Re: [External] Re: Supporting Proxy Protocol in Tomcat

[Christopher Schultz]

Amit,

On 5/10/23 12:59, Amit Pande wrote:

Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
 which supports the proxy protocol.

Since there is not much action on this 
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830, does it imply that most 
of the times Tomcat is running behind HTTP proxies and not TCP proxies?
Or does it mean that, Tomcat or applications running in Tomcat does not need 
the remote client address information?


I can't speak for anybody else, but I use Apache httpd as my 
reverse-proxy and I do terminate TLS. I also use it for 
load-balancing/fail-over, caching, some authorization, etc. I wouldn't 
be able to use a TCP load-balancer because I hide multiple services 
behind my reverse-proxy which run in different places. It's not just s 
dumb pass-through.


Hope that helps,
-chris


-Original Message-
From: Christopher Schultz 
Sent: Monday, May 8, 2023 3:40 PM
To: users@tomcat.apache.org
Subject: [External] Re: Supporting Proxy Protocol in Tomcat

Amit,

On 5/4/23 16:07, Amit Pande wrote:

We have a similar requirement as mentioned in the below enhancement request.

https://bz.a/
pache.org%2Fbugzilla%2Fshow_bug.cgi%3Fid%3D57830&data=05%7C01%7CAmit.P
ande%40veritas.com%7Cab789327b86845e8ad7208db50046f55%7Cfc8e13c0422c4c
55b3eaca318e6cac32%7C0%7C0%7C638191752206669206%7CUnknown%7CTWFpbGZsb3
d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7
C3000%7C%7C%7C&sdata=6TXyKzlyjY3AIi6zQMFn2j9BhtwYo6Jkrd1V3nOl4mY%3D&re
served=0

Is there any plan to add this support in Tomcat in future releases?


Nothing at the moment that I know of.

I thought that markt had looked at this a while back and said it didn't look 
too difficult. It does require Tomcat to handle the stream directly and not 
just rely on Java's SSLServerSocket. I thought that had been done at some 
point, but it may not have. Handling the stream directly may have some other 
advantages as well, though it definitely makes the code more complicated.


Also, since this was requested long time back and there is no update,
are there any other alternatives to pass the client information from
load balancer to Tomcat in situations where there is no SSL
termination at load balancer?

You mean like a network load balancer where the lb is just proxying bytes and 
not looking at the data at all? The PROXY protocol really is the best way to do 
that, honestly.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Setting service parameters not work in Tomcat 8.5.85+

[Gilles Maurice]

Hello,

Our product currently uses Tomcat 8.5.83. We wanted to upgrade to Tomcat 8.5.88 
but our product fails to start up with this version.

>From my research I was able to determine the following facts:
- Upgrade to 8.5.84 works fine
- Upgrade to 8.5.85+ fails
- Our product uses "tomcat8.exe //US/vlm" to update the service parameters (vlm 
is the internal name of our product)
- with 8.5.85, calling the following command works fine: tomcat8.exe //US/vlm 
--Description myDescription
- setting java parameters don't work however, for example this command fails: 
tomcat8.exe //US/vlm --JvmMs 128
- when running the command above, tomcat8.exe does not display an error but the 
service is not updated
- the documentation at 
https://tomcat.apache.org/tomcat-8.5-doc/windows-service-howto.html indicates 
that the java update parameters are not set when in exe mode but ours is in jvm 
mode. For example, the following command will not set the JvmMs value: 
tomcat8.exe //US/vlm --Jvm auto --StartMode jvm --StopMode jvm --JvmMs 128

Does anyone have any info on how to get around this?
Otherwise, can someone direct me to the source code for tomcat8.exe so I can 
see if I can find the cause of this issue myself?

Thank-you,

Gilles Maurice

Software Designer

gilles.maur...@snowsoftware.com



[cid:f79d4ed5-1f86-4f32-b4e2-4badac630540]
Snow Software | 515 Legget Dr #300, Kanata, ON K2K 3G4
www.snowsoftware.com

RE: [External] Re: Supporting Proxy Protocol in Tomcat

[Amit Pande]

Thank you, Chris, for the inputs.

Yes, we intended to have Tomcat run behind a (transparent) TCP proxy e.g.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency
 which supports the proxy protocol.

Since there is not much action on this 
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830, does it imply that most 
of the times Tomcat is running behind HTTP proxies and not TCP proxies?
Or does it mean that, Tomcat or applications running in Tomcat does not need 
the remote client address information?

Thanks,
Amit


-Original Message-
From: Christopher Schultz 
Sent: Monday, May 8, 2023 3:40 PM
To: users@tomcat.apache.org
Subject: [External] Re: Supporting Proxy Protocol in Tomcat

Amit,

On 5/4/23 16:07, Amit Pande wrote:
> We have a similar requirement as mentioned in the below enhancement request.
>
> https://bz.a/
> pache.org%2Fbugzilla%2Fshow_bug.cgi%3Fid%3D57830&data=05%7C01%7CAmit.P
> ande%40veritas.com%7Cab789327b86845e8ad7208db50046f55%7Cfc8e13c0422c4c
> 55b3eaca318e6cac32%7C0%7C0%7C638191752206669206%7CUnknown%7CTWFpbGZsb3
> d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7
> C3000%7C%7C%7C&sdata=6TXyKzlyjY3AIi6zQMFn2j9BhtwYo6Jkrd1V3nOl4mY%3D&re
> served=0
>
> Is there any plan to add this support in Tomcat in future releases?

Nothing at the moment that I know of.

I thought that markt had looked at this a while back and said it didn't look 
too difficult. It does require Tomcat to handle the stream directly and not 
just rely on Java's SSLServerSocket. I thought that had been done at some 
point, but it may not have. Handling the stream directly may have some other 
advantages as well, though it definitely makes the code more complicated.

> Also, since this was requested long time back and there is no update,
> are there any other alternatives to pass the client information from
> load balancer to Tomcat in situations where there is no SSL
> termination at load balancer?
You mean like a network load balancer where the lb is just proxying bytes and 
not looking at the data at all? The PROXY protocol really is the best way to do 
that, honestly.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[ANN] Apache Tomcat 9.0.75 available

[Rémy Maucherat]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.75.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.75 is a bugfix and feature release. The notable
changes compared to 9.0.74 include:

- Many improvements to the json access log valve.

- Deprecate support for the HTTP Connector settings
rejectIllegalHeader and allowHostHeaderMismatch.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Fwd: Call for Presentations, Community Over Code 2023

[Christopher Schultz]

All,

Please see below for the Call for Presentations (CFP) for the upcoming 
Community Over Code (formerly ApacheCon) Conference.


While it's great to hear from committers and PMC members from Tomcat, I 
prefer to see presentations that come from *outside* of that group.


So if you are doing something interesting with Tomcat (or really 
anything else on the list below, or anything semi-related to any ASF 
project), please don't hesitate to submit a proposal. You don't even 
have to write the presentation until you find our if it's been selected, 
so if you just have an idea, feel free to submit it.


Thanks,
-chris

 Forwarded Message 
Subject: Call for Presentations, Community Over Code 2023
Date: Tue, 09 May 2023 14:24:09 -0700
From: Rich Bowen 
Reply-To: plann...@apachecon.com
To: plann...@apachecon.com

(Note: You are receiving this because you are subscribed to the dev@
list for one or more Apache Software Foundation projects.)

The Call for Presentations (CFP) for Community Over Code (formerly
Apachecon) 2023 is open at
https://communityovercode.org/call-for-presentations/, and will close
Thu, 13 Jul 2023 23:59:59 GMT.

The event will be held in Halifax, Canada, October 7-10, 2023.

We welcome submissions on any topic related to the Apache Software
Foundation, Apache projects, or the communities around those projects.
We are specifically looking for presentations in the following
catetegories:

Fintech
Search
Big Data, Storage
Big Data, Compute
Internet of Things
Groovy
Incubator
Community
Data Engineering
Performance Engineering
Geospatial
API/Microservices
Frameworks
Content Wrangling
Tomcat and httpd
Cloud and Runtime
Streaming
Sustainability


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org