James,
On 1/7/20 12:28 PM, James H. H. Lampert wrote:
> On 1/7/20 7:32 AM, Christopher Schultz wrote:
>> Hah, sorry about that. Nobody thought of specifying that only
>> root can view the iptables stuff. :)
>
> Not your fault, nor that of anybody else here; I blame the author
> of iptables and iptables-save: it should either (a) allow *anybody*
> to *see* the information, or (b) *tell* the user that he/she is
> not authorized to see it.
>
> While I occasionally use "quiet failure" myself, when writing code
> to protect database fields from unauthorized modification, I
> generally do so only when it actually makes sense, and the user can
> actually *see* that his or her attempt to change the value(s) was
> quietly ignored.
>
> ***
>
> But I'm still puzzled about the "output redirect" specified in the
> presentation, but absent from this installation (and yet it still
> works just fine).

iptables doesn't work on pipes, it works on packets. So you have to
redirect both incoming AND outgoing packets. That's why you have the
"output redirect" as well as the (more obvious) "input redirect".

> Does the "proxyPort" clause on the connector have something to do
> with it "working just fine" without the "output redirect"?

The proxyPort is just a configuration option which overrides the port
that will be used when Tomcat is building URLs that point back to
itself (e.g. Location: for redirects). If Tomcat is listening on port
8443, then, obviously, port 8443 should be used. But if there is a
reverse-proxy in the way (or some other hand-wavy magic like iptables),
then you want to use the port that the CLIENT needs to use to get back
to you, regardless of the actual port being bound to by Tomcat.

It's just like setting the virtual host hostname: you can't just take
over "microsoft.com" by setting your <VirtualHost>'s hostname to
"microsoft.com". But if you don't do that, your users might be sent to
"node-1-6-2-4-6-32-34.binhost.net" which isn't quite what you want.
-chris
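An added example, not from this thread or from the Tomcat project: the two iptables REDIRECT rules Chris describes (PREROUTING for packets from other hosts, OUTPUT for packets the host generates itself) next to a Connector that sets proxyPort so self-referential URLs carry the client-facing port. It assumes Tomcat listens on 8080/8443 and prints the rules for review unless run with --apply as root.

```shell
#!/bin/sh
# Added example: privileged-port redirect to Tomcat plus the matching proxyPort.
# Assumed listener ports (adjust to the installation).
HTTP_PORT=8080
HTTPS_PORT=8443

# Emit the rules as text so they can be reviewed (and tested) before being
# applied; REDIRECT lives in the nat table and uses --to-ports.
render_redirect_rules() {
  from=$1; to=$2
  # Packets arriving from other hosts traverse nat PREROUTING ("input redirect").
  echo "iptables -t nat -A PREROUTING -p tcp --dport $from -j REDIRECT --to-ports $to"
  # Packets generated on this host (curl on localhost, Tomcat calling itself)
  # never see PREROUTING; they traverse nat OUTPUT instead ("output redirect").
  # "-o lo" limits the rule to traffic addressed to the host itself, so the
  # host's own outbound HTTPS connections to other servers are left alone.
  echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to"
}

# proxyPort tells Tomcat which port the client used, so Location: headers on
# redirects say :443 rather than the bound :8443.
render_connector() {
  cat <<EOF
<Connector port="$HTTPS_PORT" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           proxyPort="443" />
EOF
}

if [ "${1:-}" = "--apply" ]; then
  # Requires root; applies the rules for both the plain and TLS listeners.
  render_redirect_rules 80 "$HTTP_PORT" | sh
  render_redirect_rules 443 "$HTTPS_PORT" | sh
else
  render_redirect_rules 80 "$HTTP_PORT"
  render_redirect_rules 443 "$HTTPS_PORT"
  render_connector
fi
```

Check the rules afterwards with `iptables -t nat -L -n` as root; as the earlier part of the thread notes, an unprivileged user gets an empty listing rather than an error.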