Re: HTTPS / URLs with no port number / Tomcat only
On 10/28/2014 5:59 PM, Christopher Schultz wrote:
> Terence,
>
> On 10/28/14 5:49 PM, Terence M. Bandoian wrote:
>> On 10/28/2014 8:55 AM, Léa Massiot wrote:
>>> Christopher Schultz-2 wrote
>>>> A bit of warning: when modifying iptables, you need to be very
>>>> careful that you don't wipe out any rules that allow you to gain
>>>> remote access to the server. For instance, if you have a default
>>>> rule to DROP all packets and an exception that allows port 22
>>>> (ssh) traffic, then flushing all the rules in a table can make it
>>>> impossible for you to revert the change without remote-rebooting
>>>> (or, worse yet, paying someone to walk into the cage and push the
>>>> reset button).
>>>
>>> Yes right, fortunately I wasn't working on a remote machine.
>>>
>>> On Debian Wheezy, the following set of commands actually disables
>>> the firewall:
>>> ---
>>> iptables -F
>>> iptables -X
>>> iptables -t nat -F
>>> iptables -t nat -X
>>> iptables -t mangle -F
>>> iptables -t mangle -X
>>> iptables -P INPUT ACCEPT
>>> iptables -P OUTPUT ACCEPT
>>> iptables -P FORWARD ACCEPT
>>> ---
>>>
>>> Best regards.
>>
>> Hi, Léa-
>>
>> Ideally, I think you'd want to permanently modify the iptables rules
>> to enable traffic over the desired port. Doing so would keep the
>> existing safety measures in place and all of the rules would survive
>> a reboot. However, if you just want to temporarily disable iptables,
>> I believe
>>
>>   service iptables stop
>>
>> would do so.
>
> Debian Wheezy doesn't use "service"; instead it still uses
> /etc/init.d. Oddly enough, there is no /etc/init.d/iptables script
> for Debian[1]. We deploy on Debian in most environments and have
> simply rolled our own iptables script that runs on boot.

Nasty. I like the service interface available on Red Hat and CentOS.
On Debian/Ubuntu, it looks like the ufw package might be helpful.

-Terence

>> Permanently disabling iptables would require a little more work as,
>> in my experience, it is typically configured to start when the
>> system is booted.
>
> Yes, and it's not really a good idea for production: you want your
> firewall configured properly instead of in "by any means necessary"
> mode. Configuring a server in anger usually ends up with an insecure
> configuration.
>
> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTPS / URLs with no port number / Tomcat only
Terence,

On 10/28/14 5:49 PM, Terence M. Bandoian wrote:
> On 10/28/2014 8:55 AM, Léa Massiot wrote:
>> Christopher Schultz-2 wrote
>>> A bit of warning: when modifying iptables, you need to be very
>>> careful that you don't wipe out any rules that allow you to
>>> gain remote access to the server. For instance, if you have a
>>> default rule to DROP all packets and an exception that allows
>>> port 22 (ssh) traffic, then flushing all the rules in a table
>>> can make it impossible for you to revert the change without
>>> remote-rebooting (or, worse yet, paying someone to walk into
>>> the cage and push the reset button).
>>
>> Yes right, fortunately I wasn't working on a remote machine.
>>
>> On Debian Wheezy, the following set of commands actually disables
>> the firewall:
>> ---
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>> iptables -P INPUT ACCEPT
>> iptables -P OUTPUT ACCEPT
>> iptables -P FORWARD ACCEPT
>> ---
>>
>> Best regards.
>
> Hi, Léa-
>
> Ideally, I think you'd want to permanently modify the iptables
> rules to enable traffic over the desired port. Doing so would keep
> the existing safety measures in place and all of the rules would
> survive a reboot. However, if you just want to temporarily disable
> iptables, I believe
>
>   service iptables stop
>
> would do so.

Debian Wheezy doesn't use "service"; instead it still uses /etc/init.d.
Oddly enough, there is no /etc/init.d/iptables script for Debian[1]. We
deploy on Debian in most environments and have simply rolled our own
iptables script that runs on boot.

> Permanently disabling iptables would require a little more work as,
> in my experience, it is typically configured to start when the
> system is booted.

Yes, and it's not really a good idea for production: you want your
firewall configured properly instead of in "by any means necessary"
mode. Configuring a server in anger usually ends up with an insecure
configuration.

-chris
Re: HTTPS / URLs with no port number / Tomcat only
On 10/28/2014 8:55 AM, Léa Massiot wrote:
> Christopher Schultz-2 wrote
>> A bit of warning: when modifying iptables, you need to be very
>> careful that you don't wipe out any rules that allow you to gain
>> remote access to the server. For instance, if you have a default
>> rule to DROP all packets and an exception that allows port 22
>> (ssh) traffic, then flushing all the rules in a table can make it
>> impossible for you to revert the change without remote-rebooting
>> (or, worse yet, paying someone to walk into the cage and push the
>> reset button).
>
> Yes right, fortunately I wasn't working on a remote machine.
>
> On Debian Wheezy, the following set of commands actually disables
> the firewall:
> ---
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> ---
>
> Best regards.

Hi, Léa-

Ideally, I think you'd want to permanently modify the iptables rules to
enable traffic over the desired port. Doing so would keep the existing
safety measures in place and all of the rules would survive a reboot.
However, if you just want to temporarily disable iptables, I believe

  service iptables stop

would do so.

Permanently disabling iptables would require a little more work as, in
my experience, it is typically configured to start when the system is
booted.

-Terence Bandoian

--
View this message in context: http://tomcat.10.x6.nabble.com/HTTPS-URLs-with-no-port-number-Tomcat-only-tp5024482p5024571.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: HTTPS / URLs with no port number / Tomcat only
Léa,

On 10/28/14 9:55 AM, Léa Massiot wrote:
> Christopher Schultz-2 wrote
>> A bit of warning: when modifying iptables, you need to be very
>> careful that you don't wipe out any rules that allow you to gain
>> remote access to the server. For instance, if you have a default
>> rule to DROP all packets and an exception that allows port 22
>> (ssh) traffic, then flushing all the rules in a table can make it
>> impossible for you to revert the change without remote-rebooting
>> (or, worse yet, paying someone to walk into the cage and push the
>> reset button).
>
> Yes right, fortunately I wasn't working on a remote machine.
>
> On Debian Wheezy, the following set of commands actually disables
> the firewall:
> ---
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> ---

You don't need that much complexity. Usually, OUTPUT is left mostly
unconstrained so you only need to adjust INPUT. You should set up an
exception to INPUT instead of actually flushing the whole table.

-chris
Re: HTTPS / URLs with no port number / Tomcat only
Christopher Schultz-2 wrote
> A bit of warning: when modifying iptables, you need to be very careful
> that you don't wipe out any rules that allow you to gain remote access
> to the server. For instance, if you have a default rule to DROP all
> packets and an exception that allows port 22 (ssh) traffic, then
> flushing all the rules in a table can make it impossible for you to
> revert the change without remote-rebooting (or, worse yet, paying
> someone to walk into the cage and push the reset button).

Yes right, fortunately I wasn't working on a remote machine.

On Debian Wheezy, the following set of commands actually disables the
firewall:
---
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
---

Best regards.

--
View this message in context: http://tomcat.10.x6.nabble.com/HTTPS-URLs-with-no-port-number-Tomcat-only-tp5024482p5024571.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: HTTPS / URLs with no port number / Tomcat only
Léa,

On 10/27/14 3:19 PM, Léa Massiot wrote:
> Thank you for your answer.
>
> It was the firewall. I thought about it and I thought I was
> disabling it temporarily by flushing iptables (iptables -F). But
> apparently it's not enough... Do you know the command for disabling
> the firewall completely (and temporarily) without having to
> reboot?

iptables modifications never require a reboot. Read the man page for
iptables, which is quite complete.

A bit of warning: when modifying iptables, you need to be very careful
that you don't wipe out any rules that allow you to gain remote access
to the server. For instance, if you have a default rule to DROP all
packets and an exception that allows port 22 (ssh) traffic, then
flushing all the rules in a table can make it impossible for you to
revert the change without remote-rebooting (or, worse yet, paying
someone to walk into the cage and push the reset button).

> I just added an exception for port 443. It looks like it's working
> now.

Remember to add that to your permanent configuration to be reloaded
after reboot.

-chris
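Three points from this thread belong in one script: Chris's warning that a flush under a DROP policy locks you out, his preference for a single INPUT exception over flushing everything, and the fact that Debian Wheezy ships no /etc/init.d/iptables, so a boot-time script has to be written by hand. The following is an added example of such a script; it is not code from the thread, from the Tomcat project or from Debian. The ports (22 and 443) follow the thread; the variable names, the `allow_tcp_port`/`apply_ruleset` functions and the `DRY_RUN` switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: a minimal boot-time
# iptables script of the kind Chris describes rolling by hand, written so that
# applying it over SSH cannot lock you out. Rule order is the whole point:
# the management exception is in place before the INPUT policy becomes DROP,
# and the chain is never left flushed while the policy is still DROP.
#
# DRY_RUN=1 (the default here) prints the commands instead of executing them,
# so the script can be reviewed on any machine; run as root with DRY_RUN=0 to
# apply. SSH_PORT and HTTPS_PORT are assumptions matching the thread (22, 443).
DRY_RUN=${DRY_RUN:-1}
SSH_PORT=${SSH_PORT:-22}
HTTPS_PORT=${HTTPS_PORT:-443}

# Wrapper: print or execute an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The "add an exception" alternative to flushing: one rule in INPUT for one
# TCP port, nothing else touched. Usable on its own for Léa's port 443.
allow_tcp_port() {
    ipt -A INPUT -p tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

# Rebuild INPUT from scratch in a lockout-safe order.
apply_ruleset() {
    # 1. Policy to ACCEPT *before* the flush, so the flush itself cannot cut
    #    the SSH session running this script.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 2. Loopback, and replies to connections that already exist (including
    #    the current SSH session).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 3. Management access first, then the service port.
    allow_tcp_port "$SSH_PORT"
    allow_tcp_port "$HTTPS_PORT"
    # 4. Only now default-deny. OUTPUT and FORWARD are left alone; as Chris
    #    notes, OUTPUT is usually unconstrained.
    ipt -P INPUT DROP
}

apply_ruleset
```

Run it once with the default `DRY_RUN=1` and read the output before running it as root with `DRY_RUN=0`. To make the result survive a reboot on Debian without an init script, the usual options are to dump it with `iptables-save` and restore it from a hook under /etc/network/if-pre-up.d/, or to install the iptables-persistent package, which does the same thing.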
Re: HTTPS / URLs with no port number / Tomcat only
Thank you for your answer.

It was the firewall. I thought about it and I thought I was disabling it
temporarily by flushing iptables (iptables -F). But apparently it's not
enough... Do you know the command for disabling the firewall completely
(and temporarily) without having to reboot?

I just added an exception for port 443. It looks like it's working now.

Cheers.

--
View this message in context: http://tomcat.10.x6.nabble.com/HTTPS-URLs-with-no-port-number-Tomcat-only-tp5024482p5024506.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: HTTPS / URLs with no port number / Tomcat only
On Mon, Oct 27, 2014 at 10:47 AM, Léa Massiot wrote:
> I tried exactly the same modification in "server.xml" on a Debian Wheezy
> machine and it doesn't work...

Presumably with appropriate changes to the keystore path :-)

> The browser only says that "The webpage is not available".
> I can't see anything in the log files but maybe I should...

You should paste (or gist) the log from a Tomcat start that shows the
connector initialization, at least. Is there any entry in the log for
your attempt to connect?

Do you have iptables set up to allow access to port 443?

> I am using "jsvc" to start Tomcat as a non-root user.
> I couldn't find any information in "RUNNING.txt".

The last part of that file is a section "Apache Commons Daemon" which
references info on setting up jsvc properly.

--
Hassan Schroeder                hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan
Re: HTTPS / URLs with no port number / Tomcat only
Hello and thank you for your answer.

I followed your first advice. I edited "server.xml" ending up with the
following connectors:
---
---

This configuration works on Windows meaning:
http://localhost/my_webapp/a_page.jsp
automatically redirects to:
https://localhost/my_webapp/a_page.jsp
without any port number in the URL.

I tried exactly the same modification in "server.xml" on a Debian Wheezy
machine and it doesn't work...
The browser only says that "The webpage is not available".
I can't see anything in the log files but maybe I should...

I am using "jsvc" to start Tomcat as a non-root user.
I couldn't find any information in "RUNNING.txt".

I'm sorry I'm not more precise... Can you help me?

Best regards.

--
View this message in context: http://tomcat.10.x6.nabble.com/HTTPS-URLs-with-no-port-number-Tomcat-only-tp5024482p5024501.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: HTTPS / URLs with no port number / Tomcat only
On Sun, Oct 26, 2014 at 9:04 AM, Léa Massiot wrote:
> Now, in all possible cases, I would like to have this URL instead:
> https://localhost/my_webapp/a_page.jsp
> (which doesn't work presently).
>
> Can this be achieved with Tomcat ONLY? And how?

Configure your https connector to use port 443 and start with jsvc --
see the "Apache Commons Daemon" section of the RUNNING.txt file in the
distribution. You *could* run as root, but that's definitely NOT
RECOMMENDED :-)

Alternatively, use iptables to route port 443 requests to your current
port 8443 connector.

HTH,
--
Hassan Schroeder                hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan
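Hassan's second suggestion, routing port 443 to the existing 8443 connector with iptables, keeps Tomcat off a privileged port without jsvc. Below is an added example of that redirect; it is not code from the thread or from the Tomcat project. The ports (443 and 8443) are the thread's; the interface name `eth0`, the function name and the `DRY_RUN` switch are assumptions. It also covers a case the thread does not spell out: Léa tests against `https://localhost/`, and a PREROUTING rule alone does nothing for locally generated traffic.

```shell
#!/bin/sh
# Added example, not code from the thread: Hassan's second option, a
# kernel-level redirect so that Tomcat keeps its unprivileged 8443 connector
# while clients use https://host/ with no port. Assumes Tomcat listens on 8443
# (as in Léa's setup), that INPUT is default-deny, and that eth0 is the public
# interface; all three are configurable below. DRY_RUN=1 (default) prints the
# commands, DRY_RUN=0 applies them as root.
DRY_RUN=${DRY_RUN:-1}
PUBLIC_PORT=${PUBLIC_PORT:-443}
TOMCAT_PORT=${TOMCAT_PORT:-8443}
PUBLIC_IF=${PUBLIC_IF:-eth0}

# Wrapper: print or execute an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

redirect_https_to_tomcat() {
    # Traffic arriving from the network: nat/PREROUTING runs before the
    # routing decision, so by the time the packet reaches filter/INPUT its
    # destination port is already 8443.
    ipt -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$TOMCAT_PORT"
    # Locally generated traffic (a browser or curl on the box against
    # https://localhost/) never traverses PREROUTING. Without the same
    # rewrite in nat/OUTPUT the redirect "works from outside but not on
    # localhost".
    ipt -t nat -A OUTPUT -o lo -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$TOMCAT_PORT"
    # Consequence for the filter table: the INPUT exception must be for the
    # rewritten port (8443), not for 443, which INPUT never sees.
    ipt -A INPUT -p tcp --dport "$TOMCAT_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

redirect_https_to_tomcat
```

One Tomcat-side consequence to keep in mind: Tomcat still believes it is listening on 8443, so any absolute URL it builds itself (including the http-to-https redirect Léa observed going to :8443) will carry that port unless the 8443 connector is given `proxyPort="443"` and the HTTP connector `redirectPort="443"`. Those are standard Connector attributes, not something this script sets.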
HTTPS / URLs with no port number / Tomcat only
Hello and thank you for reading my post.

I was willing to run only a Tomcat server and not a Tomcat server + an
Apache HTTP server. Mostly because:
- an article like this one:
  http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7
  says, if I understand properly, that Tomcat is secure enough with what
  it basically implements,
- and because, if possible, I don't want to have to secure an Apache HTTP
  server in addition to the rest of the architecture...
(Actually I already made a solution work with an Apache server but I was
wondering if I could do without it).

So, I am willing to serve HTTPS pages only with Tomcat and with URLs not
including a port number.

I did some config (mostly taken from
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html and
http://java.dzone.com/articles/setting-ssl-tomcat-5-minutes)

I could make this work:
https://localhost:8443/my_webapp/a_page.jsp

And this:
http://localhost/my_webapp/a_page.jsp
automatically redirects to:
https://localhost:8443/my_webapp/a_page.jsp

Now, in all possible cases, I would like to have this URL instead:
https://localhost/my_webapp/a_page.jsp
(which doesn't work presently).

Can this be achieved with Tomcat ONLY? And how?

Best regards.

--
View this message in context: http://tomcat.10.x6.nabble.com/HTTPS-URLs-with-no-port-number-Tomcat-only-tp5024482.html
Sent from the Tomcat - User mailing list archive at Nabble.com.