Hello Chris, Separate server.xml files means that you have to have two separate Tomcat processes. --> ofcourse, we defined two seperate processes for it but still there was some bug with Tomcat as the webpage is fluctuatiting.
The best fix is to deploy the two applications normally without any funny business. Put both applications into webapps/ with no <Context> elements in server.xml and let them deploy. Use the correct URLs to access them. It's obviously some internal thing to your company because nobody is going to use :8443 in the real world. - Definitely, its an internal thing and thats the reason I have posted here for suggestions and I always tried the things that were suggested by you. I'm sorry, but it seems like you are being given arbitrary and weird requirements almost as a game - I have not given requirements as a game, please understand that those are the requirements that one needed to achieve with tomcat.I understood with Tomcat its getting complicated and hence solved it by installing an reverse proxy where my requirements are fulfilled. Thanks for your support. Thanks, Lavanya On Thu, May 16, 2024 at 11:52 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > Lavanya, > > On 5/15/24 09:09, lavanya tech wrote: > > Hi Chris, > > > >> <Context path="" docBase="towl" /> > > > > If i remove this from server.xml file i have the below error. > > > > Message java.lang.NoClassDefFoundError: org/towl/indexer/web/Prefix > > > > Description The server encountered an unexpected condition that prevented > > it from fulfilling the request. > > > > Exception > > > > jakarta.servlet.ServletException: java.lang.NoClassDefFoundError: > > org/towl/indexer/web/Prefix > > org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333) > > jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) > > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) > > That smells like a CLASSPATH problem where your application is not > actually packaged properly. It could be something else, but it looks > suspicious. > > > The "aliasing" will always be weird. IMO it's better to redirect. If you > > change to redirect, does everything *work*, even if you don't like how > > the browser's URL bar displays? > > --> I tried but it didnot work > > ok apart from this tpic , we have one more issue found. > > > > > > Actually application team, they are deploying two applications one with > > towl (which you are already aware) the other one is (towl-app) they have > > defined seperate server.xml for both. > > Separate server.xml files means that you have to have two separate > Tomcat processes. > > > Name: server.lbg.com > > Address: 192.168.200.120 > > Aliases: example.lbg.com > > > > > > Name: server.lbg.com > > Address: 192.168.200.120 > > Aliases: example-app.lbg.com > > > > which means we have two aliases for server.lbg.com , earlier we were > > concentrating only on one example.lbg.com , now i wanted to somehow > enable > > access as the same for the other one also > > https://example-app.lbg.com --> https://server.lbg.com:8444/towl-app > > > > So i created iptable rule in the sameway as before redirect 443 to 8444 > and > > i have the urls working same as example.lbg.com > > > > Both the server.xml files are here > > > > /git/towl/apachetomcat/conf/server.xml > > /git/towl-app/apachetomcat/conf/server.xml --> I changed the port of > > connectors and everything > > > > But now when i try to access https://example.lbg.com --> I get webpage > of > > https://example-app.lbg.com and sometimes i get webpage of > > https://example.lbg.com after refresh itself which is wierd > > > > May i know why this is happening. If we fix this then I am thinking to > > disable the unwated urls leaving the required ones. for example the below > > ones. I think that would be easier ? rather than redirecting or > aliasing--> > > Because we noticed that towl application is already pointing with > > https://example.lbg.com > > > > https://server.lbg.com:8443 > > https://example-lbg.com:8443 > > <https://example.lbg.com/towl> > > <https://server.lbg.com/towl> > > https://server.lbg.com:8444 > > https://example-lbg.com:8444 > > <https://example.lbg.com/towl-app> > > <https://server.lbg.com/towl-app> > > > > kindly suggest us a fix. > > The best fix is to deploy the two applications normally without any > funny business. Put both applications into webapps/ with no <Context> > elements in server.xml and let them deploy. Use the correct URLs to > access them. It's obviously some internal thing to your company because > nobody is going to use :8443 in the real world. > > I'm sorry, but it seems like you are being given arbitrary and weird > requirements almost as a game. > > I'm not sure I can help you any further at this point. > > -chris > > > On Wed, May 15, 2024 at 2:16 PM Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > >> Lavanya, > >> > >> On 5/15/24 04:43, lavanya tech wrote: > >>> Though to write you privately, regaridng the tomcat url redirection as > >>> the mail chain is getting more big big > >> > >> It's better to post to the list, so anyone in your situation can learn > >> from it. > >> > >>> Let me know if its fine for you and here is what I did. > >>> > >>> 1) <Host name="localhost" appBase="webapps" unpackWARs="true" > >>> autoDeploy="true"> > >>> <Context path="" docBase="towl" /> > >> > >> Don't do this. Just put towl.war into webapps/ and let it auto-deploy. > >> What you are doing here is double-deploying your "towl" application: > >> once as "" (ROOT) and once as "/towl". Remove this from server.xml. > >> > >>> <!-- Rewrite Valve configuration --> > >>> <Valve > >>> className="org.apache.catalina.valves.rewrite.RewriteValve" /> > >> > >> Okay. > >> > >>> 2) I have towl application and towl.war under webapps directory > >>> 3) added proxy port and proxyname to connector > >>> > >>> <Connector port="8443" > >>> protocol="org.apache.coyote.http11.Http11NioProtocol" > >>> maxThreads="150" SSLEnabled="true"> > >>> proxyPort="8443" proxyName="server.lbg.com > >>> <http://server.lbg.com>"> > >>> <UpgradeProtocol > >>> className="org.apache.coyote.http2.Http2Protocol" /> > >>> <SSLHostConfig> > >>> <Certificate certificateKeystoreFile="/path/to/keystore" > >>> certificateKeystorePassword="pass" > >>> type="RSA" /> > >>> </SSLHostConfig> > >>> </Connector> > >> > >> Okay. > >> > >>> 4) added rewrite.config under conf directory > >>> > # Redirect everything that is not server.lbg.com > >>> <http://server.lbg.com> to > >>> > # server.lbg.com <http://server.lbg.com>. Don't worry about /towl > >> yet. > >>> > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$ > >>> > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 > >>> <https://server.lbg.com:8443/$1> [L] > >>> > > >>> > # Redirect anything that isn't already going to /towl > >>> > # to go to /towl > >>> > RewriteCond %{REQUEST_URI} !^/towl > >>> > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 > >>> <https://server.lbg.com:8443/towl/$1> [L] > >>> > >>> 5) restarted tomcat > >>> 6) can access all the urls https://server.lbg.com:8443 > >>> <https://server.lbg.com:8443>, https://server.lbg.com > >>> <https://server.lbg.com>, https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl>, https://server.lbg.com/towl > >>> <https://server.lbg.com/towl> > >>> https://example.lbg.com:8443 <https://example.lbg.com:8443>, > >>> https://example.lbg.com <https://example.lbg.com>, > >>> https://example.lbg.com:8443/towl <https://example.lbg.com:8443/towl>, > >>> https://example.lbg.com/towl <https://example.lbg.com/towl> > >>> > >>> Unfortunately aliasing still doesnot work https://example.lbg.com > >>> <https://example.lbg.com> --> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> and many urls works > >> > >> The "aliasing" will always be weird. IMO it's better to redirect. If you > >> change to redirect, does everything *work*, even if you don't like how > >> the browser's URL bar displays? > >> > >> -chris > >> > >>> On Tue, May 14, 2024 at 11:38 PM Christopher Schultz > >>> <ch...@christopherschultz.net <mailto:ch...@christopherschultz.net>> > >> wrote: > >>> > >>> Lavanya, > >>> > >>> On 5/14/24 15:11, lavanya tech wrote: > >>> > You are right. We need aliasing here which means the URL in the > >>> browser > >>> > does not change. > >>> > May I know where should I put the below rewrite files ? > >>> > > >>> > # Redirect everything that is not server.lbg.com > >>> <http://server.lbg.com> to > >>> > # server.lbg.com <http://server.lbg.com>. Don't worry about > /towl > >>> yet. > >>> > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$ > >>> > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 > >>> <https://server.lbg.com:8443/$1> [R=301,L] > >>> > > >>> > # Redirect anything that isn't already going to /towl > >>> > # to go to /towl > >>> > RewriteCond %{REQUEST_URI} !^/towl > >>> > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 > >>> <https://server.lbg.com:8443/towl/$1> [R=301,L] > >>> > >>> AIUI, you can put all of the above in conf/rewrite.config and > >> configure > >>> the <Valve> under your <Host> just as you had it before. > >>> > >>> If you want aliasing and not redirection, then you don't want the > [R] > >>> flag. IMO, you should really do a redirect. If you don't, then the > >>> application and the browser disagree about the base URL and all > >>> kinds of > >>> things like that. > >>> > >>> -chris > >>> > >>> > On Tuesday, May 14, 2024, Christopher Schultz > >>> <ch...@christopherschultz.net <mailto: > ch...@christopherschultz.net>> > >>> > wrote: > >>> > > >>> >> Lavanya, > >>> >> > >>> >> On 5/14/24 09:12, lavanya tech wrote: > >>> >> > >>> >>> IMHO removing the port number is always the preferred > solution > >>> — I never > >>> >>>> did it > >>> >>>> > >>> >>>> > >>> >>>>> can we achieve this with tomcat or we need to setup an > >>> reverse proxy > >>> >>>>> here. > >>> >>>>> > >>> >>>>> > >>> >>>> Your application uses whatever internal URLs it wants. Are > you > >>> building > >>> >>>> those yourself, or are you asking Tomcat for the e.g. > >>> hostname, etc.? If > >>> >>>> it's Tomcat, this is where the proxyName and proxyPort come > in. > >>> >>>> > >>> >>> > >>> >>> - Yes, I have not built these UrLs before. It’s was > working > >>> from the > >>> >>> very > >>> >>> beginning. As. I mentioned we are not able to reach goal or > >>> whatever. > >>> >>> > >>> >>> Rather than saying redirection, I would say it’s aliasing. > >>> >>> > >>> >> > >>> >> Please be specific. "Aliasing" (to me) means "the URL does to > >>> the right > >>> >> place but doesn't change in the browser's URL" and > "redirection" > >> (to > >>> >> everybody) means "HTTP 301 or 302 response to a new URL". > >>> >> > >>> >> Instead of moving applications or changing tomcat > configuration > >>> it’s easier > >>> >>> to achieve with reverse proxy ? > >>> >>> > >>> >>> https://example.lbg.com/ <https://example.lbg.com/> to > >>> https://server.lbg.com:8443/towl < > https://server.lbg.com:8443/towl> > >>> >>> > >>> >> > >>> >> This will be a nightmare. Do not try to rewrite URLs using a > >> reverse > >>> >> proxy. You should redirect users to the right place if > >>> necessary. You can > >>> >> use a reverse-proxy if you want, but it won't be any less > >>> complicated than > >>> >> having Tomcat do it. > >>> >> > >>> >> I think your rewrite.config file just needs a few tweaks: > >>> >> > >>> >> # Redirect everything that is not server.lbg.com > >>> <http://server.lbg.com> to > >>> >> # server.lbg.com <http://server.lbg.com>. Don't worry about > >>> /towl yet. > >>> >> RewriteCond %{HTTP_HOST} !^server\.lbg\.com$ > >>> >> RewriteRule ^/(.*) https://server.lbg.com:8443/$1 > >>> <https://server.lbg.com:8443/$1> [R=301,L] > >>> >> > >>> >> # Redirect anything that isn't already going to /towl > >>> >> # to go to /towl > >>> >> RewriteCond %{REQUEST_URI} !^/towl > >>> >> RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 > >>> <https://server.lbg.com:8443/towl/$1> [R=301,L] > >>> >> > >>> >> The application should be deployed as towl.war (or towl/ > >>> directory). You > >>> >> should listen on ports 80, 443, and 8443, and you should > always > >>> end up at > >>> >> the right place. You should have proxyPort="8443" and > proxyName=" > >>> >> server.lbg.com <http://server.lbg.com>" in your <Connector>. > >>> >> > >>> >> You will not need a ROOT context, since the rewrite will take > >>> care of that > >>> >> for you. > >>> >> > >>> >> -chris > >>> >> > >>> >> On Mon, May 13, 2024 at 10:17 PM lavanya tech > >>> <lavanyatech...@gmail.com <mailto:lavanyatech...@gmail.com>> > >>> >>>> wrote: > >>> >>>> > >>> >>>> Hi Chris, > >>> >>>> > >>> >>>> Sorry, If I did confuse. It’s important that > >>> >>>> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> is always working. Goal is > not to > >>> >>>> disable /towl, but just redirect or aliasing > >>> >>>> > >>> >>>> https//example.lbg.com/ <http://example.lbg.com/> to > >>> https://server.lbg.com:8443/towl < > https://server.lbg.com:8443/towl> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> Thanks, > >>> >>>> Lavanya > >>> >>>> > >>> >>>> On Monday, May 13, 2024, Christopher Schultz < > >>> >>>> ch...@christopherschultz.net <mailto: > >> ch...@christopherschultz.net> > >>> >>>> > >>> >>>>> > >>> >>>>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> On 5/13/24 05:57, lavanya tech wrote: > >>> >>>> > >>> >>>> Somehow made it work now i can only access urls as you > >>> mentioned before > >>> >>>> https://example.lbg.com <https://example.lbg.com> and > >>> https://server.lbg.com <https://server.lbg.com> with port 8443 > and > >>> >>>> with > >>> >>>> out > >>> >>>> > >>> >>>> https://example.lbg.com/towl <https://example.lbg.com/towl> > >>> and https://server.lbg.com/towl <https://server.lbg.com/towl> > --> I > >>> >>>> have an > >>> >>>> error now File not found. > >>> >>>> > >>> >>>> So i think we need to make work https://example.lbg.com/ > >>> <https://example.lbg.com/> to > >>> >>>> https://server.lbg.com/towl <https://server.lbg.com/towl> > >>> >>>> > >>> >>>> > >>> >>>> I'm sorry, I'm still confused as to which way you want > things. > >>> >>>> > >>> >>>> Do you want to redirect /towl -> / or do you want to > redirect > >>> / - > > >>> >>>> /towl? > >>> >>>> > >>> >>>> Or does it depend upon the hostname? It would really be > better > >>> if you > >>> >>>> could settle on one specific beahvior. > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Mon, May 13, 2024 at 9:41 AM lavanya tech > >>> <lavanyatech...@gmail.com <mailto:lavanyatech...@gmail.com>> > >>> >>>> > >>> >>>> wrote: > >>> >>>> > >>> >>>> Hi Chris, > >>> >>>> > >>> >>>> > >>> >>>> Where are you defining the RewriteValve itself? > >>> >>>> > >>> >>>> Defined rewritevalve here > >>> >>>> <Host name="localhost" appBase="webapps" > >>> >>>> unpackWARs="true" autoDeploy="true"> > >>> >>>> > >>> >>>> <Valve > >>> >>>> className="org.apache.catalina.valves.rewrite.RewriteValve" > /> > >>> >>>> resource="conf/rewrite.config" /> > >>> >>>> > >>> >>>> 2) reated rewrite.config and added as below under conf/ > >>> >>>> > >>> >>>> RewriteCond %{REQUEST_URI} ^/towl/(.*) > >>> >>>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 > >>> <https://example.lbg.com/%1> [R] > >>> >>>> > >>> >>>> 3) After renaming towl to ROOT -> > >>> /webapps/ROOT/WEB-INF/web.xml ( I > >>> >>>> already have this mappings /* in web.xml file) > >>> >>>> > >>> >>>> <security-constraint> > >>> >>>> <web-resource-collection> > >>> >>>> <web-resource-name>Logging > Area</web-resource-name> > >>> >>>> <description> > >>> >>>> Authentication for registered users. > >>> >>>> </description> > >>> >>>> <url-pattern>/*</url-pattern> > >>> >>>> <url-pattern>/api/v1/search</url-pattern> <!-- > >>> protect search > >>> >>>> endpoint whitelisted above --> > >>> >>>> <url-pattern>/api/v1/suggest/*</url-pattern> > <!-- > >>> protect > >>> >>>> suggest > >>> >>>> endpoint whitelisted above --> > >>> >>>> </web-resource-collection> > >>> >>>> <auth-constraint> > >>> >>>> <role-name>LDAP_USER</role-name> > >>> >>>> <role-name>api</role-name> > >>> >>>> </auth-constraint> > >>> >>>> </security-constraint> > >>> >>>> > >>> >>>> 4) Restarted Tomcat, Then I cannot access > >>> >>>> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> > >>> >>>> --> Have below error > >>> >>>> > >>> >>>> Message java.nio.file.NoSuchFileException: > >>> >>>> > >> /git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar > >>> >>>> > >>> >>>> Description The server encountered an unexpected condition > that > >>> >>>> prevented > >>> >>>> it from fulfilling the request. > >>> >>>> > >>> >>>> 5) Also https://example.lbg.com <https://example.lbg.com> > >>> doesnot work anymore > >>> >>>> > >>> >>>> Before you do anything with redirecting, can you just make > >>> sure you are > >>> >>>> only deploying ROOT.war and nothing else? > >>> >>>> How can I do that. I already changed towl.war to > >> ROOT.war > >>> >>>> > >>> >>>> But still both the urls have error as mentioned above. > >>> >>>> > >>> >>>> > >>> >>>> Si I revereted back the changes. > >>> >>>> That's weird. Try stopping, deleting the work/ directory and > >>> restarting. > >>> >>>> --> I have this wierd behavior for some reason, thoudh > >>> index.jsp is > >>> >>>> located > >>> >>>> no changes were made to file. After deleting cookies url > works > >>> >>>> > >>> >>>> where Am I going wrong. > >>> >>>> > >>> >>>> Thanks, > >>> >>>> Lavanya > >>> >>>> > >>> >>>> > >>> >>>> On Fri, May 10, 2024 at 6:50 PM Christopher Schultz < > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> > >>> >>>> On 5/10/24 04:37, lavanya tech wrote: > >>> >>>> > >>> >>>> I tried the below and have the issues. > >>> >>>> > >>> >>>> 1)proxyPort="443" and proxyName="example.lbg.com > >>> <http://example.lbg.com>" to the connector > >>> >>>> 2) remanmed towl.war to ROOT.war > >>> >>>> 3) created rewrite.config and added as below under conf/ > >>> >>>> > >>> >>>> > >>> >>>> Where are you defining the RewriteValve itself? > >>> >>>> > >>> >>>> RewriteCond %{REQUEST_URI} ^/towl/(.*) > >>> >>>> > >>> >>>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 > >>> <https://example.lbg.com/%1> [R] > >>> >>>> > >>> >>>> > >>> >>>> If this is being handled by the ROOT servlet then I think > it's > >>> right. > >>> >>>> > >>> >>>> 4) added this in web.xml file of /webapps/towl/web.xml/ > >>> >>>> > >>> >>>> > >>> >>>> <!-- Servlet mappings --> > >>> >>>> <!-- Add your existing servlet mappings here --> > >>> >>>> > >>> >>>> <!-- Security constraint to restrict access to > /towl > >>> path --> > >>> >>>> <security-constraint> > >>> >>>> <web-resource-collection> > >>> >>>> <web-resource-name>Restricted Access to > >>> >>>> /towl</web-resource-name> > >>> >>>> <url-pattern>/towl/*</url-pattern> > >>> >>>> > >>> >>>> > >>> >>>> No, this is wrong. Since this is the "towl" application and > >>> not ROOT, > >>> >>>> you want to map /* and not /towl/* because the application > >>> will never > >>> >>>> see the /towl/ as it's an application/context prefix that > >>> Tomcat will > >>> >>>> remove. > >>> >>>> > >>> >>>> </web-resource-collection> > >>> >>>> > >>> >>>> <auth-constraint> > >>> >>>> <!-- Deny access to all roles --> > >>> >>>> </auth-constraint> > >>> >>>> </security-constraint> > >>> >>>> > >>> >>>> Also I noticed that even if I rename the towl application to > >> ROOT, > >>> >>>> when > >>> >>>> > >>> >>>> i > >>> >>>> > >>> >>>> call the url with https://example.lbg.com/towl > >>> <https://example.lbg.com/towl> --> this towl > >>> >>>> directory > >>> >>>> > >>> >>>> is > >>> >>>> > >>> >>>> getting created under webapps by default > >>> >>>> > >>> >>>> > >>> >>>> If webapps/towl is being created, then it's happening for > some > >>> other > >>> >>>> reason. Do you have anything under conf/Catalina/*/towl.xml > >> which > >>> >>>> points > >>> >>>> to a WAR file or something? If so, remove that. > >>> >>>> > >>> >>>> 5) Resarted tomcat and I have the below error and all the > urls > >>> have the > >>> >>>> > >>> >>>> same issue > >>> >>>> > >>> >>>> Message org.apache.jasper.JasperException: > >>> >>>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp > >>> >>>> > >>> >>>> > >>> >>>> That's weird. Try stopping, deleting the work/ directory and > >>> >>>> restarting. > >>> >>>> > >>> >>>> Description The server encountered an unexpected condition > that > >>> >>>> > >>> >>>> > >>> >>>> prevented > >>> >>>> > >>> >>>> it from fulfilling the request. > >>> >>>> > >>> >>>> Exception > >>> >>>> > >>> >>>> org.apache.jasper.JasperException: > >>> org.apache.jasper.JasperException: > >>> >>>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp > >>> >>>> > >>> >>>> > >>> >>>> > org.apache.jasper.servlet.JspServletWrapper.handleJspException( > >>> >>>> JspServletWrapper.java:578) > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> org.apache.jasper.servlet.JspServletWrapper.service( > >>> >>>> JspServletWrapper.java:422) > >>> >>>> > >>> >>>> > >>> >>>> > >>> > >> > org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380) > >>> >>>> > >> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328) > >>> >>>> > jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) > >>> >>>> org.apache.tomcat.websocket.se > >>> <http://org.apache.tomcat.websocket.se> > >>> >>>> rver.WsFilter.doFilter(WsFilter.java:51) > >>> >>>> > >>> >>>> > >>> >>>> Before you do anything with redirecting, can you just make > >>> sure you are > >>> >>>> only deploying ROOT.war and nothing else? > >>> >>>> > >>> >>>> This should allow you to reach the application at both > >>> >>>> https://example.lbg.com/ <https://example.lbg.com/> and > >>> https://server.lbg.com/ <https://server.lbg.com/> as well as both > >>> >>>> of > >>> >>>> those with port 8443. > >>> >>>> > >>> >>>> Then use the applications and make sure they are working as > >>> expected. > >>> >>>> Then, we'll add the /towl handling. > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Thu, May 9, 2024 at 11:20 PM Christopher Schultz < > >>> >>>> > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> > >>> >>>> On 5/9/24 13:48, lavanya tech wrote: > >>> >>>> > >>> >>>> Thank you so much for your explanation. I will try these > >> options. > >>> >>>> > >>> >>>> Do server and example both resolve to the same IP? > >>> >>>> -yes > >>> >>>> > >>> >>>> > >>> >>>> Good, that significantly reduces the complexity required, > >>> since you > >>> >>>> can > >>> >>>> do it will a single process (Tomcat) in a single > environment. > >>> >>>> > >>> >>>> So I need follow both 4a/b and 5a/b steps here or any of > them ? > >>> >>>> > >>> >>>> > >>> >>>> If I setup exactly by using below steps , then I should > access > >>> both > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> > >>> >>>> urls right ? https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> and > >>> >>>> > >>> >>>> > >>> >>>> https://example.lbg.com <https://example.lbg.com> > >>> >>>> > >>> >>>> If you visit either hostname with /towl, you will be > >> redirected to > >>> >>>> example.lbg.com/ <http://example.lbg.com/> with no port > >>> number. example:8443 will still work > >>> >>>> and > >>> >>>> no redirect will take place... unless you specifically make > >>> >>>> > >>> >>>> arrangements > >>> >>>> > >>> >>>> > >>> >>>> for that. We can do that later if you really want to. > >>> >>>> > >>> >>>> > >>> >>>> Let's get the other things working, first. > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Thursday, May 9, 2024, Christopher Schultz < > >>> >>>> > >>> >>>> > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> > >>> >>>> > >>> >>>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> > >>> >>>> On 5/9/24 02:58, lavanya tech wrote: > >>> >>>> > >>> >>>> Just giving background again of this topic again. > >>> >>>> > >>> >>>> > >>> >>>> 1) The application team who is working they wanted to access > >> the > >>> >>>> url > >>> >>>> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> —> which should redirect or > >>> >>>> point > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> > >>> >>>> https://example.lbg.com <https://example.lbg.com> > >>> >>>> > >>> >>>> > >>> >>>> Is that a typo? You want specifically > >>> https://server.lbg.com/towl <https://server.lbg.com/towl> > >>> >>>> > >>> >>>> and > >>> >>>> > >>> >>>> > >>> >>>> https://example.lbg.com/ <https://example.lbg.com/> to > point > >>> to your application? > >>> >>>> > >>> >>>> — It’s not the Typo the requirements > are > >>> still > >>> >>>> the > >>> >>>> > >>> >>>> same. > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> Okay. > >>> >>>> > >>> >>>> Do server and example both resolve to the same IP? > >>> >>>> > >>> >>>> 2) Hence I added firewall rule to redirect port 443 to 8443. > >> And > >>> >>>> the > >>> >>>> > >>> >>>> url > >>> >>>> > >>> >>>> > >>> >>>> https://example.lbg.com <https://example.lbg.com> started > >>> working but its pointing to > >>> >>>> > >>> >>>> https://server.lbg.com:8443 <https://server.lbg.com:8443> > >>> indeed and not > >>> >>>> > >>> >>>> https://server.lbg.com:8443/to < > https://server.lbg.com:8443/to > >>> > >>> >>>> > >>> >>>> > >>> >>>> wl > >>> >>>> > >>> >>>> > >>> >>>> But then they wanted the point 1 to have it. If I understood > >>> >>>> > >>> >>>> correctly. So > >>> >>>> > >>> >>>> > >>> >>>> basically to achieve this we wanted a reverse proxy setup ? > >>> >>>> > >>> >>>> > >>> >>>> I didnot define any additional host in server.xml file on > just > >>> >>>> left > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> > >>> >>>> default to local host. > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> Here's what you have to do in order to support this odd > >>> >>>> > >>> >>>> configuration. > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> 1. Configure your firewall to route port 443 -> 8443. I > suspect > >>> >>>> this > >>> >>>> > >>> >>>> is > >>> >>>> > >>> >>>> > >>> >>>> already done. > >>> >>>> > >>> >>>> > >>> >>>> 2. Deploy Tomcat on server.lbg.com <http://server.lbg.com> > >>> with a <Connector> on port > >>> >>>> 8443. > >>> >>>> > >>> >>>> This > >>> >>>> > >>> >>>> > >>> >>>> is the default, so there shouldn't be anything to do. I > >>> suspect this > >>> >>>> > >>> >>>> > >>> >>>> is > >>> >>>> > >>> >>>> > >>> >>>> already done. You should set proxyPort="443" and proxyName=" > >>> >>>> > >>> >>>> example.lbg.com <http://example.lbg.com>" in your > <Connector>. > >>> This will ensure that any > >>> >>>> URLs > >>> >>>> generated by Tomcat or your application will point to > >>> >>>> https://example.lbg.com/ <https://example.lbg.com/> and > not to > >>> server.lbg.com <http://server.lbg.com> or have a port > >>> >>>> > >>> >>>> number > >>> >>>> > >>> >>>> > >>> >>>> or whatever. > >>> >>>> > >>> >>>> > >>> >>>> 3. Re-name your application directory or WAR file from towl > -> > >>> ROOT > >>> >>>> > >>> >>>> (upper > >>> >>>> > >>> >>>> > >>> >>>> case is important). So if you have tomcat/webapps/towl > re-name > >>> that > >>> >>>> > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> > >>> >>>> tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war > >> re-name > >>> >>>> > >>> >>>> > >>> >>>> that > >>> >>>> > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> > >>> >>>> tomcat/webapps/ROOT.war. > >>> >>>> > >>> >>>> > >>> >>>> The last thing to do is get /towl to re-direct to /. There > are > >> a > >>> >>>> few > >>> >>>> > >>> >>>> ways > >>> >>>> > >>> >>>> > >>> >>>> of doing that. > >>> >>>> > >>> >>>> > >>> >>>> 4a. Configure your application (now called ROOT and deployed > >> on / > >>> >>>> and > >>> >>>> > >>> >>>> not > >>> >>>> > >>> >>>> > >>> >>>> /towl anymore) to handle the /towl URL and specifically > >> redirect > >>> >>>> > >>> >>>> this > >>> >>>> > >>> >>>> back > >>> >>>> > >>> >>>> > >>> >>>> to /. This is oddly specific and has the application trying > to > >>> >>>> > >>> >>>> > >>> >>>> redirect > >>> >>>> > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> > >>> >>>> itself which is weird. > >>> >>>> > >>> >>>> > >>> >>>> 4b. Create a new application called towl or towl.war which > >> will be > >>> >>>> deployed on /towl and have THAT redirect to /. I think this > is > >>> >>>> > >>> >>>> cleaner > >>> >>>> > >>> >>>> > >>> >>>> because you can call the application anything you'd like and > >>> it will > >>> >>>> > >>> >>>> > >>> >>>> still > >>> >>>> > >>> >>>> > >>> >>>> work. You don't have to match URL patterns yourself, you > just > >>> >>>> > >>> >>>> re-name > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> > >>> >>>> WAR file if you suddenly want to use /towl2 instead of > /towl. > >>> >>>> > >>> >>>> > >>> >>>> There are several ways to redirect. > >>> >>>> > >>> >>>> 5a. Use the rewrite valve and map /(*) to (global redirect) > >> /\1. A > >>> >>>> > >>> >>>> few > >>> >>>> > >>> >>>> > >>> >>>> notes: (1) the (*) means "capture this string" and \1 means > >>> "put the > >>> >>>> > >>> >>>> > >>> >>>> string > >>> >>>> > >>> >>>> > >>> >>>> back. This allows you to redirect /towl/foo/bar to /foo/bar > >>> instead > >>> >>>> > >>> >>>> > >>> >>>> of > >>> >>>> > >>> >>>> > >>> >>>> losing the /foo/bar. This syntax may not be perfect, adapt > it > >>> to your > >>> >>>> > >>> >>>> needs. (2) Remember that the towl application is deployed on > >> /towl > >>> >>>> so > >>> >>>> > >>> >>>> you > >>> >>>> > >>> >>>> > >>> >>>> don't want to redirect /towl/foo/bar you only want redirect > >>> /foo/bar > >>> >>>> > >>> >>>> > >>> >>>> since > >>> >>>> > >>> >>>> > >>> >>>> the URL will be relative to the current context (/towl). Got > >> that? > >>> >>>> > >>> >>>> > >>> >>>> Finally, > >>> >>>> > >>> >>>> > >>> >>>> (3) you need to use a global redirect that does *NOT* > redirect > >>> back > >>> >>>> > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> > >>> >>>> /towl application. Normally, if you redirect to /foo you'll > >> get an > >>> >>>> > >>> >>>> application-relative redirect from something like a rewrite > >>> >>>> valve/filter/whatever. Take care to redirect relative to the > >>> SERVER > >>> >>>> > >>> >>>> and > >>> >>>> > >>> >>>> > >>> >>>> not > >>> >>>> > >>> >>>> > >>> >>>> to the application. > >>> >>>> > >>> >>>> > >>> >>>> 5b. Write your own servlet to do a specific redirect. > >>> >>>> > >>> >>>> I hope that helps, > >>> >>>> -chris > >>> >>>> > >>> >>>> On Wednesday, May 8, 2024, Christopher Schultz < > >>> >>>> > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> > >>> >>>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> > >>> >>>> On 5/8/24 06:48, lavanya tech wrote: > >>> >>>> > >>> >>>> I figured out how I can it make it work with 443. Now the > URls > >>> >>>> are > >>> >>>> > >>> >>>> working. > >>> >>>> I added iptables route 443 to 8443 and it started working. > >>> >>>> > >>> >>>> nslookup example.lbg.com <http://example.lbg.com> > >>> >>>> > >>> >>>> Non-authoritative answer: > >>> >>>> Name: server.lbg.com <http://server.lbg.com> > >>> >>>> Address: 192.168.200.105 > >>> >>>> Aliases: example.lbg.com <http://example.lbg.com> > >>> >>>> > >>> >>>> > >>> >>>> I have some application towl running with apache tomcat. I > have > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> > >>> >>>> below > >>> >>>> > >>> >>>> URLs working. > >>> >>>> > >>> >>>> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> > >>> >>>> https://server.lbg.com <https://server.lbg.com> > >>> >>>> https://example.lbg.com <https://example.lbg.com> > >>> >>>> https://example.lbg.com/towl <https://example.lbg.com/towl> > >>> >>>> > >>> >>>> > >>> >>>> Now i wanted to disable the url > https://example.lbg.com/towl > >>> <https://example.lbg.com/towl> > >>> >>>> and > >>> >>>> https://server.lbg.com <https://server.lbg.com> and access > >>> only the other remaining two. > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> I would *highly* recommend that you pick either /towl or / > and > >> not > >>> >>>> > >>> >>>> > >>> >>>> try to > >>> >>>> > >>> >>>> > >>> >>>> do both, unless you want to deploy the application twice > >> (which is > >>> >>>> > >>> >>>> > >>> >>>> fine, > >>> >>>> > >>> >>>> > >>> >>>> just deploy towl.war and ROOT.war as copies of each other). > If > >> you > >>> >>>> > >>> >>>> > >>> >>>> try to > >>> >>>> > >>> >>>> > >>> >>>> re-write /towl to / or / to /towl, you'll find you spend the > >> rest > >>> >>>> > >>> >>>> > >>> >>>> of > >>> >>>> > >>> >>>> > >>> >>>> your > >>> >>>> > >>> >>>> > >>> >>>> days tracking-down edge-cases and "fixing" them -- likely > >> making > >>> >>>> > >>> >>>> > >>> >>>> things > >>> >>>> > >>> >>>> > >>> >>>> confusing and, probably, worse. > >>> >>>> > >>> >>>> > >>> >>>> In the end our goal to makesure that the links are not > always > >>> >>>> > >>> >>>> dead as > >>> >>>> > >>> >>>> > >>> >>>> soon > >>> >>>> > >>> >>>> > >>> >>>> as the towl is moved to a new machine. Can you pelase assit > me > >>> >>>> > >>> >>>> how > >>> >>>> > >>> >>>> to do > >>> >>>> > >>> >>>> > >>> >>>> that? > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> The goal should be that "moving" the application only means > >>> >>>> > >>> >>>> > >>> >>>> changing > >>> >>>> > >>> >>>> > >>> >>>> DNS > >>> >>>> > >>> >>>> > >>> >>>> and everything else works as expected. > >>> >>>> > >>> >>>> > >>> >>>> If you: > >>> >>>> > >>> >>>> 1. Deploy the application with a single context (e.g. /towl, > >>> >>>> which > >>> >>>> > >>> >>>> I > >>> >>>> > >>> >>>> > >>> >>>> recommend) > >>> >>>> > >>> >>>> > >>> >>>> 2. Re-direct / to /towl (this requires a reverse-proxy or a > >> ROOT > >>> >>>> application that does nothing but redirect ; my personal > >>> >>>> > >>> >>>> preference) > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> 3. Do not define any <Host> other than "localhost" and make > it > >>> >>>> the > >>> >>>> default. Do not bother with any <Alias> elements since they > are > >>> >>>> not > >>> >>>> necessary. > >>> >>>> > >>> >>>> Moving the application should only require that you: > >>> >>>> > >>> >>>> 4. Deploy the same application with the same configuration > in > >> the > >>> >>>> > >>> >>>> new > >>> >>>> > >>> >>>> > >>> >>>> location > >>> >>>> > >>> >>>> > >>> >>>> 5. Change DNS to point example.lbg.com > >>> <http://example.lbg.com> and server.lbg.com < > http://server.lbg.com> > >>> to the > >>> >>>> > >>> >>>> new > >>> >>>> > >>> >>>> > >>> >>>> location of the service > >>> >>>> > >>> >>>> > >>> >>>> Hope that helps, > >>> >>>> -chris > >>> >>>> > >>> >>>> On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz < > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> On 4/30/24 07:10, lavanya tech wrote: > >>> >>>> > >>> >>>> Can you tell me how to do the below ? How should I setup > Tomcat > >>> >>>> in > >>> >>>> server.xml ? > >>> >>>> > >>> >>>> > >>> >>>> If you want to use port 443 (the default port for HTTPS) > then > >> you > >>> >>>> > >>> >>>> will > >>> >>>> > >>> >>>> > >>> >>>> need to change Tomcat to bind to port 443 (if that's > allowed on > >>> >>>> > >>> >>>> > >>> >>>> your > >>> >>>> > >>> >>>> > >>> >>>> OS) > >>> >>>> > >>> >>>> > >>> >>>> or arrange to have port 443 routed to port 8443. You may > need > >>> >>>> > >>> >>>> > >>> >>>> additional > >>> >>>> > >>> >>>> > >>> >>>> configuration in Tomcat (specifically: proxyPort) to avoid > >> having > >>> >>>> > >>> >>>> > >>> >>>> Tomcat > >>> >>>> > >>> >>>> > >>> >>>> generate URLs with ":8443" in them. > >>> >>>> > >>> >>>> > >>> >>>> Looking forward to your reply. > >>> >>>> > >>> >>>> > >>> >>>> If Tomcat is listening on port 8443 then you will need to > >> include > >>> >>>> > >>> >>>> that > >>> >>>> > >>> >>>> > >>> >>>> in your URL, period. If you want to allow URLs without a > port > >>> >>>> > >>> >>>> > >>> >>>> number, > >>> >>>> > >>> >>>> > >>> >>>> you will have to arrange to have something listening on port > >> 443. > >>> >>>> > >>> >>>> > >>> >>>> On Windows, Tomcat can listen directly on port 443. On UNIX > and > >>> >>>> UNIX-like systems, you won't be able to do this without > running > >>> >>>> > >>> >>>> Tomcat > >>> >>>> > >>> >>>> > >>> >>>> as root WHICH YOU ABSOLUTELY SHOULD NOT DO. > >>> >>>> > >>> >>>> > >>> >>>> There are other ways to get port 443 working, but I'll need > to > >>> >>>> know > >>> >>>> > >>> >>>> more > >>> >>>> > >>> >>>> > >>> >>>> about your environment. The port issue is "easier" than > >> figuring > >>> >>>> > >>> >>>> > >>> >>>> out > >>> >>>> > >>> >>>> > >>> >>>> whatever is going on with your DNS, aliases, etc. so I would > >>> >>>> > >>> >>>> > >>> >>>> recommend > >>> >>>> > >>> >>>> > >>> >>>> we fix one thing at a time. > >>> >>>> > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Mon, Apr 29, 2024 at 2:03 PM lavanya tech < > >>> >>>> > >>> >>>> lavanyatech...@gmail.com <mailto:lavanyatech...@gmail.com>> > >>> >>>> > >>> >>>> > >>> >>>> wrote: > >>> >>>> > >>> >>>> > >>> >>>> Hi Chris, > >>> >>>> > >>> >>>> There is no issues with browser, because I tested with > >> different > >>> >>>> > >>> >>>> browsers > >>> >>>> > >>> >>>> and it all works fine. I am sure that there is no issue with > >> the > >>> >>>> certificate. > >>> >>>> Because I was able to establish successful > >> connections > >>> >>>> with > >>> >>>> > >>> >>>> port > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> 8443, it > >>> >>>> > >>> >>>> just doesnot work with out port > >>> >>>> > >>> >>>> curl https://example.lbg.com/towl > >>> <https://example.lbg.com/towl> > >>> >>>> curl: (56) Received HTTP code 504 from proxy after CONNECT > >>> >>>> curl: (56) Received HTTP code 504 from proxy after CONNECT > >>> >>>> > >>> >>>> > >>> >>>> If you want to use port 443 (the default port for HTTPS) > then > >> you > >>> >>>> > >>> >>>> will > >>> >>>> > >>> >>>> > >>> >>>> need to change Tomcat to bind to port 443 (if that's > allowed on > >>> >>>> > >>> >>>> > >>> >>>> your > >>> >>>> > >>> >>>> > >>> >>>> OS) > >>> >>>> > >>> >>>> > >>> >>>> or arrange to have port 443 routed to port 8443. You may > need > >>> >>>> > >>> >>>> > >>> >>>> additional > >>> >>>> > >>> >>>> > >>> >>>> configuration in Tomcat (specifically: proxyPort) to avoid > >> having > >>> >>>> > >>> >>>> > >>> >>>> Tomcat > >>> >>>> > >>> >>>> > >>> >>>> generate URLs with ":8443" in them. > >>> >>>> > >>> >>>> > >>> >>>> <Connector port="443" protocol="HTTP/1.1" > >>> >>>> connectionTimeout="20000" > >>> >>>> redirectPort="8443" > >>> >>>> maxThreads="150" > >>> >>>> scheme="https" secure="true" > >> SSLEnabled="true" > >>> >>>> > keystoreFile="path_to_your_keystore_file" > >>> >>>> keystorePass="your_keystore_password" > >>> >>>> keystoreType="PKCS12" > >>> >>>> clientAuth="false" sslProtocol="TLS" > >>> >>>> proxyPort="443"/> > >>> >>>> > >>> >>>> should i use connect port like the above ? But you > mentioned > >>> >>>> > >>> >>>> before > >>> >>>> > >>> >>>> > >>> >>>> we > >>> >>>> > >>> >>>> > >>> >>>> dont need any configuration changes. Please clarify I am not > >> able > >>> >>>> > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> figure > >>> >>>> > >>> >>>> this out and I have this issue many days pending. How to > make > >> it > >>> >>>> > >>> >>>> work > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> with > >>> >>>> > >>> >>>> port 8443 and with out port > >>> >>>> > >>> >>>> Also I wanted to use weburl with alias name permanently > instead > >>> >>>> of > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> > >>> >>>> hostname. How can I achieve both > >>> >>>> > >>> >>>> > >>> >>>> Thanks, > >>> >>>> Lavanya > >>> >>>> > >>> >>>> > >>> >>>> --> > >>> >>>> > >>> >>>> > >>> >>>> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz < > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> On 4/25/24 07:24, lavanya tech wrote: > >>> >>>> > >>> >>>> Hi Chris, > >>> >>>> > >>> >>>> One question / doubt: > >>> >>>> > >>> >>>> As I mentioned earlier, the below URLS already working in > the > >>> >>>> > >>> >>>> browser > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> > >>> >>>> https://example.lbg.com:8443/towl > >>> <https://example.lbg.com:8443/towl> -> redirect ( which means > >>> >>>> when I > >>> >>>> > >>> >>>> hit in > >>> >>>> > >>> >>>> browser) it points to https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> ---> To > >>> >>>> be > >>> >>>> > >>> >>>> frank, > >>> >>>> > >>> >>>> even I donot need redirect here, not sure why it redirects. > >>> >>>> > >>> >>>> My question is why its working even though SAN is not > >> registered > >>> >>>> > >>> >>>> with > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> certificate ? It doesnot even throw warning in the browser. > >>> >>>> > >>> >>>> > >>> >>>> I'm not sure. Is it possible you have dismissed this error > in > >> the > >>> >>>> > >>> >>>> past > >>> >>>> > >>> >>>> > >>> >>>> and the browser is remembering that? Try this with a > different > >> web > >>> >>>> > >>> >>>> browser or maybe with curl from the command-line to see what > >>> >>>> > >>> >>>> happens. > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> Why https://server.lbg.com/towl < > https://server.lbg.com/towl> > >>> or https://example.lbg.com/towl <https://example.lbg.com/towl> > >>> >>>> > >>> >>>> --> > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> How it > >>> >>>> > >>> >>>> should work with New SAN certificate ? > >>> >>>> > >>> >>>> > >>> >>>> You don't need to worry about the port number or application > >>> >>>> name, > >>> >>>> > >>> >>>> only > >>> >>>> > >>> >>>> > >>> >>>> the hostname is a part of the SAN. > >>> >>>> > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech < > >>> >>>> > >>> >>>> lavanyatech...@gmail.com <mailto:lavanyatech...@gmail.com> > >>> >>>> > >>> >>>> > >>> >>>> wrote: > >>> >>>> > >>> >>>> Hi Chris, > >>> >>>> > >>> >>>> > >>> >>>> Thanks I will request new certificate with SANs and I will > try > >> to > >>> >>>> > >>> >>>> fix > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> things from our end. > >>> >>>> > >>> >>>> Best Regards, > >>> >>>> Lavanya > >>> >>>> > >>> >>>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz < > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> On 4/24/24 15:39, lavanya tech wrote: > >>> >>>> > >>> >>>> Local host means the machine i am logged in to > server.lbg.com > >>> <http://server.lbg.com> > >>> >>>> > >>> >>>> You are right, example.lbg.com <http://example.lbg.com> is > >>> CNAME record. > >>> >>>> > >>> >>>> > >>> >>>> Okay, thanks for clearing that up. > >>> >>>> > >>> >>>> I dont have any SAN configured for the certificate. The > >>> >>>> certificate > >>> >>>> > >>> >>>> is > >>> >>>> > >>> >>>> requested for only server.lbg.com <http://server.lbg.com> > >>> >>>> > >>> >>>> > >>> >>>> You will never be able to make a secure request to anything > >> other > >>> >>>> > >>> >>>> than > >>> >>>> > >>> >>>> server.lbg.com <http://server.lbg.com> without seeing an > >>> error. I highly recommend > >>> >>>> adding > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> other hostname as a SAN to your certificate if you really > want > >> to > >>> >>>> support this. > >>> >>>> > >>> >>>> Even if you wanted https://example.lbg.com/whatever > >>> <https://example.lbg.com/whatever> to return an > >>> >>>> > >>> >>>> HTTP > >>> >>>> > >>> >>>> 302 redirect to https://server.lbg.com/whatever > >>> <https://server.lbg.com/whatever>, the user would > >>> >>>> > >>> >>>> see a > >>> >>>> > >>> >>>> certificate hostname mismatch error which is ugly. It's > best to > >>> >>>> > >>> >>>> make > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> it > >>> >>>> > >>> >>>> work without users seeing ugly things. > >>> >>>> > >>> >>>> So if i just request new certificate with SAN it should > work ? > >> If > >>> >>>> > >>> >>>> yes, I > >>> >>>> > >>> >>>> will request for it and follow your steps as below > suggested. > >>> >>>> > >>> >>>> > >>> >>>> Yes, it should. > >>> >>>> > >>> >>>> Should i use CName record or DNS? Does it make difference? > >>> >>>> > >>> >>>> > >>> >>>> CNAME *is* DNS. > >>> >>>> > >>> >>>> Whenever possible, use hostnames and not IP addresses as > SANs. > >>> >>>> It's > >>> >>>> > >>> >>>> more > >>> >>>> > >>> >>>> flexible that way, and users get to see hostnames instead > of IP > >>> >>>> > >>> >>>> addresses. > >>> >>>> > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Wednesday, April 24, 2024, Christopher Schultz < > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> On 4/24/24 07:37, lavanya tech wrote: > >>> >>>> > >>> >>>> Sorry I understood wrongly here with regards to my > environment, > >>> >>>> > >>> >>>> Let me > >>> >>>> > >>> >>>> start from the beginning. I donot want to use redirect at > all. > >> I > >>> >>>> > >>> >>>> simply > >>> >>>> > >>> >>>> wanted to force apache tomcat to use both localhost and dns > >> name > >>> >>>> > >>> >>>> of > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> localhost via url. > >>> >>>> > >>> >>>> > >>> >>>> When you say "force" what do you mean? > >>> >>>> > >>> >>>> When you say "use both localhost and DNS name" what do you > >> mean? > >>> >>>> > >>> >>>> When you say "localhost" do you mean 127.0.0.1 or "the > machine > >>> >>>> I'm > >>> >>>> logged-into right now"? > >>> >>>> > >>> >>>> I have DNS resollution as below. > >>> >>>> > >>> >>>> > >>> >>>> server.lbg.com <http://server.lbg.com> --> localhost > >>> >>>> > >>> >>>> > >>> >>>> Is that a CNAME record? > >>> >>>> > >>> >>>> nslookup server.lbg.com <http://server.lbg.com> (localhost) > >>> >>>> > >>> >>>> Name: server.lbg.com <http://server.lbg.com> > >>> >>>> Address: 192.168.100.20 > >>> >>>> alias: example.lbg.com <http://example.lbg.com> > >>> >>>> > >>> >>>> > >>> >>>> That's a weird DNS response. The DNS name "localhost" should > >>> >>>> > >>> >>>> *always* > >>> >>>> > >>> >>>> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't > return > >>> >>>> 191.168.100.20. > >>> >>>> > >>> >>>> We have working the below urls working: > >>> >>>> > >>> >>>> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> > >>> >>>> https://example.lbg.com:8443/towl > >>> <https://example.lbg.com:8443/towl> --> redirects to > >>> >>>> > >>> >>>> > >>> >>>> What do you mean "redirect"? Does it return a 30x response > that > >>> >>>> > >>> >>>> causes > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> browser to make a new request to \/ > >>> >>>> > >>> >>>> https://server.lbg.com:8443/towl > >>> <https://server.lbg.com:8443/towl> --> still works --> we have > >>> >>>> SSL > >>> >>>> > >>> >>>> configured for the same but this SSL certificate doesnot > have > >>> >>>> > >>> >>>> additional > >>> >>>> > >>> >>>> DNS setup. > >>> >>>> > >>> >>>> > >>> >>>> What SANs are in your certificate? How many certificates do > you > >>> >>>> > >>> >>>> have? > >>> >>>> > >>> >>>> > >>> >>>> But I would need to somehow access https://example.lbg.com > >>> <https://example.lbg.com> --> > >>> >>>> > >>> >>>> which > >>> >>>> > >>> >>>> means > >>> >>>> I would need to access via 443 here ? > >>> >>>> > >>> >>>> > >>> >>>> I'm so confused. What needs to access what? > >>> >>>> > >>> >>>> I tried to adding the below to server.xml as below, but > that > >>> >>>> > >>> >>>> doesnot > >>> >>>> > >>> >>>> seems > >>> >>>> > >>> >>>> to work. > >>> >>>> > >>> >>>> <Connector port="80" > >>> >>>> protocol="org.apache.coyote.http11.Http11NioProtocol" > >>> >>>> connectionTimeout="20000" > >>> >>>> redirectPort="443" /> > >>> >>>> > >>> >>>> > >>> >>>> This will only redirect (HTTP 302) requests to > >>> >>>> > >>> >>>> http://yourhost/anything <http://yourhost/anything> > >>> >>>> > >>> >>>> to https://yourhost/anything <https://yourhost/anything> > *if > >>> the application specifically > >>> >>>> > >>> >>>> requests > >>> >>>> > >>> >>>> CONFIDENTIAL transport*. It doesn't just redirect > everything by > >>> >>>> > >>> >>>> default. If > >>> >>>> > >>> >>>> you want it to redirect everything, you'll need to set that > up > >>> >>>> > >>> >>>> e.g. > >>> >>>> > >>> >>>> using > >>> >>>> > >>> >>>> RewriteValve. There are other options, too. > >>> >>>> > >>> >>>> Do i need additional SSL certificate for the > >>> >>>> > >>> >>>> https://example.lbg.com <https://example.lbg.com> > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> make it work ? > >>> >>>> > >>> >>>> > >>> >>>> If you don't want your browser to complain, you will need at > >>> >>>> least > >>> >>>> > >>> >>>> one > >>> >>>> > >>> >>>> TLS > >>> >>>> > >>> >>>> certificate that contains every Subject Alternative Name > (SAN) > >>> >>>> for > >>> >>>> > >>> >>>> every > >>> >>>> > >>> >>>> possible hostname you expect to use with this service. You > ca > >> do > >>> >>>> > >>> >>>> it > >>> >>>> > >>> >>>> with > >>> >>>> > >>> >>>> multiple certificates as well, but a single cert with > multiple > >>> >>>> > >>> >>>> SANs > >>> >>>> > >>> >>>> is > >>> >>>> > >>> >>>> less > >>> >>>> > >>> >>>> work. > >>> >>>> > >>> >>>> Do i need to set up an additional web server for this like > >> apache > >>> >>>> > >>> >>>> or > >>> >>>> > >>> >>>> nginx > >>> >>>> > >>> >>>> for redirecting requests? > >>> >>>> > >>> >>>> > >>> >>>> No. > >>> >>>> > >>> >>>> Please stop saying "redirect" because it sounds like you > almost > >>> >>>> > >>> >>>> never > >>> >>>> > >>> >>>> mean > >>> >>>> > >>> >>>> "HTTP 30x redirect" and that's confusing everything. > >>> >>>> > >>> >>>> I *think* you only need the following: > >>> >>>> > >>> >>>> 1. A TLS certificate with the following SANs: > >>> >>>> > >>> >>>> * server.lbg.com <http://server.lbg.com> > >>> >>>> * example.lbg.com <http://example.lbg.com> > >>> >>>> * localhost (you shouldn't do this) > >>> >>>> > >>> >>>> 2. DNS configured for all hostnames: > >>> >>>> > >>> >>>> * server.lbg.com <http://server.lbg.com> -> A > >>> 192.168.100.20 > >>> >>>> * example.lgb.com <http://example.lgb.com> -> > A > >>> 192.168.100.20 > >>> >>>> > >>> >>>> 3. Tomcat configured with a single <Host> which is the > default > >>> >>>> > >>> >>>> virtual > >>> >>>> > >>> >>>> host. Note that this is the *default Tomcat configuration* > and > >>> >>>> > >>> >>>> doesn't > >>> >>>> > >>> >>>> need > >>> >>>> > >>> >>>> to be changed from the default. > >>> >>>> > >>> >>>> 4. Tomcat configured with your certificate like this: > >>> >>>> > >>> >>>> <Connector ... > >>> >>>> SSLEnabled="true"> > >>> >>>> <SSLHostConfig> > >>> >>>> <Certificate > >>> >>>> > certificateFile="/path/to/your/cert.crt" > >>> >>>> > >>> certificateKeyFile="/path/to/your/key.pem" /> > >>> >>>> <!-- You may need certificateKeyPassword > in > >>> >>>> > >>> >>>> <Certificate> > >>> >>>> > >>> >>>> --> > >>> >>>> > >>> >>>> </SSLHostConfig> > >>> >>>> </Connector> > >>> >>>> > >>> >>>> If your SANs are configured properly, this should allow you > to > >>> >>>> > >>> >>>> connect > >>> >>>> > >>> >>>> using any of these URLs: > >>> >>>> > >>> >>>> $ curl https://server.lbg.com/towl/login.jsp > >>> <https://server.lbg.com/towl/login.jsp> > >>> >>>> > >>> >>>> (returns login page) > >>> >>>> > >>> >>>> $ curl https://example.lbg.com/towl/login.jsp > >>> <https://example.lbg.com/towl/login.jsp> > >>> >>>> > >>> >>>> (returns login page) > >>> >>>> > >>> >>>> If your application's web.xml contains something like this: > >>> >>>> > >>> >>>> <security-constraint> > >>> >>>> <web-resource-collection> > >>> >>>> > <web-resource-name>theapp</web-resource-name> > >>> >>>> <url-pattern>/*</url-pattern> > >>> >>>> </web-resource-collection> > >>> >>>> <user-data-constraint> > >>> >>>> > >>> >>>> <transport-guarantee>CONFIDENTIAL</transport-guarantee> > >>> >>>> > >>> >>>> > >>> >>>> </user-data-constraint> > >>> >>>> > >>> >>>> </security-constraint> > >>> >>>> > >>> >>>> ... then these URLs insecure HTTP URLs should redirect your > >>> >>>> > >>> >>>> clients: > >>> >>>> > >>> >>>> > >>> >>>> $ curl http://server.lbg.com/towl/login.jsp > >>> <http://server.lbg.com/towl/login.jsp> > >>> >>>> > >>> >>>> (returns HTTP 302 redirect to > >>> >>>> > >>> >>>> https://server.lbg.com/towl/login.jsp > >>> <https://server.lbg.com/towl/login.jsp> > >>> >>>> > >>> >>>> ) > >>> >>>> > >>> >>>> > >>> >>>> $ curl https://server.lbg.com/towl/login.jsp > >>> <https://server.lbg.com/towl/login.jsp> > >>> >>>> > >>> >>>> (returns HTTP 302 redirect to > >>> >>>> > >>> >>>> https://example.lbg.com/towl/login.jsp > >>> <https://example.lbg.com/towl/login.jsp>) > >>> >>>> > >>> >>>> > >>> >>>> I don't think you need any use of the RewriteValve unless > you > >>> >>>> want > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> handle sending HTTP 302 redirect responses to insecure > requests > >>> >>>> > >>> >>>> without > >>> >>>> > >>> >>>> specifying the CONFIDENTIAL transport-guarantee in your > >>> >>>> > >>> >>>> application's > >>> >>>> > >>> >>>> web.xml file. But I don't see any reason NOT to have that in > >>> >>>> > >>> >>>> there. > >>> >>>> > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz < > >>> >>>> > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Lavanya, > >>> >>>> > >>> >>>> > >>> >>>> On 4/22/24 05:21, lavanya tech wrote: > >>> >>>> > >>> >>>> Could you please explain, what you exactly mean ? So here > >>> >>>> > >>> >>>> redirect > >>> >>>> > >>> >>>> is > >>> >>>> > >>> >>>> > >>> >>>> not a > >>> >>>> > >>> >>>> solution right ? > >>> >>>> > >>> >>>> > >>> >>>> Redirecting is fine. > >>> >>>> > >>> >>>> Perhaps you should take a step back and decide: what do you > >>> >>>> > >>> >>>> actually > >>> >>>> > >>> >>>> want, here? You might be trying to solve problem X by > applying > >>> >>>> > >>> >>>> solution > >>> >>>> > >>> >>>> Y, and you've already decided that solution Y is correct so > you > >>> >>>> > >>> >>>> are > >>> >>>> > >>> >>>> trying to get help with that. > >>> >>>> > >>> >>>> Perhaps ask for help with Problem X? > >>> >>>> > >>> >>>> For example, "I don't want users to have to type the name > of my > >>> >>>> application to reach it so I want example.com/ > >>> <http://example.com/> to go to my > >>> >>>> > >>> >>>> application > >>> >>>> > >>> >>>> instead of example.com/myapp/ <http://example.com/myapp/>". > >>> >>>> > >>> >>>> Or, "I have multiple domains and I want all of them to > redirect > >>> >>>> > >>> >>>> to > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> canonical domain example.com <http://example.com> and to > go to > >>> me web application > >>> >>>> > >>> >>>> /myapp > >>> >>>> > >>> >>>> so > >>> >>>> > >>> >>>> everything goes to example.com/myapp/ > >>> <http://example.com/myapp/>". > >>> >>>> > >>> >>>> "You'd have to use a glob/regex if > >>> >>>> > >>> >>>> you wanted to check for [anything and maybe nothing.] > >>> >>>> > >>> >>>> example.com <http://example.com> > >>> >>>> > >>> >>>> ." > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>>> There is nothing in your configuration or question that > >> suggests > >>> >>>> > >>> >>>> that > >>> >>>> > >>> >>>> the hostname in the request is relevant, but you are making > it > >> a > >>> >>>> *requirement* that the request contains a specific Host > header. > >>> >>>> > >>> >>>> IF > >>> >>>> > >>> >>>> you > >>> >>>> > >>> >>>> don't actually need that, why do you have it? > >>> >>>> > >>> >>>> -chris > >>> >>>> > >>> >>>> On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz < > >>> >>>> > >>> >>>> ch...@christopherschultz.net > >>> <mailto:ch...@christopherschultz.net>> wrote: > >>> >>>> > >>> >>>> Ammu, > >>> >>>> > >>> >>>> > >>> >>>> On 4/19/24 08:32, lavanya tech wrote: > >>> >>>> > >>> >>>> Thank you very much. I removed <Host> for example.com > >>> <http://example.com> as > >>> >>>> > >>> >>>> well > >>> >>>> > >>> >>>> as > >>> >>>> > >>> >>>> > >>> >>>> adding > >>> >>>> > >>> >>>> > >>> >>>> an > >>> >>>> > >>> >>>> > >>> >>>> <Alias> in server.xml > >>> >>>> I copied context.xml file > >>> >>>> > >>> >>>> > >> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml > >>> >>>> > >>> >>>> Removed < in rewrite.config files. > >>> >>>> > >>> >>>> But still I dont redirect the URL. > >>> >>>> > >>> >>>> > >>> >>>> If you have <Context> in server.xml and also your > application > >>> >>>> > >>> >>>> in > >>> >>>> > >>> >>>> the > >>> >>>> > >>> >>>> webapps/ directory, then you will be double-deploying your > >>> >>>> > >>> >>>> application. > >>> >>>> > >>> >>>> > >>> >>>> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be > >>> >>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals > are > >>> >>>> important) > >>> >>>> and remove the <Context> element from your server.xml. > >>> >>>> > >>> >>>> Then start your server and read the logs. > >>> >>>> > >>> >>>> *nslookup alias.example.com <http://alias.example.com> > >>> <http://alias.example.com <http://alias.example.com>> > >>> >>>> > >>> >>>> gives-->Non-authoritative answer:Name: www.example.com > >>> <http://www.example.com> > >>> >>>> <http://www.example.com <http://www.example.com>>Address: > >>> 192.168.200.10Aliases: > >>> >>>> > >>> >>>> alias.example.com <http://alias.example.com> > >>> >>>> > >>> >>>> <http://alias.example.com <http://alias.example.com>>* > >>> >>>> > >>> >>>> > >>> >>>> Just to give some information here, *www.example.com > >>> <http://www.example.com> > >>> >>>> <http://www.example.com <http://www.example.com>>* has > alias* > >>> "alias.example.com <http://alias.example.com> > >>> >>>> <http://alias.example.com <http://alias.example.com>>"* > >>> >>>> But https://www.example.com:7777/example > >>> <https://www.example.com:7777/example> --> works fine with > >>> >>>> > >>> >>>> out > >>> >>>> > >>> >>>> > >>> >>>> issues > >>> >>>> > >>> >>>> > >>> >>>> but > >>> >>>> > >>> >>>> > >>> >>>> the alias doesnot works (https://alias.example.com > >>> <https://alias.example.com>) > >>> >>>> So i am not sure if the redirect url helps or if its correct > >>> >>>> > >>> >>>> > >>> >>>> Your rewrite configuration says that you have to be using > host > >>> >>>> "example.com <http://example.com>" but your request goes to > >>> www.example.com <http://www.example.com>. Your > >>> >>>> configuration should only redirect a request such as: > >>> >>>> > >>> >>>> $ curl -v http://example.com:7777/something > >>> <http://example.com:7777/something> > >>> >>>> > >>> >>>> HTTP/1.1 301 Moved Permanently > >>> >>>> ... > >>> >>>> Location: https://www.example.com:7777/example > >>> <https://www.example.com:7777/example> > >>> >>>> > >>> >>>> If you > >>> >>>> > >>> >>>> > >>> >>>> > >>> >>> > >>> >> > >>> > --------------------------------------------------------------------- > >>> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>> <mailto:users-unsubscr...@tomcat.apache.org> > >>> >> For additional commands, e-mail: users-h...@tomcat.apache.org > >>> <mailto:users-h...@tomcat.apache.org> > >>> >> > >>> >> > >>> > > >>> > >>> > >>> > --------------------------------------------------------------------- > >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >>> <mailto:users-unsubscr...@tomcat.apache.org> > >>> For additional commands, e-mail: users-h...@tomcat.apache.org > >>> <mailto:users-h...@tomcat.apache.org> > >>> > >> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
