Comments are embedded below with:

---- Comment ----
some stuff
---- Comment ---- 


----- Original Message -----

> From: Assaf Urieli <assaf.uri...@gmail.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Cc: 
> Sent: Friday, June 15, 2012 3:33 AM
> Subject: Re: IP-based virtual hosting with useIPVHosts=true always goes to default host
> 
> Hi Chris,
> 
>> 
>>  On 6/8/12 11:12 AM, Assaf Urieli wrote:
>>  > Ok, this is strange. I created a test.jsp page that prints
>>  > request.getLocalName(), request.getServerName(), and
>>  > request.getLocalAddr(). I tried various scenarios in the browser:
>>  > http://domain1.com, http://www.domain1.com, http://1.2.3.4,
>>  > http://domain2.com, http://www.domain2.com, http://5.6.7.8, as well
>>  > as all of the above with https.
>> 
>>  What /real/ URLs are you using to hit your server? I don't see a port
>>  number anywhere.
>> 
> 
> Sorry, I was trying to keep it generic up to now to see if I was simply
> doing something stupid, but I'll go ahead and publish my real domains/IPs.
>

---- Comment ---- 
First of all, my environment:

Fedora 15 (have to upgrade soon - EOL is at the end of this month)
JDK/JRE 1.6.0_32
Tomcat 6.0.35
Firewall off for this exercise

As I've written up previously, in order to have multiple IP addresses on a 
single interface with Linux, you need to create a second (third, fourth, etc.) 
file with the name ifcfg-eth0:n, where "n" starts at 0. This is assuming that 
your primary interface is eth0. The files will be found in 
/etc/sysconfig/network-scripts.

You MUST set NM_CONTROLLED=no in each interface file, otherwise the virtual 
interface will not come up.

In your /etc/hosts file, you need to have an entry for each interface. Mine 
looks like:

192.168.0.254 phoenix phoenix.mdeggers.org
192.168.0.253 phobos phobos.mdeggers.org

In order to access this from another machine (Windows 7), I've placed the 
entries in that machine's host file.

---- Comment ----  

> So, my test page code is:
> <p>Java Version:<%= System.getProperty( "java.version" ) %>
> <p>Local name:<%= request.getLocalName() %>
> <p>Server name:<%= request.getServerName() %>
> <p>Local IP:<%= request.getLocalAddr() %>
> 

---- Comment ----  


My code is similar, except I put it in a list. I created a simple web 
application called WhoAmI and dropped the WAR file into my environment. More on 
what my Tomcat configuration looks like below.

On my second host (phobos.mdeggers.org), I also have a small verification 
application running as ROOT. This just lets me know that a Tomcat virtual host 
is set up properly and working.

---- Comment ----  


> So, the addresses to test are:
> http://www.joli-ciel.com/test.jsp
> http://www.moyshele.com/test.jsp
> http://178.79.152.69/test.jsp
> http://176.58.107.88/test.jsp
> 
> And exactly the same four, but with HTTPS:
> https://www.joli-ciel.com/test.jsp
> https://www.moyshele.com/test.jsp
> https://178.79.152.69/test.jsp
> https://176.58.107.88/test.jsp
> 
> Now, every single one of these gives the exact same values for
> request.getLocalName() and request.getLocalAddr().
> request.getLocalName(): www.joli-ciel.com
> request.getLocalAddr(): 178.79.152.69
> And this is why, even when useIPVHosts=true, I always get the HTTPS
> Connector corresponding to 178.79.152.69, which gives the wrong SSL
> certificate for https://www.moyshele.com

---- Comment ----  

When I run the tests from a remote host using HTTP (didn't set up HTTPS), I get 
the expected results. 

Going to phoenix.mdeggers.org:8080/WhoAmI/ produces the following:

Java version: 1.6.0_32
Local name: phoenix.mdeggers.org
Local IP: 192.168.0.254
Server name: phoenix.mdeggers.org

Going to phobos.mdeggers.org:8080/WhoAmI/ produces the following:

Java version: 1.6.0_32
Local name: phobos.mdeggers.org
Local IP: 192.168.0.253
Server name: phobos.mdeggers.org

---- Comment ----   


> 

> For info, my /etc/network/interfaces file:
> ************************************************
> auto lo
> iface lo inet loopback
> 
> auto eth0 eth0:0
> 
> iface eth0 inet static
> address 178.79.152.69
> netmask 255.255.255.0
> gateway 178.79.152.1
>         pre-up iptables-restore < /etc/iptables.conf
> 
> iface eth0:0 inet static
> address 176.58.107.88
> netmask 255.255.255.0
>         pre-up iptables-restore < /etc/iptables.conf
> ************************************************
> 

---- Comment ----   

And here's your first problem. You need to specifically state NM_CONTROLLED=no.

Also, you need to add ONPARENT=yes to the eth0:0 interface file.

I've included copies of the interface files in a previous message.

---- Comment ----


> Note (in case it's relevant) that /etc/iptables.conf is mapping port 8080
> to port 80 and port 8443 to port 443  - relevant portions below:
> ************************************************
> *nat
> :PREROUTING ACCEPT [11:3512]
> :POSTROUTING ACCEPT [13:844]
> :OUTPUT ACCEPT [13:844]
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> ************************************************
> 
> My /etc/hosts file:
> ************************************************
> 127.0.0.1        localhost.localdomain  localhost
> 178.79.152.69    www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com www.aplikaterm.com joli-ciel.com  bilbo
> 176.58.107.88    www.moyshele.com www.flyingpencil.com moyshele.com flyingpencil.com moyshele
> 
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> ************************************************
> 
> The relevant portions of my server.xml file:
> ************************************************
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                URIEncoding="UTF-8"
>                redirectPort="8443" />
> 

---- Comment ----   

So you're listening everywhere on port 8080? I'm not sure how this will work. I 
suspect that you have a default interface and everything will come through 
that. Given that you're having problems, could you add two HTTP connectors, one 
listening on each interface? For example, my portion of the server.xml file 
looks like this:

<Connector port="8080" protocol="HTTP/1.1"
           address="192.168.0.254"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" /> 

<Connector port="8080" protocol="HTTP/1.1"
           address="192.168.0.253"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" /> 

---- Comment ----

>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                address="178.79.152.69"
>                keystoreFile="/home/tomcat6/.keystore1" keystorePass="********"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
> 
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                address="176.58.107.88"
>                keystoreFile="/home/tomcat6/.keystore2" keystorePass="********"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
> 
>     <Engine name="Catalina" defaultHost="localhost">
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>             <Alias>178.79.152.69</Alias>
>             <Alias>aplikaterm.com</Alias>
>             <Alias>www.aplikaterm.com</Alias>
>             <Alias>joli-ciel.com</Alias>
>             <Alias>www.joli-ciel.com</Alias>
> 
>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>                directory="/home/tomcat6/logs/joliciel"
>                prefix="joliciel_access_log." suffix=".log"
>                pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>       </Host>
>         <Host name="moyshele.com"  appBase="/usr/share/moyshele"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>             <Alias>176.58.107.88</Alias>
>             <Alias>moyshele.com</Alias>
>             <Alias>www.moyshele.com</Alias>
>             <Context path="" docBase="."/>
>             <Valve className="org.apache.catalina.valves.AccessLogValve"
>                directory="/home/tomcat6/logs/moyshele"
>                prefix="moyshele_access_log." suffix=".log"
>                pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>         </Host>
>     </Engine>
>   </Service>
> ************************************************

---- Comment ----


My Host elements are a bit cleaner. I suggest that you make yours a bit cleaner 
until you get things worked out. Here are mine:

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>phoenix.mdeggers.org</Alias>
            <Alias>192.168.0.254</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"
                   prefix="phoenix_access."
                   suffix=".log"
                   pattern="common"
                   resolveHosts="false"/>
      </Host>

      <!-- not a good place for a virtual host webapps directory -->
      <Host name="phobos" appBase="phobos/webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>phobos.mdeggers.org</Alias>
            <Alias>192.168.0.253</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"  
                   prefix="phobos_access."
                   suffix=".log"
                   pattern="common"
                   resolveHosts="false"/>
      </Host>

---- Comment ---- 

> 
> By the way, if I run netstat (with or without useIPVHosts=true), I get:
> ************************************************
> sudo netstat -ntlp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1967/sshd
> tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2082/postgres
> tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      16815/java
> tcp6       0      0 :::8080                 :::*                    LISTEN      16815/java
> tcp6       0      0 :::22                   :::*                    LISTEN      1967/sshd
> tcp6       0      0 176.58.107.88:8443      :::*                    LISTEN      16815/java
> tcp6       0      0 178.79.152.69:8443      :::*                    LISTEN      16815/java
> ************************************************
> 

---- Comment ---- 


My netstat, grepping for 8080:

netstat -an | grep 8080
tcp    0      0 192.168.0.253:8080      0.0.0.0:*           LISTEN
tcp    0      0 192.168.0.254:8080      0.0.0.0:*           LISTEN

In short, this works as expected. I suspect that SSL would work the same way.

I didn't set up SSL, since I normally terminate SSL on a front end Apache HTTPD 
server. I have multiple named virtual hosts (with a SAN certificate) as well as 
some IP virtual hosts with virtual interfaces and separate certificates. From a 
configuration standpoint, it's a bit ugly (although includes and directories 
help with the organization). From an operational standpoint, it all works as 
expected.

---- Comment ----  


. . . . just my two cents.
/mde/
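
An added example, not part of the original message and not Tomcat's own code: a small Python audit of a server.xml for the binding question discussed above, listing Connectors that have no address attribute (and so listen on every interface) and IP-literal Host aliases that no Connector is bound to. The sample XML is constructed with documentation-range addresses and placeholder keystore paths, and the names audit_connectors and is_ip are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configurations quoted in this thread
# (documentation-range addresses, placeholder keystore paths).
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" SSLEnabled="true" address="192.0.2.10"
             keystoreFile="/path/to/keystore1"/>
  <Connector port="8443" SSLEnabled="true" address="192.0.2.20"
             keystoreFile="/path/to/keystore2"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost"><Alias>192.0.2.10</Alias></Host>
    <Host name="site2"><Alias>192.0.2.20</Alias><Alias>192.0.2.30</Alias></Host>
  </Engine>
</Service></Server>
"""

def is_ip(text):
    """True if text is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def audit_connectors(server_xml):
    """Summarise how Connectors are bound relative to IP-literal Host aliases."""
    root = ET.fromstring(server_xml)
    wildcard_ports, bound = [], {}
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if addr is None:
            # No address attribute: the Connector listens on all interfaces.
            wildcard_ports.append(conn.get("port"))
        else:
            bound.setdefault(addr, []).append(conn.get("port"))
    unbound = {}
    for host in root.iter("Host"):
        for alias in host.iter("Alias"):
            ip = (alias.text or "").strip()
            if is_ip(ip) and ip not in bound:
                unbound.setdefault(host.get("name"), []).append(ip)
    return {"wildcard_ports": wildcard_ports, "bound": bound,
            "aliases_without_bound_connector": unbound}

if __name__ == "__main__":
    for key, value in audit_connectors(SAMPLE_SERVER_XML).items():
        print(key, value)
```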
