Hi Chris,
> <Context path="" docBase="towl" />
If I remove this from the server.xml file, I have the below error.
Message java.lang.NoClassDefFoundError: org/towl/indexer/web/Prefix
Description The server encountered an unexpected condition that prevented
it from fulfilling the request.
Exception
jakarta.servlet.ServletException: java.lang.NoClassDefFoundError:
org/towl/indexer/web/Prefix
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> The "aliasing" will always be weird. IMO it's better to redirect. If you
> change to redirect, does everything *work*, even if you don't like how
> the browser's URL bar displays?
--> I tried, but it did not work.
OK, apart from this topic, we have found one more issue.
Actually, the application team is deploying two applications: one is
towl (which you are already aware of), the other one is towl-app. They have
defined a separate server.xml for both.
Name: server.lbg.com
Address: 192.168.200.120
Aliases: example.lbg.com
Name: server.lbg.com
Address: 192.168.200.120
Aliases: example-app.lbg.com
which means we have two aliases for server.lbg.com. Earlier we were
concentrating only on one, example.lbg.com; now I want to somehow enable
the same access for the other one as well:
https://example-app.lbg.com --> https://server.lbg.com:8444/towl-app
So I created an iptables rule in the same way as before (redirect 443 to 8444),
and I have the URLs working the same as for example.lbg.com.
Both server.xml files are here:
/git/towl/apachetomcat/conf/server.xml
/git/towl-app/apachetomcat/conf/server.xml --> I changed the port of the
connectors and everything
But now when I try to access https://example.lbg.com --> I get the webpage of
https://example-app.lbg.com, and sometimes I get the webpage of
https://example.lbg.com after a refresh, which is weird.
May I know why this is happening? If we fix this, then I am thinking of
disabling the unwanted URLs, leaving the required ones, for example the ones
below. I think that would be easier, rather than redirecting or aliasing -->
because we noticed that the towl application is already pointing with
https://example.lbg.com
https://server.lbg.com:8443
https://example-lbg.com:8443
<https://example.lbg.com/towl>
<https://server.lbg.com/towl>
https://server.lbg.com:8444
https://example-lbg.com:8444
<https://example.lbg.com/towl-app>
<https://server.lbg.com/towl-app>
Kindly suggest a fix.
Thanks once again for your time.
Regards,
Lavanya
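
The `[R=301,L]` rule pair quoted further down in this thread, modelled in Python as an added example (not part of the original message and not Tomcat's code). It follows the redirect chain for a URL and shows two edge cases: `!^/towl` is a prefix test, so `/towl-app` also counts as "already going to /towl", and the host test loops if the value it sees carries a port, as a raw Host header does for a non-default port. `STRICT_RULES` and the `host_with_port` switch are hypothetical; query strings are ignored.

```python
import re
from urllib.parse import urlsplit

# Rules transcribed from the rewrite.config quoted in this thread
# ([R=301,L] variant). Tuple layout is an assumption of this model:
# (variable tested by RewriteCond, cond regex, rule pattern, substitution).
# Both conditions on the page are negated ("!"), so the model hard-codes that.
PAGE_RULES = [
    ("HTTP_HOST", r"^server\.lbg\.com$", r"^/(.*)",
     "https://server.lbg.com:8443/$1"),
    ("REQUEST_URI", r"^/towl", r"^/(.*)",
     "https://server.lbg.com:8443/towl/$1"),
]

# Hypothetical variant, not from the thread: the host test tolerates an
# optional port, and the path test accepts /towl only as a whole segment.
STRICT_RULES = [
    ("HTTP_HOST", r"^server\.lbg\.com(:\d+)?$", r"^/(.*)",
     "https://server.lbg.com:8443/$1"),
    ("REQUEST_URI", r"^/towl(/|$)", r"^/(.*)",
     "https://server.lbg.com:8443/towl/$1"),
]


def evaluate(url, rules, host_with_port=False):
    """Return the 301 target produced by the first rule that fires, or None."""
    parts = urlsplit(url)
    variables = {
        # host_with_port=True models a condition that sees "host:port".
        "HTTP_HOST": parts.netloc if host_with_port else parts.hostname,
        "REQUEST_URI": parts.path or "/",
    }
    for variable, cond, pattern, substitution in rules:
        if re.search(cond, variables[variable]):
            continue  # negated condition: a regex hit means "do not rewrite"
        match = re.search(pattern, variables["REQUEST_URI"])
        if match:
            return substitution.replace("$1", match.group(1))
    return None


def follow(url, rules, host_with_port=False, limit=5):
    """Follow redirects until no rule fires. Returns (chain, looped)."""
    chain = [url]
    for _ in range(limit):
        target = evaluate(chain[-1], rules, host_with_port)
        if target is None:
            return chain, False
        chain.append(target)
        if target in chain[:-1]:
            return chain, True  # redirected to a URL already visited
    return chain, True


if __name__ == "__main__":
    # Constructed sample requests using the hostnames from the thread.
    samples = [
        ("https://example.lbg.com/", PAGE_RULES, False),
        ("https://example.lbg.com/towl/index.jsp", PAGE_RULES, False),
        ("https://server.lbg.com:8443/towl-app/login", PAGE_RULES, False),
        ("https://server.lbg.com:8443/towl-app/login", STRICT_RULES, False),
        ("https://server.lbg.com:8443/towl/", PAGE_RULES, True),
        ("https://server.lbg.com:8443/towl/", STRICT_RULES, True),
    ]
    for url, rules, with_port in samples:
        chain, looped = follow(url, rules, with_port)
        label = "LOOP" if looped else "ok"
        print(f"[{label}] " + " -> ".join(chain))
```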
On Wed, May 15, 2024 at 2:16 PM Christopher Schultz <[email protected]> wrote:
> Lavanya,
>
> On 5/15/24 04:43, lavanya tech wrote:
> > Thought to write to you privately regarding the Tomcat URL redirection, as
> > the mail chain is getting bigger and bigger
>
> It's better to post to the list, so anyone in your situation can learn
> from it.
>
> > Let me know if it's fine for you, and here is what I did.
> >
> > 1) <Host name="localhost" appBase="webapps" unpackWARs="true"
> > autoDeploy="true">
> > <Context path="" docBase="towl" />
>
> Don't do this. Just put towl.war into webapps/ and let it auto-deploy.
> What you are doing here is double-deploying your "towl" application:
> once as "" (ROOT) and once as "/towl". Remove this from server.xml.
>
> > <!-- Rewrite Valve configuration -->
> > <Valve
> > className="org.apache.catalina.valves.rewrite.RewriteValve" />
>
> Okay.
>
> > 2) I have towl application and towl.war under webapps directory
> > 3) added proxy port and proxyname to connector
> >
> > <Connector port="8443"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" SSLEnabled="true"
> > proxyPort="8443" proxyName="server.lbg.com">
> > <UpgradeProtocol
> > className="org.apache.coyote.http2.Http2Protocol" />
> > <SSLHostConfig>
> > <Certificate certificateKeystoreFile="/path/to/keystore"
> > certificateKeystorePassword="pass"
> > type="RSA" />
> > </SSLHostConfig>
> > </Connector>
>
> Okay.
>
> > 4) added rewrite.config under conf directory
> > > # Redirect everything that is not server.lbg.com to
> > > # server.lbg.com. Don't worry about /towl yet.
> > > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> > > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [L]
> > >
> > > # Redirect anything that isn't already going to /towl
> > > # to go to /towl
> > > RewriteCond %{REQUEST_URI} !^/towl
> > > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [L]
> >
> > 5) restarted tomcat
> > 6) can access all the urls https://server.lbg.com:8443,
> > https://server.lbg.com, https://server.lbg.com:8443/towl,
> > https://server.lbg.com/towl
> > https://example.lbg.com:8443,
> > https://example.lbg.com,
> > https://example.lbg.com:8443/towl,
> > https://example.lbg.com/towl
> >
> > Unfortunately aliasing still does not work https://example.lbg.com
> > --> https://server.lbg.com:8443/towl and many urls works
>
> The "aliasing" will always be weird. IMO it's better to redirect. If you
> change to redirect, does everything *work*, even if you don't like how
> the browser's URL bar displays?
>
> -chris
>
> > On Tue, May 14, 2024 at 11:38 PM Christopher Schultz
> > <[email protected]> wrote:
> >
> > Lavanya,
> >
> > On 5/14/24 15:11, lavanya tech wrote:
> > > You are right. We need aliasing here which means the URL in the browser
> > > does not change.
> > > May I know where should I put the below rewrite files ?
> > >
> > > # Redirect everything that is not server.lbg.com to
> > > # server.lbg.com. Don't worry about /towl yet.
> > > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> > > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]
> > >
> > > # Redirect anything that isn't already going to /towl
> > > # to go to /towl
> > > RewriteCond %{REQUEST_URI} !^/towl
> > > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]
> >
> > AIUI, you can put all of the above in conf/rewrite.config and configure
> > the <Valve> under your <Host> just as you had it before.
> >
> > If you want aliasing and not redirection, then you don't want the [R]
> > flag. IMO, you should really do a redirect. If you don't, then the
> > application and the browser disagree about the base URL and all kinds of
> > things like that.
> >
> > -chris
> >
> > > On Tuesday, May 14, 2024, Christopher Schultz <[email protected]>
> > > wrote:
> > >
> > >> Lavanya,
> > >>
> > >> On 5/14/24 09:12, lavanya tech wrote:
> > >>
> > >>> IMHO removing the port number is always the preferred solution
> > — I never
> > >>>> did it
> > >>>>
> > >>>>
> > >>>>> can we achieve this with tomcat or do we need to set up a reverse proxy
> > >>>>> here.
> > >>>>>
> > >>>>>
> > >>>> Your application uses whatever internal URLs it wants. Are you building
> > >>>> those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If
> > >>>> it's Tomcat, this is where the proxyName and proxyPort come in.
> > >>>>
> > >>>
> > >>> - Yes, I have not built these URLs before. It was working from the very
> > >>> beginning. As I mentioned, we are not able to reach the goal or whatever.
> > >>>
> > >>> Rather than saying redirection, I would say it’s aliasing.
> > >>>
> > >>
> > >> Please be specific. "Aliasing" (to me) means "the URL goes to the right
> > >> place but doesn't change in the browser's URL" and "redirection" (to
> > >> everybody) means "HTTP 301 or 302 response to a new URL".
> > >>
> > >>> Instead of moving applications or changing tomcat configuration it’s easier
> > >>> to achieve with reverse proxy?
> > >>>
> > >>> https://example.lbg.com/ to https://server.lbg.com:8443/towl
> > >>>
> > >>
> > >> This will be a nightmare. Do not try to rewrite URLs using a reverse
> > >> proxy. You should redirect users to the right place if necessary. You can
> > >> use a reverse-proxy if you want, but it won't be any less complicated than
> > >> having Tomcat do it.
> > >>
> > >> I think your rewrite.config file just needs a few tweaks:
> > >>
> > >> # Redirect everything that is not server.lbg.com to
> > >> # server.lbg.com. Don't worry about /towl yet.
> > >> RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> > >> RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]
> > >>
> > >> # Redirect anything that isn't already going to /towl
> > >> # to go to /towl
> > >> RewriteCond %{REQUEST_URI} !^/towl
> > >> RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]
> > >>
> > >> The application should be deployed as towl.war (or towl/ directory). You
> > >> should listen on ports 80, 443, and 8443, and you should always end up at
> > >> the right place. You should have proxyPort="8443" and
> > >> proxyName="server.lbg.com" in your <Connector>.
> > >>
> > >> You will not need a ROOT context, since the rewrite will take care of that
> > >> for you.
> > >>
> > >> -chris
> > >>
> > >> On Mon, May 13, 2024 at 10:17 PM lavanya tech <[email protected]>
> > >>>> wrote:
> > >>>>
> > >>>> Hi Chris,
> > >>>>
> > >>>> Sorry if I did confuse. It’s important that
> > >>>> https://server.lbg.com:8443/towl is always working. Goal is not to
> > >>>> disable /towl, but just redirect or aliasing
> > >>>>
> > >>>> https://example.lbg.com/ to https://server.lbg.com:8443/towl
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> Thanks,
> > >>>> Lavanya
> > >>>>
> > >>>> On Monday, May 13, 2024, Christopher Schultz <[email protected]>
> > >>>> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>> On 5/13/24 05:57, lavanya tech wrote:
> > >>>>
> > >>>> Somehow made it work; now I can only access the URLs as you mentioned before,
> > >>>> https://example.lbg.com and https://server.lbg.com, with port 8443 and
> > >>>> without.
> > >>>>
> > >>>> https://example.lbg.com/towl and https://server.lbg.com/towl --> I
> > >>>> have an error now: File not found.
> > >>>>
> > >>>> So I think we need to make https://example.lbg.com/ to
> > >>>> https://server.lbg.com/towl work
> > >>>>
> > >>>>
> > >>>> I'm sorry, I'm still confused as to which way you want things.
> > >>>>
> > >>>> Do you want to redirect /towl -> / or do you want to redirect / ->
> > >>>> /towl?
> > >>>>
> > >>>> Or does it depend upon the hostname? It would really be better if you
> > >>>> could settle on one specific behavior.
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Mon, May 13, 2024 at 9:41 AM lavanya tech <[email protected]>
> > >>>> wrote:
> > >>>>
> > >>>> Hi Chris,
> > >>>>
> > >>>>
> > >>>> Where are you defining the RewriteValve itself?
> > >>>>
> > >>>> Defined rewritevalve here
> > >>>> <Host name="localhost" appBase="webapps"
> > >>>> unpackWARs="true" autoDeploy="true">
> > >>>>
> > >>>> <Valve
> > >>>> className="org.apache.catalina.valves.rewrite.RewriteValve" />
> > >>>> resource="conf/rewrite.config" />
> > >>>>
> > >>>> 2) Created rewrite.config and added as below under conf/
> > >>>>
> > >>>> RewriteCond %{REQUEST_URI} ^/towl/(.*)
> > >>>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
> > >>>>
> > >>>> 3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml (I
> > >>>> already have this mapping /* in the web.xml file)
> > >>>>
> > >>>> <security-constraint>
> > >>>> <web-resource-collection>
> > >>>> <web-resource-name>Logging Area</web-resource-name>
> > >>>> <description>
> > >>>> Authentication for registered users.
> > >>>> </description>
> > >>>> <url-pattern>/*</url-pattern>
> > >>>> <url-pattern>/api/v1/search</url-pattern> <!-- protect search endpoint whitelisted above -->
> > >>>> <url-pattern>/api/v1/suggest/*</url-pattern> <!-- protect suggest endpoint whitelisted above -->
> > >>>> </web-resource-collection>
> > >>>> <auth-constraint>
> > >>>> <role-name>LDAP_USER</role-name>
> > >>>> <role-name>api</role-name>
> > >>>> </auth-constraint>
> > >>>> </security-constraint>
> > >>>>
> > >>>> 4) Restarted Tomcat. Then I cannot access
> > >>>> https://server.lbg.com:8443/towl
> > >>>> --> Have below error
> > >>>>
> > >>>> Message java.nio.file.NoSuchFileException:
> > >>>> /git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar
> > >>>>
> > >>>> Description The server encountered an unexpected condition that
> > >>>> prevented
> > >>>> it from fulfilling the request.
> > >>>>
> > >>>> 5) Also https://example.lbg.com does not work anymore
> > >>>>
> > >>>> Before you do anything with redirecting, can you just make sure you are
> > >>>> only deploying ROOT.war and nothing else?
> > >>>> How can I do that? I already changed towl.war to ROOT.war
> > >>>>
> > >>>> But still both the urls have error as mentioned above.
> > >>>>
> > >>>>
> > >>>> So I reverted back the changes.
> > >>>> That's weird. Try stopping, deleting the work/ directory and restarting.
> > >>>> --> I have this weird behavior for some reason, though index.jsp is
> > >>>> located
> > >>>> no changes were made to file. After deleting cookies url works
> > >>>>
> > >>>> Where am I going wrong?
> > >>>>
> > >>>> Thanks,
> > >>>> Lavanya
> > >>>>
> > >>>>
> > >>>> On Fri, May 10, 2024 at 6:50 PM Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>>
> > >>>> On 5/10/24 04:37, lavanya tech wrote:
> > >>>>
> > >>>> I tried the below and have the issues.
> > >>>>
> > >>>> 1) proxyPort="443" and proxyName="example.lbg.com" to the connector
> > >>>> 2) renamed towl.war to ROOT.war
> > >>>> 3) created rewrite.config and added as below under conf/
> > >>>>
> > >>>>
> > >>>> Where are you defining the RewriteValve itself?
> > >>>>
> > >>>> RewriteCond %{REQUEST_URI} ^/towl/(.*)
> > >>>>
> > >>>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
> > >>>>
> > >>>>
> > >>>> If this is being handled by the ROOT servlet then I think it's right.
> > >>>>
> > >>>> 4) added this in web.xml file of /webapps/towl/web.xml/
> > >>>>
> > >>>>
> > >>>> <!-- Servlet mappings -->
> > >>>> <!-- Add your existing servlet mappings here -->
> > >>>>
> > >>>> <!-- Security constraint to restrict access to /towl path -->
> > >>>> <security-constraint>
> > >>>> <web-resource-collection>
> > >>>> <web-resource-name>Restricted Access to /towl</web-resource-name>
> > >>>> <url-pattern>/towl/*</url-pattern>
> > >>>>
> > >>>>
> > >>>> No, this is wrong. Since this is the "towl" application and not ROOT,
> > >>>> you want to map /* and not /towl/* because the application will never
> > >>>> see the /towl/ as it's an application/context prefix that Tomcat will
> > >>>> remove.
> > >>>>
> > >>>> </web-resource-collection>
> > >>>>
> > >>>> <auth-constraint>
> > >>>> <!-- Deny access to all roles -->
> > >>>> </auth-constraint>
> > >>>> </security-constraint>
> > >>>>
> > >>>> Also I noticed that even if I rename the towl application to ROOT, when I
> > >>>> call the url with https://example.lbg.com/towl --> this towl directory is
> > >>>> getting created under webapps by default
> > >>>>
> > >>>>
> > >>>> If webapps/towl is being created, then it's happening for some other
> > >>>> reason. Do you have anything under conf/Catalina/*/towl.xml which points
> > >>>> to a WAR file or something? If so, remove that.
> > >>>>
> > >>>> 5) Restarted tomcat and I have the below error and all the urls have the
> > >>>> same issue
> > >>>>
> > >>>> Message org.apache.jasper.JasperException:
> > >>>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
> > >>>>
> > >>>>
> > >>>> That's weird. Try stopping, deleting the work/ directory and
> > >>>> restarting.
> > >>>>
> > >>>> Description The server encountered an unexpected condition that prevented
> > >>>> it from fulfilling the request.
> > >>>>
> > >>>> Exception
> > >>>>
> > >>>> org.apache.jasper.JasperException: org.apache.jasper.JasperException:
> > >>>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
> > >>>> org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:578)
> > >>>> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
> > >>>> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
> > >>>> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
> > >>>> jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> > >>>> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> > >>>>
> > >>>>
> > >>>> Before you do anything with redirecting, can you just make sure you are
> > >>>> only deploying ROOT.war and nothing else?
> > >>>>
> > >>>> This should allow you to reach the application at both
> > >>>> https://example.lbg.com/ and https://server.lbg.com/ as well as both of
> > >>>> those with port 8443.
> > >>>>
> > >>>> Then use the applications and make sure they are working as expected.
> > >>>> Then, we'll add the /towl handling.
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>>
> > >>>> On 5/9/24 13:48, lavanya tech wrote:
> > >>>>
> > >>>> Thank you so much for your explanation. I will try these options.
> > >>>>
> > >>>> Do server and example both resolve to the same IP?
> > >>>> -yes
> > >>>>
> > >>>>
> > >>>> Good, that significantly reduces the complexity required, since you can
> > >>>> do it with a single process (Tomcat) in a single environment.
> > >>>>
> > >>>> So I need to follow both 4a/b and 5a/b steps here or any of them?
> > >>>>
> > >>>>
> > >>>> If I set up exactly by using the below steps, then I should access both the
> > >>>> urls, right? https://server.lbg.com:8443/towl and
> > >>>> https://example.lbg.com
> > >>>>
> > >>>> If you visit either hostname with /towl, you will be redirected to
> > >>>> example.lbg.com/ with no port number. example:8443 will still work and
> > >>>> no redirect will take place... unless you specifically make arrangements
> > >>>> for that. We can do that later if you really want to.
> > >>>>
> > >>>>
> > >>>> Let's get the other things working, first.
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Thursday, May 9, 2024, Christopher Schultz <[email protected]>
> > >>>> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>>
> > >>>> On 5/9/24 02:58, lavanya tech wrote:
> > >>>>
> > >>>> Just giving the background of this topic again.
> > >>>>
> > >>>>
> > >>>> 1) The application team who is working, they wanted to access the url
> > >>>> https://server.lbg.com:8443/towl —> which should redirect or point to
> > >>>> https://example.lbg.com
> > >>>>
> > >>>>
> > >>>> Is that a typo? You want specifically https://server.lbg.com/towl and
> > >>>> https://example.lbg.com/ to point to your application?
> > >>>>
> > >>>> — It’s not a typo; the requirements are still the same.
> > >>>>
> > >>>>
> > >>>> Okay.
> > >>>>
> > >>>> Do server and example both resolve to the same IP?
> > >>>>
> > >>>> 2) Hence I added a firewall rule to redirect port 443 to 8443. And the url
> > >>>> https://example.lbg.com started working but it's pointing to
> > >>>> https://server.lbg.com:8443 indeed and not
> > >>>> https://server.lbg.com:8443/towl
> > >>>>
> > >>>>
> > >>>> But then they wanted the point 1 to have it. If I understood correctly. So
> > >>>> basically to achieve this we wanted a reverse proxy setup?
> > >>>>
> > >>>>
> > >>>> I did not define any additional host in the server.xml file; I just left it
> > >>>> to default to localhost.
> > >>>>
> > >>>>
> > >>>>
> > >>>> Here's what you have to do in order to support this odd configuration.
> > >>>>
> > >>>> 1. Configure your firewall to route port 443 -> 8443. I suspect this is
> > >>>> already done.
> > >>>>
> > >>>> 2. Deploy Tomcat on server.lbg.com with a <Connector> on port 8443. This
> > >>>> is the default, so there shouldn't be anything to do. I suspect this is
> > >>>> already done. You should set proxyPort="443" and
> > >>>> proxyName="example.lbg.com" in your <Connector>. This will ensure that any
> > >>>> URLs generated by Tomcat or your application will point to
> > >>>> https://example.lbg.com/ and not to server.lbg.com or have a port number
> > >>>> or whatever.
> > >>>>
> > >>>> 3. Re-name your application directory or WAR file from towl -> ROOT (upper
> > >>>> case is important). So if you have tomcat/webapps/towl re-name that to
> > >>>> tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name that
> > >>>> to tomcat/webapps/ROOT.war.
> > >>>>
> > >>>> The last thing to do is get /towl to re-direct to /. There are a few ways
> > >>>> of doing that.
> > >>>>
> > >>>> 4a. Configure your application (now called ROOT and deployed on / and not
> > >>>> /towl anymore) to handle the /towl URL and specifically redirect this back
> > >>>> to /. This is oddly specific and has the application trying to redirect to
> > >>>> itself which is weird.
> > >>>>
> > >>>> 4b. Create a new application called towl or towl.war which will be
> > >>>> deployed on /towl and have THAT redirect to /. I think this is cleaner
> > >>>> because you can call the application anything you'd like and it will still
> > >>>> work. You don't have to match URL patterns yourself, you just re-name the
> > >>>> WAR file if you suddenly want to use /towl2 instead of /towl.
> > >>>>
> > >>>> There are several ways to redirect.
> > >>>>
> > >>>> 5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A few
> > >>>> notes: (1) the (*) means "capture this string" and \1 means "put the string
> > >>>> back". This allows you to redirect /towl/foo/bar to /foo/bar instead of
> > >>>> losing the /foo/bar. This syntax may not be perfect, adapt it to your
> > >>>> needs. (2) Remember that the towl application is deployed on /towl so you
> > >>>> don't want to redirect /towl/foo/bar you only want redirect /foo/bar since
> > >>>> the URL will be relative to the current context (/towl). Got that? Finally,
> > >>>> (3) you need to use a global redirect that does *NOT* redirect back to the
> > >>>> /towl application. Normally, if you redirect to /foo you'll get an
> > >>>> application-relative redirect from something like a rewrite
> > >>>> valve/filter/whatever. Take care to redirect relative to the SERVER and not
> > >>>> to the application.
> > >>>>
> > >>>> 5b. Write your own servlet to do a specific redirect.
> > >>>>
> > >>>> I hope that helps,
> > >>>> -chris
> > >>>>
> > >>>> On Wednesday, May 8, 2024, Christopher Schultz <[email protected]>
> > >>>> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>>
> > >>>> On 5/8/24 06:48, lavanya tech wrote:
> > >>>>
> > >>>> I figured out how I can make it work with 443. Now the URLs are working.
> > >>>> I added iptables route 443 to 8443 and it started working.
> > >>>>
> > >>>> nslookup example.lbg.com
> > >>>>
> > >>>> Non-authoritative answer:
> > >>>> Name: server.lbg.com
> > >>>> Address: 192.168.200.105
> > >>>> Aliases: example.lbg.com
> > >>>>
> > >>>>
> > >>>> I have some application towl running with apache tomcat. I have the below
> > >>>> URLs working.
> > >>>>
> > >>>> https://server.lbg.com:8443/towl
> > >>>> https://server.lbg.com
> > >>>> https://example.lbg.com
> > >>>> https://example.lbg.com/towl
> > >>>>
> > >>>>
> > >>>> Now I want to disable the urls https://example.lbg.com/towl and
> > >>>> https://server.lbg.com and access only the other remaining two.
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> I would *highly* recommend that you pick either /towl or / and not try to
> > >>>> do both, unless you want to deploy the application twice (which is fine,
> > >>>> just deploy towl.war and ROOT.war as copies of each other). If you try to
> > >>>> re-write /towl to / or / to /towl, you'll find you spend the rest of your
> > >>>> days tracking-down edge-cases and "fixing" them -- likely making things
> > >>>> confusing and, probably, worse.
> > >>>>
> > >>>>
> > >>>> In the end our goal is to make sure that the links are not always dead as
> > >>>> soon as the towl is moved to a new machine. Can you please assist me how
> > >>>> to do that?
> > >>>>
> > >>>>
> > >>>> The goal should be that "moving" the application only means changing DNS
> > >>>> and everything else works as expected.
> > >>>>
> > >>>> If you:
> > >>>>
> > >>>> 1. Deploy the application with a single context (e.g. /towl, which I
> > >>>> recommend)
> > >>>>
> > >>>> 2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT
> > >>>> application that does nothing but redirect ; my personal preference)
> > >>>>
> > >>>> 3. Do not define any <Host> other than "localhost" and make it the
> > >>>> default. Do not bother with any <Alias> elements since they are not
> > >>>> necessary.
> > >>>>
> > >>>> Moving the application should only require that you:
> > >>>>
> > >>>> 4. Deploy the same application with the same configuration in the new
> > >>>> location
> > >>>>
> > >>>> 5. Change DNS to point example.lbg.com and server.lbg.com to the new
> > >>>> location of the service
> > >>>>
> > >>>>
> > >>>> Hope that helps,
> > >>>> -chris
> > >>>>
> > >>>> On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>> On 4/30/24 07:10, lavanya tech wrote:
> > >>>>
> > >>>> Can you tell me how to do the below? How should I set up Tomcat in
> > >>>> server.xml?
> > >>>>
> > >>>>
> > >>>> If you want to use port 443 (the default port for HTTPS) then you will
> > >>>> need to change Tomcat to bind to port 443 (if that's allowed on your OS)
> > >>>> or arrange to have port 443 routed to port 8443. You may need additional
> > >>>> configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
> > >>>> generate URLs with ":8443" in them.
> > >>>>
> > >>>>
> > >>>> Looking forward to your reply.
> > >>>>
> > >>>>
> > >>>> If Tomcat is listening on port 8443 then you will need to include that
> > >>>> in your URL, period. If you want to allow URLs without a port number,
> > >>>> you will have to arrange to have something listening on port 443.
> > >>>>
> > >>>> On Windows, Tomcat can listen directly on port 443. On UNIX and
> > >>>> UNIX-like systems, you won't be able to do this without running Tomcat
> > >>>> as root WHICH YOU ABSOLUTELY SHOULD NOT DO.
> > >>>>
> > >>>> There are other ways to get port 443 working, but I'll need to know more
> > >>>> about your environment. The port issue is "easier" than figuring out
> > >>>> whatever is going on with your DNS, aliases, etc. so I would recommend
> > >>>> we fix one thing at a time.
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Mon, Apr 29, 2024 at 2:03 PM lavanya tech <[email protected]>
> > >>>> wrote:
> > >>>>
> > >>>> Hi Chris,
> > >>>>
> > >>>> There are no issues with browser, because I tested with different
> > >>>> browsers and it all works fine. I am sure that there is no issue
> > >>>> with the certificate. Because I was able to establish successful
> > >>>> connections with port 8443, it just does not work without port
> > >>>>
> > >>>> curl https://example.lbg.com/towl
> > >>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
> > >>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
> > >>>>
> > >>>>
> > >>>> If you want to use port 443 (the default port for HTTPS) then you
> > >>>> will need to change Tomcat to bind to port 443 (if that's allowed
> > >>>> on your OS) or arrange to have port 443 routed to port 8443. You
> > >>>> may need additional configuration in Tomcat (specifically:
> > >>>> proxyPort) to avoid having Tomcat generate URLs with ":8443" in
> > >>>> them.
> > >>>>
> > >>>>
> > >>>> <Connector port="443" protocol="HTTP/1.1"
> > >>>> connectionTimeout="20000"
> > >>>> redirectPort="8443"
> > >>>> maxThreads="150"
> > >>>> scheme="https" secure="true" SSLEnabled="true"
> > >>>> keystoreFile="path_to_your_keystore_file"
> > >>>> keystorePass="your_keystore_password"
> > >>>> keystoreType="PKCS12"
> > >>>> clientAuth="false" sslProtocol="TLS"
> > >>>> proxyPort="443"/>
> > >>>>
> > >>>> Should I use connect port like the above ? But you mentioned
> > >>>> before we don't need any configuration changes. Please clarify I
> > >>>> am not able to figure this out and I have this issue many days
> > >>>> pending. How to make it work with port 8443 and without port
> > >>>>
> > >>>> Also I wanted to use weburl with alias name permanently instead
> > >>>> of the hostname. How can I achieve both
> > >>>>
> > >>>>
> > >>>> Thanks,
> > >>>> Lavanya
> > >>>>
> > >>>>
> > >>>> -->
> > >>>>
> > >>>>
> > >>>> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>> On 4/25/24 07:24, lavanya tech wrote:
> > >>>>
> > >>>> Hi Chris,
> > >>>>
> > >>>> One question / doubt:
> > >>>>
> > >>>> As I mentioned earlier, the below URLs are already working in the
> > >>>> browser
> > >>>>
> > >>>> https://server.lbg.com:8443/towl
> > >>>> https://example.lbg.com:8443/towl -> redirect (which means when I
> > >>>> hit in browser) it points to https://server.lbg.com:8443/towl --->
> > >>>> To be frank, even I do not need redirect here, not sure why it
> > >>>> redirects.
> > >>>>
> > >>>> My question is why it's working even though SAN is not registered
> > >>>> with the certificate ? It does not even throw warning in the
> > >>>> browser.
> > >>>>
> > >>>>
> > >>>> I'm not sure. Is it possible you have dismissed this error in the
> > >>>> past and the browser is remembering that? Try this with a
> > >>>> different web browser or maybe with curl from the command-line to
> > >>>> see what happens.
> > >>>>
> > >>>> Why https://server.lbg.com/towl or https://example.lbg.com/towl
> > >>>> --> How it should work with New SAN certificate ?
> > >>>>
> > >>>> You don't need to worry about the port number or application
> > >>>> name, only the hostname is a part of the SAN.
> > >>>>
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech <[email protected]>
> > >>>> wrote:
> > >>>>
> > >>>> Hi Chris,
> > >>>>
> > >>>> Thanks I will request new certificate with SANs and I will try to
> > >>>> fix the things from our end.
> > >>>>
> > >>>> Best Regards,
> > >>>> Lavanya
> > >>>>
> > >>>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>> On 4/24/24 15:39, lavanya tech wrote:
> > >>>>
> > >>>> Local host means the machine i am logged in to server.lbg.com
> > >>>>
> > >>>> You are right, example.lbg.com is CNAME record.
> > >>>>
> > >>>>
> > >>>> Okay, thanks for clearing that up.
> > >>>>
> > >>>> I don't have any SAN configured for the certificate. The
> > >>>> certificate is requested for only server.lbg.com
> > >>>>
> > >>>>
> > >>>> You will never be able to make a secure request to anything other
> > >>>> than server.lbg.com without seeing an error. I highly recommend
> > >>>> adding the other hostname as a SAN to your certificate if you
> > >>>> really want to support this.
> > >>>>
> > >>>> Even if you wanted https://example.lbg.com/whatever to return an
> > >>>> HTTP 302 redirect to https://server.lbg.com/whatever, the user
> > >>>> would see a certificate hostname mismatch error which is ugly.
> > >>>> It's best to make it work without users seeing ugly things.
> > >>>>
> > >>>> So if i just request new certificate with SAN it should work ? If
> > >>>> yes, I will request for it and follow your steps as below
> > >>>> suggested.
> > >>>>
> > >>>>
> > >>>> Yes, it should.
> > >>>>
> > >>>> Should i use CName record or DNS? Does it make difference?
> > >>>>
> > >>>>
> > >>>> CNAME *is* DNS.
> > >>>>
> > >>>> Whenever possible, use hostnames and not IP addresses as SANs.
> > >>>> It's more flexible that way, and users get to see hostnames
> > >>>> instead of IP addresses.
> > >>>>
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Wednesday, April 24, 2024, Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>> On 4/24/24 07:37, lavanya tech wrote:
> > >>>>
> > >>>> Sorry I understood wrongly here with regards to my environment,
> > >>>> Let me start from the beginning. I do not want to use redirect at
> > >>>> all. I simply wanted to force apache tomcat to use both localhost
> > >>>> and dns name of the localhost via url.
> > >>>>
> > >>>>
> > >>>> When you say "force" what do you mean?
> > >>>>
> > >>>> When you say "use both localhost and DNS name" what do you mean?
> > >>>>
> > >>>> When you say "localhost" do you mean 127.0.0.1 or "the machine
> > >>>> I'm logged-into right now"?
> > >>>>
> > >>>> I have DNS resolution as below.
> > >>>>
> > >>>>
> > >>>> server.lbg.com --> localhost
> > >>>>
> > >>>>
> > >>>> Is that a CNAME record?
> > >>>>
> > >>>> nslookup server.lbg.com (localhost)
> > >>>>
> > >>>> Name: server.lbg.com
> > >>>> Address: 192.168.100.20
> > >>>> alias: example.lbg.com
> > >>>>
> > >>>>
> > >>>> That's a weird DNS response. The DNS name "localhost" should
> > >>>> *always* return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't
> > >>>> return 191.168.100.20.
> > >>>>
> > >>>> We have the below urls working:
> > >>>>
> > >>>> https://server.lbg.com:8443/towl
> > >>>> https://example.lbg.com:8443/towl --> redirects to
> > >>>>
> > >>>>
> > >>>> What do you mean "redirect"? Does it return a 30x response that
> > >>>> causes the browser to make a new request to \/
> > >>>>
> > >>>> https://server.lbg.com:8443/towl --> still works --> we have SSL
> > >>>> configured for the same but this SSL certificate does not have
> > >>>> additional DNS setup.
> > >>>>
> > >>>>
> > >>>> What SANs are in your certificate? How many certificates do you
> > >>>> have?
> > >>>>
> > >>>>
> > >>>> But I would need to somehow access https://example.lbg.com -->
> > >>>> which means I would need to access via 443 here ?
> > >>>>
> > >>>>
> > >>>> I'm so confused. What needs to access what?
> > >>>>
> > >>>> I tried adding the below to server.xml as below, but that does
> > >>>> not seem to work.
> > >>>>
> > >>>> <Connector port="80"
> > >>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >>>> connectionTimeout="20000"
> > >>>> redirectPort="443" />
> > >>>>
> > >>>>
> > >>>> This will only redirect (HTTP 302) requests to
> > >>>> http://yourhost/anything to https://yourhost/anything *if the
> > >>>> application specifically requests CONFIDENTIAL transport*. It
> > >>>> doesn't just redirect everything by default. If you want it to
> > >>>> redirect everything, you'll need to set that up e.g. using
> > >>>> RewriteValve. There are other options, too.
> > >>>>
> > >>>> Do i need additional SSL certificate for the
> > >>>> https://example.lbg.com to make it work ?
> > >>>>
> > >>>>
> > >>>> If you don't want your browser to complain, you will need at
> > >>>> least one TLS certificate that contains every Subject Alternative
> > >>>> Name (SAN) for every possible hostname you expect to use with
> > >>>> this service. You can do it with multiple certificates as well,
> > >>>> but a single cert with multiple SANs is less work.
> > >>>>
> > >>>> Do i need to set up an additional web server for this like apache
> > >>>> or nginx for redirecting requests?
> > >>>>
> > >>>>
> > >>>> No.
> > >>>>
> > >>>> Please stop saying "redirect" because it sounds like you almost
> > >>>> never mean "HTTP 30x redirect" and that's confusing everything.
> > >>>>
> > >>>> I *think* you only need the following:
> > >>>>
> > >>>> 1. A TLS certificate with the following SANs:
> > >>>>
> > >>>> * server.lbg.com
> > >>>> * example.lbg.com
> > >>>> * localhost (you shouldn't do this)
> > >>>>
> > >>>> 2. DNS configured for all hostnames:
> > >>>>
> > >>>> * server.lbg.com -> A 192.168.100.20
> > >>>> * example.lgb.com -> A 192.168.100.20
> > >>>>
> > >>>> 3. Tomcat configured with a single <Host> which is the default
> > >>>> virtual host. Note that this is the *default Tomcat
> > >>>> configuration* and doesn't need to be changed from the default.
> > >>>>
> > >>>> 4. Tomcat configured with your certificate like this:
> > >>>>
> > >>>> <Connector ...
> > >>>>     SSLEnabled="true">
> > >>>>   <SSLHostConfig>
> > >>>>     <Certificate
> > >>>>         certificateFile="/path/to/your/cert.crt"
> > >>>>         certificateKeyFile="/path/to/your/key.pem" />
> > >>>>     <!-- You may need certificateKeyPassword in <Certificate> -->
> > >>>>   </SSLHostConfig>
> > >>>> </Connector>
> > >>>>
> > >>>> If your SANs are configured properly, this should allow you to
> > >>>> connect using any of these URLs:
> > >>>>
> > >>>> $ curl https://server.lbg.com/towl/login.jsp
> > >>>> (returns login page)
> > >>>>
> > >>>> $ curl https://example.lbg.com/towl/login.jsp
> > >>>> (returns login page)
> > >>>>
> > >>>> If your application's web.xml contains something like this:
> > >>>>
> > >>>> <security-constraint>
> > >>>>   <web-resource-collection>
> > >>>>     <web-resource-name>theapp</web-resource-name>
> > >>>>     <url-pattern>/*</url-pattern>
> > >>>>   </web-resource-collection>
> > >>>>   <user-data-constraint>
> > >>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >>>>   </user-data-constraint>
> > >>>> </security-constraint>
> > >>>>
> > >>>> ... then these insecure HTTP URLs should redirect your clients:
> > >>>>
> > >>>> $ curl http://server.lbg.com/towl/login.jsp
> > >>>> (returns HTTP 302 redirect to
> > >>>> https://server.lbg.com/towl/login.jsp)
> > >>>>
> > >>>> $ curl https://server.lbg.com/towl/login.jsp
> > >>>> (returns HTTP 302 redirect to
> > >>>> https://example.lbg.com/towl/login.jsp)
> > >>>>
> > >>>>
> > >>>> I don't think you need any use of the RewriteValve unless you
> > >>>> want to handle sending HTTP 302 redirect responses to insecure
> > >>>> requests without specifying the CONFIDENTIAL transport-guarantee
> > >>>> in your application's web.xml file. But I don't see any reason
> > >>>> NOT to have that in there.
> > >>>>
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Lavanya,
> > >>>>
> > >>>>
> > >>>> On 4/22/24 05:21, lavanya tech wrote:
> > >>>>
> > >>>> Could you please explain, what you exactly mean ? So here
> > >>>> redirect is not a solution right ?
> > >>>>
> > >>>>
> > >>>> Redirecting is fine.
> > >>>>
> > >>>> Perhaps you should take a step back and decide: what do you
> > >>>> actually want, here? You might be trying to solve problem X by
> > >>>> applying solution Y, and you've already decided that solution Y
> > >>>> is correct so you are trying to get help with that.
> > >>>>
> > >>>> Perhaps ask for help with Problem X?
> > >>>>
> > >>>> For example, "I don't want users to have to type the name of my
> > >>>> application to reach it so I want example.com/ to go to my
> > >>>> application instead of example.com/myapp/".
> > >>>>
> > >>>> Or, "I have multiple domains and I want all of them to redirect
> > >>>> to the canonical domain example.com and to go to my web
> > >>>> application /myapp so everything goes to example.com/myapp/".
> > >>>>
> > >>>> "You'd have to use a glob/regex if you wanted to check for
> > >>>> [anything and maybe nothing.]example.com."
> > >>>>
> > >>>>
> > >>>> There is nothing in your configuration or question that suggests
> > >>>> that the hostname in the request is relevant, but you are making
> > >>>> it a *requirement* that the request contains a specific Host
> > >>>> header. IF you don't actually need that, why do you have it?
> > >>>>
> > >>>> -chris
> > >>>>
> > >>>> On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <[email protected]> wrote:
> > >>>>
> > >>>> Ammu,
> > >>>>
> > >>>>
> > >>>> On 4/19/24 08:32, lavanya tech wrote:
> > >>>>
> > >>>> Thank you very much. I removed <Host> for example.com as well as
> > >>>> adding an <Alias> in server.xml
> > >>>> I copied context.xml file
> > >>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
> > >>>>
> > >>>> Removed < in rewrite.config files.
> > >>>>
> > >>>> But still I don't redirect the URL.
> > >>>>
> > >>>>
> > >>>> If you have <Context> in server.xml and also your application in
> > >>>> the webapps/ directory, then you will be double-deploying your
> > >>>> application.
> > >>>>
> > >>>> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
> > >>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are
> > >>>> important) and remove the <Context> element from your server.xml.
> > >>>>
> > >>>> Then start your server and read the logs.
> > >>>>
> > >>>> *nslookup alias.example.com gives--> Non-authoritative answer:
> > >>>> Name: www.example.com
> > >>>> Address: 192.168.200.10
> > >>>> Aliases: alias.example.com*
> > >>>>
> > >>>> Just to give some information here, *www.example.com* has alias
> > >>>> *"alias.example.com"*
> > >>>> But https://www.example.com:7777/example --> works fine without
> > >>>> issues but the alias does not work (https://alias.example.com)
> > >>>> So i am not sure if the redirect url helps or if its correct
> > >>>>
> > >>>>
> > >>>> Your rewrite configuration says that you have to be using host
> > >>>> "example.com" but your request goes to www.example.com. Your
> > >>>> configuration should only redirect a request such as:
> > >>>>
> > >>>> $ curl -v http://example.com:7777/something
> > >>>>
> > >>>> HTTP/1.1 301 Moved Permanently
> > >>>> ...
> > >>>> Location: https://www.example.com:7777/example
> > >>>>
> > >>>> If you
> > >>>>
> > >>>>
> > >>>>
> > >>>
> > >>
> > ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: [email protected]
> > <mailto:[email protected]>
> > >> For additional commands, e-mail: [email protected]
> > <mailto:[email protected]>
>
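
The SAN requirement discussed in the quoted thread above, as an added example that is not part of any message in it: a small checker that takes the text printed by `openssl x509 -noout -ext subjectAltName` and reports which of the hostnames used for the service the certificate does not cover. The function names and the sample openssl output are constructed for illustration; the hostnames are the ones the thread uses.

```python
import re

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output
# for a certificate reissued with both names (not taken from a real cert).
SAMPLE_EXT = """X509v3 Subject Alternative Name:
    DNS:server.lbg.com, DNS:example.lbg.com, IP Address:192.168.100.20
"""

# Hostnames clients are expected to type, per the thread.
SERVICE_HOSTS = ["server.lbg.com", "example.lbg.com", "example-app.lbg.com"]


def parse_sans(openssl_text):
    """Return the dNSName entries from openssl's SAN listing, lowercased."""
    return [m.group(1).lower()
            for m in re.finditer(r"DNS:([^,\s]+)", openssl_text)]


def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """Match one hostname against one SAN entry.

    Exact match, or a wildcard that is the whole leftmost label and stands
    for exactly one label (so *.lbg.com covers example.lbg.com but neither
    lbg.com nor a.b.lbg.com). Port and URL path play no part in the match.
    """
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        # Refuse wildcards directly under a top-level label such as *.com.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def coverage(hostnames, sans):
    """Map each hostname to the SAN entry that covers it, or None."""
    return {h: next((s for s in sans if san_matches(h, s)), None)
            for h in hostnames}


def uncovered(hostnames, sans):
    """Hostnames that would produce a certificate name mismatch."""
    return sorted(h for h, s in coverage(hostnames, sans).items() if s is None)


if __name__ == "__main__":
    # Certificate issued for server.lbg.com only, modelled as one name.
    print("single-name cert :", uncovered(SERVICE_HOSTS, ["server.lbg.com"]))
    # Certificate reissued with both names as SANs (constructed sample).
    print("two-SAN cert     :", uncovered(SERVICE_HOSTS, parse_sans(SAMPLE_EXT)))
```

Run against the real certificate by replacing `SAMPLE_EXT` with the openssl output; any name still listed needs to be added as a SAN before clients can reach it without a mismatch error.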