Hi Chris,

> Where are you defining the RewriteValve itself?

1) Defined the RewriteValve here:

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

          <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"
                 resource="conf/rewrite.config" />

2) Created rewrite.config and added the below under conf/:

 RewriteCond %{REQUEST_URI} ^/towl/(.*)
 RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]

3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml (I already
have this /* mapping in the web.xml file):

   <security-constraint>
      <web-resource-collection>
        <web-resource-name>Logging Area</web-resource-name>
        <description>
        Authentication for registered users.
        </description>
        <url-pattern>/*</url-pattern>
        <url-pattern>/api/v1/search</url-pattern> <!-- protect search endpoint whitelisted above -->
        <url-pattern>/api/v1/suggest/*</url-pattern> <!-- protect suggest endpoint whitelisted above -->
      </web-resource-collection>
        <auth-constraint>
            <role-name>LDAP_USER</role-name>
            <role-name>api</role-name>
        </auth-constraint>
    </security-constraint>

4) Restarted Tomcat. Now I cannot access https://server.lbg.com:8443/towl
--> I get the below error:

Message java.nio.file.NoSuchFileException:
/git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar

Description The server encountered an unexpected condition that prevented
it from fulfilling the request.

5) Also https://example.lbg.com does not work anymore.

> Before you do anything with redirecting, can you just make sure you are
> only deploying ROOT.war and nothing else?

How can I do that? I already changed towl.war to ROOT.war.

But still both the URLs have the error mentioned above.


So I reverted the changes.

> That's weird. Try stopping, deleting the work/ directory and restarting.

--> I have this weird behavior for some reason, though index.jsp is in place
and no changes were made to the file. After deleting cookies the URL works.

Where am I going wrong?

Thanks,
Lavanya
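
Added example (mine, not from this thread or from Tomcat): a small Python model of how the RewriteValve evaluates the two rewrite.config directives above, so the redirect behaviour can be checked before restarting Tomcat. It assumes path-only matching (query strings are left out) and adds an allow-list check that the redirect host is written literally rather than captured from the request; the request paths fed to it are constructed.

```python
"""Model of the RewriteCond/RewriteRule pair from the thread's rewrite.config.

Added example, not Tomcat's own code. Semantics modelled after Tomcat's
RewriteValve (and Apache mod_rewrite): a RewriteCond guards the next
RewriteRule, %N is a capture from the RewriteCond, $N a capture from the
RewriteRule, and [R] turns the substitution into an external redirect.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed copy of the two-line rewrite.config posted in the thread.
REWRITE_CONFIG = """\
RewriteCond %{REQUEST_URI} ^/towl/(.*)
RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
"""


@dataclass
class Rule:
    cond: Optional["re.Pattern[str]"]  # tested against %{REQUEST_URI}, if present
    pattern: "re.Pattern[str]"         # RewriteRule pattern, tested against the path
    target: str                        # substitution, may contain %N and $N
    redirect: bool                     # [R] flag present


def parse_rewrite_config(text: str) -> List[Rule]:
    """Parse the subset of rewrite.config syntax used in the thread.

    Only %{REQUEST_URI} conditions are supported; anything else is rejected
    rather than silently ignored.
    """
    rules: List[Rule] = []
    pending_cond: Optional["re.Pattern[str]"] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "RewriteCond":
            if parts[1] != "%{REQUEST_URI}":
                raise ValueError(f"unsupported test string: {parts[1]}")
            pending_cond = re.compile(parts[2])
        elif parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append(Rule(pending_cond, re.compile(parts[1]), parts[2], "R" in flags))
            pending_cond = None  # a condition only guards the rule that follows it
        else:
            raise ValueError(f"unknown directive: {parts[0]}")
    return rules


def _substitute(target: str, cond_match, rule_match) -> str:
    """Expand %N (RewriteCond groups) and $N (RewriteRule groups) in target."""
    if cond_match is not None:
        for i, group in enumerate(cond_match.groups(), start=1):
            target = target.replace(f"%{i}", group or "")
    for i, group in enumerate(rule_match.groups(), start=1):
        target = target.replace(f"${i}", group or "")
    return target


def evaluate(rules: List[Rule], request_path: str) -> Tuple[str, str]:
    """Return ("redirect", location), ("rewrite", new_path) or ("pass", request_path).

    Query strings are not modelled: both the condition and the rule are tested
    against the request path only, which is how the thread's rules are written.
    """
    for rule in rules:
        cond_match = None
        if rule.cond is not None:
            cond_match = rule.cond.search(request_path)
            if cond_match is None:
                continue
        rule_match = rule.pattern.search(request_path)
        if rule_match is None:
            continue
        new = _substitute(rule.target, cond_match, rule_match)
        return ("redirect", new) if rule.redirect else ("rewrite", new)
    return ("pass", request_path)


def redirect_host_is_fixed(rules: List[Rule], allowed_hosts: Set[str]) -> bool:
    """Check that every [R] target names an allowed host literally.

    A host built from %N or $N would let request data choose the redirect
    destination (an open redirect); the thread's rule hard-codes example.lbg.com.
    """
    for rule in rules:
        if not rule.redirect:
            continue
        netloc = urlsplit(rule.target).netloc
        if "%" in netloc or "$" in netloc or netloc.lower() not in allowed_hosts:
            return False
    return True


if __name__ == "__main__":
    rules = parse_rewrite_config(REWRITE_CONFIG)
    # /towl without the trailing slash does not match ^/towl/(.*) and passes
    # through untouched: the rule only fires once the slash is present.
    for path in ["/towl/", "/towl/api/v1/search", "/towl", "/", "/other/towl/x"]:
        print(f"{path:22} -> {evaluate(rules, path)}")
    print("redirect host fixed:", redirect_host_is_fixed(rules, {"example.lbg.com"}))
```

Note that a request for /towl (no trailing slash) falls through the rule, which matters when testing https://server.lbg.com:8443/towl as above.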


On Fri, May 10, 2024 at 6:50 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 5/10/24 04:37, lavanya tech wrote:
> > I tried the below and have the issues.
> >
> > 1)proxyPort="443" and proxyName="example.lbg.com" to the connector
> > 2) renamed towl.war to ROOT.war
> > 3) created rewrite.config and added as below under conf/
>
> Where are you defining the RewriteValve itself?
>
> > RewriteCond %{REQUEST_URI} ^/towl/(.*)
> > RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>
> If this is being handled by the ROOT servlet then I think it's right.
>
> > 4) added this in web.xml file of /webapps/towl/web.xml/
> >
> >    <!-- Servlet mappings -->
> >      <!-- Add your existing servlet mappings here -->
> >
> >      <!-- Security constraint to restrict access to /towl path -->
> >      <security-constraint>
> >          <web-resource-collection>
> >              <web-resource-name>Restricted Access to
> > /towl</web-resource-name>
> >              <url-pattern>/towl/*</url-pattern>
>
> No, this is wrong. Since this is the "towl" application and not ROOT,
> you want to map /* and not /towl/* because the application will never
> see the /towl/ as it's an application/context prefix that Tomcat will
> remove.
>
> >          </web-resource-collection>
> >          <auth-constraint>
> >              <!-- Deny access to all roles -->
> >          </auth-constraint>
> >      </security-constraint>
> >
> > Also I noticed that even if I rename the towl application to ROOT, when I
> > call the url with https://example.lbg.com/towl --> this towl directory is
> > getting created under webapps by default
>
> If webapps/towl is being created, then it's happening for some other
> reason. Do you have anything under conf/Catalina/*/towl.xml which points
> to a WAR file or something? If so, remove that.
>
> > 5) Restarted tomcat and I have the below error and all the urls have the
> > same issue
> >
> > Message org.apache.jasper.JasperException:
> > java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
>
> That's weird. Try stopping, deleting the work/ directory and restarting.
>
> > Description The server encountered an unexpected condition that prevented
> > it from fulfilling the request.
> >
> > Exception
> >
> > org.apache.jasper.JasperException: org.apache.jasper.JasperException:
> > java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
> >
> org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:578)
> >
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
> > org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
> > org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
> > jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>
> Before you do anything with redirecting, can you just make sure you are
> only deploying ROOT.war and nothing else?
>
> This should allow you to reach the application at both
> https://example.lbg.com/ and https://server.lbg.com/ as well as both of
> those with port 8443.
>
> Then use the applications and make sure they are working as expected.
> Then, we'll add the /towl handling.
>
> -chris
>
> > On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Lavanya,
> >>
> >> On 5/9/24 13:48, lavanya tech wrote:
> >>> Thank you so much for your explanation. I will try these options.
> >>>
> >>> Do server and example both resolve to the same IP?
> >>>           -yes
> >>
> >> Good, that significantly reduces the complexity required, since you can
> >> do it with a single process (Tomcat) in a single environment.
> >>
> >>> So I need to follow both 4a/b and 5a/b steps here, or any of them?
> >>>
> >>> If I set up exactly by using the below steps, then I should be able to
> >>> access both the urls, right? https://server.lbg.com:8443/towl and
> >>> https://example.lbg.com
> >>
> >> If you visit either hostname with /towl, you will be redirected to
> >> example.lbg.com/ with no port number. example:8443 will still work and
> >> no redirect will take place... unless you specifically make arrangements
> >> for that. We can do that later if you really want to.
> >>
> >> Let's get the other things working, first.
> >>
> >> -chris
> >>
> >>> On Thursday, May 9, 2024, Christopher Schultz <
> >> ch...@christopherschultz.net>
> >>> wrote:
> >>>
> >>>> Lavanya,
> >>>>
> >>>> On 5/9/24 02:58, lavanya tech wrote:
> >>>>
> >>>>> Just giving background again of this topic again.
> >>>>>
> >>>>> 1) The application team who are working on it wanted to access the url
> >>>>> https://server.lbg.com:8443/towl —> which should redirect or point to
> >>>>> https://example.lbg.com
> >>>>>
> >>>>> Is that a typo? You want specifically https://server.lbg.com/towl and
> >>>>> https://example.lbg.com/ to point to your application?
> >>>>>                  — It's not a typo, the requirements are still the
> >>>>> same.
> >>>>>
> >>>>
> >>>> Okay.
> >>>>
> >>>> Do server and example both resolve to the same IP?
> >>>>
> >>>>> 2) Hence I added a firewall rule to redirect port 443 to 8443. And the url
> >>>>> https://example.lbg.com started working but it's pointing to
> >>>>> https://server.lbg.com:8443 indeed and not
> >>>>> https://server.lbg.com:8443/towl
> >>>>>
> >>>>> But then they wanted point 1 to have it, if I understood correctly. So
> >>>>> basically to achieve this we wanted a reverse proxy setup?
> >>>>>
> >>>>> I did not define any additional host in the server.xml file, I just left
> >>>>> it at the default localhost.
> >>>>>
> >>>>
> >>>> Here's what you have to do in order to support this odd configuration.
> >>>>
> >>>> 1. Configure your firewall to route port 443 -> 8443. I suspect this
> is
> >>>> already done.
> >>>>
> >>>> 2. Deploy Tomcat on server.lbg.com with a <Connector> on port 8443.
> >> This
> >>>> is the default, so there shouldn't be anything to do. I suspect this
> is
> >>>> already done. You should set proxyPort="443" and proxyName="
> >>>> example.lbg.com" in your <Connector>. This will ensure that any URLs
> >>>> generated by Tomcat or your application will point to
> >>>> https://example.lbg.com/ and not to server.lbg.com or have a port
> >> number
> >>>> or whatever.
> >>>>
> >>>> 3. Re-name your application directory or WAR file from towl -> ROOT
> >> (upper
> >>>> case is important). So if you have tomcat/webapps/towl re-name that to
> >>>> tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name
> that
> >> to
> >>>> tomcat/webapps/ROOT.war.
> >>>>
> >>>> The last thing to do is get /towl to re-direct to /. There are a few
> >> ways
> >>>> of doing that.
> >>>>
> >>>> 4a. Configure your application (now called ROOT and deployed on / and
> >> not
> >>>> /towl anymore) to handle the /towl URL and specifically redirect this
> >> back
> >>>> to /. This is oddly specific and has the application trying to
> redirect
> >> to
> >>>> itself which is weird.
> >>>>
> >>>> 4b. Create a new application called towl or towl.war which will be
> >>>> deployed on /towl and have THAT redirect to /. I think this is cleaner
> >>>> because you can call the application anything you'd like and it will
> >> still
> >>>> work. You don't have to match URL patterns yourself, you just re-name
> >> the
> >>>> WAR file if you suddenly want to use /towl2 instead of /towl.
> >>>>
> >>>> There are several ways to redirect.
> >>>>
> >>>> 5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A few
> >>>> notes: (1) the (*) means "capture this string" and \1 means "put the
> >> string
> >>>> back. This allows you to redirect /towl/foo/bar to /foo/bar instead of
> >>>> losing the /foo/bar. This syntax may not be perfect, adapt it to your
> >>>> needs. (2) Remember that the towl application is deployed on /towl so
> >> you
> >>>> don't want to redirect /towl/foo/bar you only want redirect /foo/bar
> >> since
> >>>> the URL will be relative to the current context (/towl). Got that?
> >> Finally,
> >>>> (3) you need to use a global redirect that does *NOT* redirect back to
> >> the
> >>>> /towl application. Normally, if you redirect to /foo you'll get an
> >>>> application-relative redirect from something like a rewrite
> >>>> valve/filter/whatever. Take care to redirect relative to the SERVER
> and
> >> not
> >>>> to the application.
> >>>>
> >>>> 5b. Write your own servlet to do a specific redirect.
> >>>>
> >>>> I hope that helps,
> >>>> -chris
> >>>>
> >>>> On Wednesday, May 8, 2024, Christopher Schultz <
> >>>>> ch...@christopherschultz.net>
> >>>>> wrote:
> >>>>>
> >>>>> Lavanya,
> >>>>>>
> >>>>>> On 5/8/24 06:48, lavanya tech wrote:
> >>>>>>
> >>>>>>> I figured out how I can make it work with 443. Now the URLs are
> >>>>>>> working.
> >>>>>>> I added an iptables route from 443 to 8443 and it started working.
> >>>>>>>
> >>>>>>> nslookup example.lbg.com
> >>>>>>>
> >>>>>>> Non-authoritative answer:
> >>>>>>> Name:    server.lbg.com
> >>>>>>> Address:  192.168.200.105
> >>>>>>> Aliases:  example.lbg.com
> >>>>>>>
> >>>>>>>
> >>>>>>> I have some application towl running with apache tomcat. I have the
> >>>>>>> below
> >>>>>>> URLs working.
> >>>>>>>
> >>>>>>> https://server.lbg.com:8443/towl
> >>>>>>> https://server.lbg.com
> >>>>>>> https://example.lbg.com
> >>>>>>> https://example.lbg.com/towl
> >>>>>>>
> >>>>>>>
> >>>>>>> Now i wanted to disable the url https://example.lbg.com/towl and
> >>>>>>> https://server.lbg.com and access only the other remaining two.
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>> I would *highly* recommend that you pick either /towl or / and not
> >> try to
> >>>>>> do both, unless you want to deploy the application twice (which is
> >> fine,
> >>>>>> just deploy towl.war and ROOT.war as copies of each other). If you
> >> try to
> >>>>>> re-write /towl to / or / to /towl, you'll find you spend the rest of
> >> your
> >>>>>> days tracking-down edge-cases and "fixing" them -- likely making
> >> things
> >>>>>> confusing and, probably, worse.
> >>>>>>
> >>>>>>> In the end our goal is to make sure that the links are not always dead
> >>>>>>> as soon as the towl is moved to a new machine. Can you please assist me
> >>>>>>> with how to do that?
> >>>>>>>
> >>>>>>>
> >>>>>> The goal should be that "moving" the application only means changing
> >> DNS
> >>>>>> and everything else works as expected.
> >>>>>>
> >>>>>> If you:
> >>>>>>
> >>>>>> 1. Deploy the application with a single context (e.g. /towl, which I
> >>>>>> recommend)
> >>>>>>
> >>>>>> 2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT
> >>>>>> application that does nothing but redirect ; my personal preference)
> >>>>>>
> >>>>>> 3. Do not define any <Host> other than "localhost" and make it the
> >>>>>> default. Do not bother with any <Alias> elements since they are not
> >>>>>> necessary.
> >>>>>>
> >>>>>> Moving the application should only require that you:
> >>>>>>
> >>>>>> 4. Deploy the same application with the same configuration in the
> new
> >>>>>> location
> >>>>>>
> >>>>>> 5. Change DNS to point example.lbg.com and server.lbg.com to the
> new
> >>>>>> location of the service
> >>>>>>
> >>>>>> Hope that helps,
> >>>>>> -chris
> >>>>>>
> >>>>>> On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <
> >>>>>> ch...@christopherschultz.net> wrote:
> >>>>>>
> >>>>>> Lavanya,
> >>>>>>
> >>>>>> On 4/30/24 07:10, lavanya tech wrote:
> >>>>>>
> >>>>>> Can you tell me how to do the below ? How should I setup Tomcat in
> >>>>>> server.xml ?
> >>>>>>
> >>>>>>
> >>>>>> If you want to use port 443 (the default port for HTTPS) then you
> will
> >>>>>> need to change Tomcat to bind to port 443 (if that's allowed on your
> >> OS)
> >>>>>> or arrange to have port 443 routed to port 8443. You may need
> >> additional
> >>>>>> configuration in Tomcat (specifically: proxyPort) to avoid having
> >> Tomcat
> >>>>>> generate URLs with ":8443" in them.
> >>>>>>
> >>>>>> Looking forward to your reply.
> >>>>>>
> >>>>>>
> >>>>>> If Tomcat is listening on port 8443 then you will need to include
> that
> >>>>>> in your URL, period. If you want to allow URLs without a port
> number,
> >>>>>> you will have to arrange to have something listening on port 443.
> >>>>>>
> >>>>>> On Windows, Tomcat can listen directly on port 443. On UNIX and
> >>>>>> UNIX-like systems, you won't be able to do this without running
> Tomcat
> >>>>>> as root WHICH YOU ABSOLUTELY SHOULD NOT DO.
> >>>>>>
> >>>>>> There are other ways to get port 443 working, but I'll need to know
> >> more
> >>>>>> about your environment. The port issue is "easier" than figuring out
> >>>>>> whatever is going on with your DNS, aliases, etc. so I would
> recommend
> >>>>>> we fix one thing at a time.
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>> On Mon, Apr 29, 2024 at 2:03 PM lavanya tech <
> >> lavanyatech...@gmail.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>> Hi Chris,
> >>>>>>
> >>>>>> There are no issues with the browser, because I tested with different
> >>>>>> browsers and it all works fine. I am sure that there is no issue with the
> >>>>>> certificate.
> >>>>>>       Because I was able to establish successful connections with port
> >>>>>> 8443, it just does not work without a port.
> >>>>>>
> >>>>>>       curl  https://example.lbg.com/towl
> >>>>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
> >>>>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
> >>>>>>
> >>>>>>
> >>>>>> If you want to use port 443 (the default port for HTTPS) then you
> will
> >>>>>> need to change Tomcat to bind to port 443 (if that's allowed on your
> >> OS)
> >>>>>> or arrange to have port 443 routed to port 8443. You may need
> >> additional
> >>>>>> configuration in Tomcat (specifically: proxyPort) to avoid having
> >> Tomcat
> >>>>>> generate URLs with ":8443" in them.
> >>>>>>
> >>>>>> <Connector port="443" protocol="HTTP/1.1"
> >>>>>>                 connectionTimeout="20000"
> >>>>>>                 redirectPort="8443"
> >>>>>>                 maxThreads="150"
> >>>>>>                 scheme="https" secure="true" SSLEnabled="true"
> >>>>>>                 keystoreFile="path_to_your_keystore_file"
> >>>>>>                 keystorePass="your_keystore_password"
> >>>>>>                 keystoreType="PKCS12"
> >>>>>>                 clientAuth="false" sslProtocol="TLS"
> >>>>>>                 proxyPort="443"/>
> >>>>>>
> >>>>>> Should I use a connector port like the above? But you mentioned before we
> >>>>>> don't need any configuration changes. Please clarify, I am not able to
> >>>>>> figure this out and I have had this issue pending for many days. How to
> >>>>>> make it work with port 8443 and without a port?
> >>>>>>
> >>>>>> Also I wanted to use the web url with the alias name permanently instead
> >>>>>> of the hostname. How can I achieve both?
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Lavanya
> >>>>>>
> >>>>>>
> >>>>>>        -->
> >>>>>>
> >>>>>>
> >>>>>> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
> >>>>>> ch...@christopherschultz.net> wrote:
> >>>>>>
> >>>>>> Lavanya,
> >>>>>>
> >>>>>> On 4/25/24 07:24, lavanya tech wrote:
> >>>>>>
> >>>>>> Hi Chris,
> >>>>>>
> >>>>>> One question / doubt:
> >>>>>>
> >>>>>> As I mentioned earlier, the below URLs are already working in the browser
> >>>>>>
> >>>>>> https://server.lbg.com:8443/towl
> >>>>>> https://example.lbg.com:8443/towl -> redirect (which means when I hit it
> >>>>>> in the browser it points to https://server.lbg.com:8443/towl) ---> To be
> >>>>>> frank, I do not even need a redirect here, not sure why it redirects.
> >>>>>>
> >>>>>> My question is why it's working even though the SAN is not registered
> >>>>>> with the certificate? It does not even throw a warning in the browser.
> >>>>>>
> >>>>>>
> >>>>>> I'm not sure. Is it possible you have dismissed this error in the
> past
> >>>>>> and the browser is remembering that? Try this with a different web
> >>>>>> browser or maybe with curl from the command-line to see what
> happens.
> >>>>>>
> >>>>>> Why https://server.lbg.com/towl or https://example.lbg.com/towl -->
> >>>>>> How should it work with the new SAN certificate?
> >>>>>>
> >>>>>>
> >>>>>> You don't need to worry about the port number or application name,
> >> only
> >>>>>> the hostname is a part of the SAN.
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech <
> >>>>>>
> >>>>>> lavanyatech...@gmail.com
> >>>>>>
> >>>>>>
> >>>>>> wrote:
> >>>>>>
> >>>>>> Hi Chris,
> >>>>>>
> >>>>>>
> >>>>>> Thanks, I will request a new certificate with SANs and I will try to fix
> >>>>>> the things from our end.
> >>>>>>
> >>>>>> Best Regards,
> >>>>>> Lavanya
> >>>>>>
> >>>>>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
> >>>>>> ch...@christopherschultz.net> wrote:
> >>>>>>
> >>>>>> Lavanya,
> >>>>>>
> >>>>>> On 4/24/24 15:39, lavanya tech wrote:
> >>>>>>
> >>>>>> Local host means the machine i am logged in to server.lbg.com
> >>>>>>
> >>>>>> You are right, example.lbg.com is CNAME record.
> >>>>>>
> >>>>>>
> >>>>>> Okay, thanks for clearing that up.
> >>>>>>
> >>>>>> I dont have any SAN configured for the certificate. The certificate
> >>>>>>
> >>>>>> is
> >>>>>>
> >>>>>> requested for only server.lbg.com
> >>>>>>
> >>>>>>
> >>>>>> You will never be able to make a secure request to anything other
> >>>>>>
> >>>>>> than
> >>>>>>
> >>>>>> server.lbg.com without seeing an error. I highly recommend adding
> >>>>>>
> >>>>>> the
> >>>>>>
> >>>>>> other hostname as a SAN to your certificate if you really want to
> >>>>>> support this.
> >>>>>>
> >>>>>> Even if you wanted https://example.lbg.com/whatever to return an
> >>>>>>
> >>>>>> HTTP
> >>>>>>
> >>>>>> 302 redirect to https://server.lbg.com/whatever, the user would
> >>>>>>
> >>>>>> see a
> >>>>>>
> >>>>>> certificate hostname mismatch error which is ugly. It's best to make
> >>>>>>
> >>>>>> it
> >>>>>>
> >>>>>> work without users seeing ugly things.
> >>>>>>
> >>>>>> So if i just request new certificate with SAN it should work ? If
> >>>>>>
> >>>>>> yes, I
> >>>>>>
> >>>>>> will request for it and follow your steps as below suggested.
> >>>>>>
> >>>>>>
> >>>>>> Yes, it should.
> >>>>>>
> >>>>>> Should i use CName record or DNS? Does it make difference?
> >>>>>>
> >>>>>>
> >>>>>> CNAME *is* DNS.
> >>>>>>
> >>>>>> Whenever possible, use hostnames and not IP addresses as SANs. It's
> >>>>>>
> >>>>>> more
> >>>>>>
> >>>>>> flexible that way, and users get to see hostnames instead of IP
> >>>>>>
> >>>>>> addresses.
> >>>>>>
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>> On Wednesday, April 24, 2024, Christopher Schultz <
> >>>>>> ch...@christopherschultz.net> wrote:
> >>>>>>
> >>>>>> Lavanya,
> >>>>>>
> >>>>>> On 4/24/24 07:37, lavanya tech wrote:
> >>>>>>
> >>>>>> Sorry I understood wrongly here with regards to my environment. Let me
> >>>>>> start from the beginning. I do not want to use redirect at all. I simply
> >>>>>> wanted to force apache tomcat to use both localhost and the dns name of
> >>>>>> the localhost via url.
> >>>>>>
> >>>>>>
> >>>>>> When you say "force" what do you mean?
> >>>>>>
> >>>>>> When you say "use both localhost and DNS name" what do you mean?
> >>>>>>
> >>>>>> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
> >>>>>> logged-into right now"?
> >>>>>>
> >>>>>> I have DNS resolution as below.
> >>>>>>
> >>>>>>
> >>>>>> server.lbg.com --> localhost
> >>>>>>
> >>>>>>
> >>>>>> Is that a CNAME record?
> >>>>>>
> >>>>>> nslookup server.lbg.com (localhost)
> >>>>>>
> >>>>>> Name:    server.lbg.com
> >>>>>> Address:  192.168.100.20
> >>>>>> alias: example.lbg.com
> >>>>>>
> >>>>>>
> >>>>>> That's a weird DNS response. The DNS name "localhost" should
> >>>>>>
> >>>>>> *always*
> >>>>>>
> >>>>>> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
> >>>>>> 191.168.100.20.
> >>>>>>
> >>>>>> We have the below urls working:
> >>>>>>
> >>>>>> https://server.lbg.com:8443/towl
> >>>>>> https://example.lbg.com:8443/towl --> redirects to
> >>>>>>
> >>>>>>
> >>>>>> What do you mean "redirect"? Does it return a 30x response that
> >>>>>>
> >>>>>> causes
> >>>>>>
> >>>>>> the
> >>>>>>
> >>>>>> browser to make a new request to \/
> >>>>>>
> >>>>>> https://server.lbg.com:8443/towl  --> still works --> we have SSL
> >>>>>> configured for the same but this SSL certificate does not have
> >>>>>> additional DNS setup.
> >>>>>>
> >>>>>>
> >>>>>> What SANs are in your certificate? How many certificates do you
> >>>>>>
> >>>>>> have?
> >>>>>>
> >>>>>>
> >>>>>> But I would need to somehow access https://example.lbg.com --> which
> >>>>>> means I would need to access via 443 here?
> >>>>>>
> >>>>>>
> >>>>>> I'm so confused. What needs to access what?
> >>>>>>
> >>>>>> I tried adding the below to server.xml, but that does not seem
> >>>>>> to work.
> >>>>>>
> >>>>>>             <Connector port="80"
> >>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>>>>>                    connectionTimeout="20000"
> >>>>>>                    redirectPort="443" />
> >>>>>>
> >>>>>>
> >>>>>> This will only redirect (HTTP 302) requests to
> >>>>>>
> >>>>>> http://yourhost/anything
> >>>>>>
> >>>>>> to https://yourhost/anything *if the application specifically
> >>>>>>
> >>>>>> requests
> >>>>>>
> >>>>>> CONFIDENTIAL transport*. It doesn't just redirect everything by
> >>>>>>
> >>>>>> default. If
> >>>>>>
> >>>>>> you want it to redirect everything, you'll need to set that up
> >>>>>>
> >>>>>> e.g.
> >>>>>>
> >>>>>> using
> >>>>>>
> >>>>>> RewriteValve. There are other options, too.
> >>>>>>
> >>>>>> Do I need an additional SSL certificate for https://example.lbg.com
> >>>>>> to make it work?
> >>>>>>
> >>>>>>
> >>>>>> If you don't want your browser to complain, you will need at least
> >>>>>>
> >>>>>> one
> >>>>>>
> >>>>>> TLS
> >>>>>>
> >>>>>> certificate that contains every Subject Alternative Name (SAN) for
> >>>>>>
> >>>>>> every
> >>>>>>
> >>>>>> possible hostname you expect to use with this service. You can do it
> >>>>>> with multiple certificates as well, but a single cert with multiple
> >>>>>> SANs is less work.
> >>>>>>
> >>>>>> Do I need to set up an additional web server for this like apache or
> >>>>>> nginx for redirecting requests?
> >>>>>>
> >>>>>>
> >>>>>> No.
> >>>>>>
> >>>>>> Please stop saying "redirect" because it sounds like you almost
> >>>>>>
> >>>>>> never
> >>>>>>
> >>>>>> mean
> >>>>>>
> >>>>>> "HTTP 30x redirect" and that's confusing everything.
> >>>>>>
> >>>>>> I *think* you only need the following:
> >>>>>>
> >>>>>> 1. A TLS certificate with the following SANs:
> >>>>>>
> >>>>>>          * server.lbg.com
> >>>>>>          * example.lbg.com
> >>>>>>          * localhost (you shouldn't do this)
> >>>>>>
> >>>>>> 2. DNS configured for all hostnames:
> >>>>>>
> >>>>>>          * server.lbg.com -> A 192.168.100.20
> >>>>>>          * example.lbg.com -> A 192.168.100.20
> >>>>>>
> >>>>>> 3. Tomcat configured with a single <Host> which is the default
> >>>>>>
> >>>>>> virtual
> >>>>>>
> >>>>>> host. Note that this is the *default Tomcat configuration* and
> >>>>>>
> >>>>>> doesn't
> >>>>>>
> >>>>>> need
> >>>>>>
> >>>>>> to be changed from the default.
> >>>>>>
> >>>>>> 4. Tomcat configured with your certificate like this:
> >>>>>>
> >>>>>>           <Connector ...
> >>>>>>              SSLEnabled="true">
> >>>>>>             <SSLHostConfig>
> >>>>>>               <Certificate
> >>>>>>                   certificateFile="/path/to/your/cert.crt"
> >>>>>>                   certificateKeyFile="/path/to/your/key.pem" />
> >>>>>>               <!-- You may need certificateKeyPassword in
> >>>>>>
> >>>>>> <Certificate>
> >>>>>>
> >>>>>> -->
> >>>>>>
> >>>>>>             </SSLHostConfig>
> >>>>>>           </Connector>
> >>>>>>
> >>>>>> If your SANs are configured properly, this should allow you to
> >>>>>>
> >>>>>> connect
> >>>>>>
> >>>>>> using any of these URLs:
> >>>>>>
> >>>>>> $ curl https://server.lbg.com/towl/login.jsp
> >>>>>>
> >>>>>>          (returns login page)
> >>>>>>
> >>>>>> $ curl https://example.lbg.com/towl/login.jsp
> >>>>>>
> >>>>>>          (returns login page)
> >>>>>>
> >>>>>> If your application's web.xml contains something like this:
> >>>>>>
> >>>>>>          <security-constraint>
> >>>>>>            <web-resource-collection>
> >>>>>>              <web-resource-name>theapp</web-resource-name>
> >>>>>>              <url-pattern>/*</url-pattern>
> >>>>>>            </web-resource-collection>
> >>>>>>            <user-data-constraint>
> >>>>>>              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >>>>>>            </user-data-constraint>
> >>>>>>          </security-constraint>
> >>>>>>
> >>>>>> ... then these insecure HTTP URLs should redirect your clients:
> >>>>>>
> >>>>>>
> >>>>>> $ curl http://server.lbg.com/towl/login.jsp
> >>>>>>
> >>>>>>          (returns HTTP 302 redirect to
> >>>>>>
> >>>>>> https://server.lbg.com/towl/login.jsp
> >>>>>>
> >>>>>> )
> >>>>>>
> >>>>>>
> >>>>>> $ curl https://server.lbg.com/towl/login.jsp
> >>>>>>
> >>>>>>          (returns HTTP 302 redirect to
> >>>>>>
> >>>>>> https://example.lbg.com/towl/login.jsp)
> >>>>>>
> >>>>>>
> >>>>>> I don't think you need any use of the RewriteValve unless you want
> >>>>>>
> >>>>>> to
> >>>>>>
> >>>>>> handle sending HTTP 302 redirect responses to insecure requests
> >>>>>>
> >>>>>> without
> >>>>>>
> >>>>>> specifying the CONFIDENTIAL transport-guarantee in your
> >>>>>>
> >>>>>> application's
> >>>>>>
> >>>>>> web.xml file. But I don't see any reason NOT to have that in
> >>>>>>
> >>>>>> there.
> >>>>>>
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>> On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
> >>>>>>
> >>>>>> ch...@christopherschultz.net> wrote:
> >>>>>>
> >>>>>> Lavanya,
> >>>>>>
> >>>>>>
> >>>>>> On 4/22/24 05:21, lavanya tech wrote:
> >>>>>>
> >>>>>> Could you please explain, what you exactly mean ? So here
> >>>>>>
> >>>>>> redirect
> >>>>>>
> >>>>>> is
> >>>>>>
> >>>>>>
> >>>>>> not a
> >>>>>>
> >>>>>> solution right ?
> >>>>>>
> >>>>>>
> >>>>>> Redirecting is fine.
> >>>>>>
> >>>>>> Perhaps you should take a step back and decide: what do you
> >>>>>>
> >>>>>> actually
> >>>>>>
> >>>>>> want, here? You might be trying to solve problem X by applying
> >>>>>>
> >>>>>> solution
> >>>>>>
> >>>>>> Y, and you've already decided that solution Y is correct so you
> >>>>>>
> >>>>>> are
> >>>>>>
> >>>>>> trying to get help with that.
> >>>>>>
> >>>>>> Perhaps ask for help with Problem X?
> >>>>>>
> >>>>>> For example, "I don't want users to have to type the name of my
> >>>>>> application to reach it so I want example.com/ to go to my
> >>>>>>
> >>>>>> application
> >>>>>>
> >>>>>> instead of example.com/myapp/".
> >>>>>>
> >>>>>> Or, "I have multiple domains and I want all of them to redirect
> >>>>>>
> >>>>>> to
> >>>>>>
> >>>>>> the
> >>>>>>
> >>>>>> canonical domain example.com and to go to my web application
> >>>>>>
> >>>>>> /myapp
> >>>>>>
> >>>>>> so
> >>>>>>
> >>>>>> everything goes to example.com/myapp/".
> >>>>>>
> >>>>>> "You'd have to use a glob/regex if you wanted to check for [anything
> >>>>>> and maybe nothing.] example.com."
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> There is nothing in your configuration or question that suggests
> >>>>>>
> >>>>>> that
> >>>>>>
> >>>>>> the hostname in the request is relevant, but you are making it a
> >>>>>> *requirement* that the request contains a specific Host header.
> >>>>>>
> >>>>>> IF
> >>>>>>
> >>>>>> you
> >>>>>>
> >>>>>> don't actually need that, why do you have it?
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>> On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <
> >>>>>>
> >>>>>> ch...@christopherschultz.net> wrote:
> >>>>>>
> >>>>>> Ammu,
> >>>>>>
> >>>>>>
> >>>>>> On 4/19/24 08:32, lavanya tech wrote:
> >>>>>>
> >>>>>> Thank you very much. I removed <Host> for example.com as
> >>>>>>
> >>>>>> well
> >>>>>>
> >>>>>> as
> >>>>>>
> >>>>>>
> >>>>>> adding
> >>>>>>
> >>>>>>
> >>>>>> an
> >>>>>>
> >>>>>>
> >>>>>> <Alias> in server.xml
> >>>>>> I copied context.xml file
> >>>>>>
> >>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
> >>>>>>
> >>>>>> Removed < in rewrite.config files.
> >>>>>>
> >>>>>> But still I dont redirect the URL.
> >>>>>>
> >>>>>>
> >>>>>> If you have <Context> in server.xml and also your application
> >>>>>>
> >>>>>> in
> >>>>>>
> >>>>>> the
> >>>>>>
> >>>>>> webapps/ directory, then you will be double-deploying your
> >>>>>>
> >>>>>> application.
> >>>>>>
> >>>>>>
> >>>>>> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
> >>>>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are
> >>>>>> important)
> >>>>>> and remove the <Context> element from your server.xml.
> >>>>>>
> >>>>>> Then start your server and read the logs.
> >>>>>>
> >>>>>> nslookup alias.example.com gives -->
> >>>>>> Non-authoritative answer:
> >>>>>> Name:     www.example.com
> >>>>>> Address:  192.168.200.10
> >>>>>> Aliases:  alias.example.com
> >>>>>>
> >>>>>>
> >>>>>> Just to give some information here, www.example.com has alias
> >>>>>> "alias.example.com"
> >>>>>> But https://www.example.com:7777/example --> works fine without issues but
> >>>>>> the alias does not work (https://alias.example.com)
> >>>>>> So I am not sure if the redirect url helps or if it's correct
> >>>>>>
> >>>>>>
> >>>>>> Your rewrite configuration says that you have to be using host
> >>>>>> "example.com" but your request goes to www.example.com. Your
> >>>>>> configuration should only redirect a request such as:
> >>>>>>
> >>>>>> $ curl -v http://example.com:7777/something
> >>>>>>
> >>>>>> HTTP/1.1 301 Moved Permanently
> >>>>>> ...
> >>>>>> Location: https://www.example.com:7777/example
> >>>>>>
> >>>>>> If you make a request like:
> >>>>>>
> >>>>>> $ curl -v http://www.example.com:7777/something
> >>>>>>
> >>>>>> I wouldn't expect a redirect because of your "host" condition. The
> >>>>>> "%{HTTP_HOST} example.com" looks at the entire Host header and not just
> >>>>>> anything that ends in "example.com". You'd have to use a glob/regex if
> >>>>>> you wanted to check for [anything and maybe nothing.] example.com.
> >>>>>>
> >>>>>> You'd also have to make sure that your application is serving responses
> >>>>>> to requests to / which is why I'm recommending you use the ROOT web
> >>>>>> application name instead of "towl".
> >>>>>>
> >>>>>> -chris
> >>>>>>
> >>>>>> On Fri, Apr 19, 2024 at 1:21 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> >>>>>>
> >>>>>> Ammu,
> >>>>>>
> >>>>>> On 4/18/24 09:34, lavanya tech wrote:
> >>>>>>
> >>>>>> I am attaching server.xml and context.xml and rewrite.config files.
> >>>>>>
> >>>>>> The paths are
> >>>>>>
> >>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/context.xml
> >>>>>> <Context>
> >>>>>>     <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
> >>>>>>     <!-- Other context configuration -->
> >>>>>> </Context>
> >>>>>>
> >>>>>>
> >>>>>> This file ^^^ is in the wrong place. It should be in
> >>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
> >>>>>>
> >>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl/WEB-INF/rewrite.config
> >>>>>>
> >>>>>> <RewriteCond %{HTTP_HOST} example.com [NC]
> >>>>>> <RewriteRule ^/(.*)$ https://www.example.com:7777/example [R=301,L]
> >>>>>>
> >>>>>> Why do you have < symbols at the beginning of these lines?
> >>>>>>
> >>>>>> server.xml
> >>>>>>
> >>>>>>     > [...]
> >>>>>>
> >>>>>>     <Host name="example.com" appBase="webapps" unpackWARs="true"
> >>>>>>           autoDeploy="true">
> >>>>>>         <Context path="" docBase="towl" />
> >>>>>>
> >>>>>> It's best not to define any <Context> in server.xml. I would remove
> >>>>>> this <Context> entirely and allow Tomcat to auto-deploy from your
> >>>>>> webapps/towl directory. If you need this application to be deployed as
> >>>>>> the ROOT context (on / and not /towl) then you should re-name
> >>>>>> /git/app/apache-tomcat-10.1.11/webapps/towl to
> >>>>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT
> >>>>>>
> >>>>>> You also don't need a <Host> for example.com as well as adding an
> >>>>>> <Alias> for the same domain (though this is probably to anonymize the
> >>>>>>
> >>>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
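
An added example, not part of the thread and not Tomcat project code. It assumes the layout Chris recommends above: the application deployed as webapps/ROOT, the RewriteValve declared in ROOT/META-INF/context.xml, and the rules in ROOT/WEB-INF/rewrite.config. It prints a rewrite.config whose RewriteCond describes the whole Host header value (optional subdomain, the domain, optional ":port"), which is the point Chris makes about "%{HTTP_HOST} example.com" being matched against the entire header, and then checks which Host values that pattern accepts. The hostnames, port 7777 and the target URL are the thread's anonymised placeholders; the regex and the helper function names (host_matches, print_rewrite_config, check_redirect) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: app in webapps/ROOT,
# RewriteValve in ROOT/META-INF/context.xml, rules in ROOT/WEB-INF/rewrite.config.
# Hostnames, the port and the target URL are the thread's anonymised placeholders.

# Regex for the whole Host header value: an optional single-label subdomain,
# the domain itself, and an optional ":port" (the raw header carries the port
# when it is not the scheme default, e.g. "www.example.com:7777").
HOST_PATTERN='^([a-z0-9-]+\.)?example\.com(:[0-9]+)?$'

# Emit the rewrite.config. [NC] makes the condition case-insensitive;
# [R=301,L] sends a permanent redirect and stops processing further rules.
print_rewrite_config() {
    cat <<EOF
RewriteCond %{HTTP_HOST} ${HOST_PATTERN} [NC]
RewriteRule ^/(.*)\$ https://www.example.com:7777/example [R=301,L]
EOF
}

# Return 0 when HOST satisfies the condition above, 1 otherwise. grep -Ei
# applies the same anchored, case-insensitive match as the [NC] condition.
host_matches() {
    printf '%s\n' "$1" | grep -Eiq "$HOST_PATTERN"
}

# Live check once deployed (needs the running server, so nothing here calls it).
# Chris's expectation in the thread: "HTTP/1.1 301 Moved Permanently" with
# "Location: https://www.example.com:7777/example".
check_redirect() {
    curl -sS -o /dev/null -D - "$1"
}

# Stand-alone run: show the config and classify a few constructed Host values.
print_rewrite_config
for h in example.com www.example.com:7777 ALIAS.EXAMPLE.COM \
         example.com.evil.test notexample.com; do
    if host_matches "$h"; then echo "match:    $h"; else echo "no match: $h"; fi
done
```

The two negative cases matter: "example.com.evil.test" and "notexample.com" both contain the string "example.com", and a condition that only has to find that substring somewhere in the header would accept them; the anchored pattern rejects them and accepts only the host, its subdomains and an optional port.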
