="example.com" appBase="webapps"
unpackWARs="true"
autoDeploy="true">
<Context path="" docBase="towl" />
It's best not to define any <Context> in server.xml. I would
remove
this
<Context> entirely and allow Tomcat to auto-reploy from your
webapps/towl directory. If you need this application to be
deployed
as
the ROOT context (on / and not /towl) then you should re-name
/git/app/apache-tomcat-10.1.11/webapps/towl to
/git/app/apache-tomcat-10.1.11/webapps/ROOT
You also don't need a <Host> for example.com as well as adding
an
<Alias> for the same domain (though this is probably to
anonymize the
configuration). You can feel free to simply use the "localhost"
<Host>
as the default <Host> and deploy everything into it. This makes
your
configuration changes relative to a stock Tomcat less
significant and
easier to apply to new versions if/when necessary.
-chris
On Thu, Apr 18, 2024 at 2:17 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Ammu,
On 4/18/24 07:45, lavanya tech wrote:
I added classname rewrite valeus in contex.xml file .
<!-- REWRITE VALVE -->
<Valve
className="org.apache.catalina.valves.rewrite.RewriteValve"
/>
<!-- // -->
created rewrite.config so both of them is located under conf
under
apache-tomcat.
<RewriteCond %{HTTP_HOST}
example.com
[NC]
<RewriteRule ^/(.*)$
https://www.example.com:7777/example [R=301,L]
So according to the documentaion they say context.xml should
be
placed
under webapps and rewrite.config file should be put in WEB-INF
folder
of
apache-tomcat . I placed and restarted tomcat webserver but
still
it
doesnot redirect.
Can you give full paths to both server.xml and rewrite.config,
re-post
your current server.xml <Context> element, and the complete
contents
of
rewrite.config?
Have you looked at the log files after start?
-chris
On Thu, Apr 18, 2024 at 1:36 PM lavanya tech <
lavanyatech...@gmail.com
wrote:
Hi Thomas,
Thanks for the fast response.
I added classname rewrite valeus in contex.xml file .
<!-- REWRITE VALVE -->
<Valve
className="org.apache.catalina.valves.rewrite.RewriteValve"
/>
<!-- // -->
created rewrite.config so both of them is located under
conf
under
apache-tomcat.
So according to the documentaion they say context.xml
should be
placed
under webapps and rewrite.config file should be put in WEB-INF
folder
of
apache-tomcat
Thnks,
Ammu
On Thu, Apr 18, 2024 at 1:22 PM Mark Thomas <
ma...@apache.org>
wrote:
On 18/04/2024 12:05, lavanya tech wrote:
Hi Team,
I am using "Tomcat 10.1" in our environment and I wanted
to
redirect
url
from https://example.com to https://www.servercom:7777 and
for
this i
modified the server.xml as below in tomcat config, and the
below
configuration doesnot seems to work. Does anyone has
ideas.
Please
suggest.
The url alone https://www.servercom:7777/ already works.
But
just
redirection from the old to one doesnot.
<Host name="example.com" appBase="app" unpackWARs="true"
autoDeploy="true">
<Context path="" docBase="example" />
<Alias>example.com</Alias>
<!-- Add RewriteValve and RewriteRule here -->
<Valve
className="org.apache.catalina.valves.rewrite.RewriteValve"/>
<Engine name="Catalina"
defaultHost="localhost">
<Host name="example.com" appBase="app"
unpackWARs="true"
autoDeploy="true">
<Context path="" docBase="example" />
<Alias>example.com</Alias>
<Valve
className="org.apache.catalina.valves.rewrite.RewriteValve"/>
<Engine name="Catalina"
defaultHost="localhost">
<Host name="example.com" appBase="app"
unpackWARs="true" autoDeploy="true">
<Context path=""
docBase="example" />
<Alias>example.com</Alias>
<!-- Rewrite rule to redirect
to
www.servercom:8080/example -->
<RewriteCond %{HTTP_HOST}
example\.com
[NC]
<RewriteRule ^/(.*)$
https://www.servercom:7777/example/$1 [R=301,L]
1. That isn't valid XML.
2. Where in the Tomcat docs does it say you can nest
re-write
rules
in
a
Host element (or any other element)?
</Host>
</Engine>
</Host>
</Engine>
</Host>
You need to configure the RewriteValve.
https://tomcat.apache.org/tomcat-10.1-doc/rewrite.html
Mark
------------------------------------------------------------
---------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:
users-h...@tomcat.apache.org
------------------------------------------------------------
---------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
------------------------------------------------------------
---------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
