Re: Let's Encrypt with Tomcat?
Chris & James,

Sorry for top-posting.

Is Tomcat really the SSL endpoint that takes the cert? Then it wouldn't matter if there is a load balancer or the like. Maybe it's just authbind or iptables NATting? That would be a common way to have a non-root service listen externally on 443.

If not, and there is a proxy like apache or nginx, the way to handle certbot would be completely different, right? Like James said before, he uses the cert also on apache! But how do you separate 443 for the services you have on apache and tomcat?

However, we still need the port 80 endpoint to deploy the acme-challenge to! No way around that without DNS-01 or TLS-ALPN-01, which only complicate the process!

If httpd is serving your hostname on port 80 and you are able to write to the httpd webroot, point certbot's --webroot to that directory. If httpd is not on port 80, you could do the same that you did for 443 forwarding to redirect 80 to tomcat port 8080.

IIKS, hope I was not too confusing???

Peter

Peter Kreuser

> On 30.12.2019 at 20:01, Christopher Schultz wrote:
>
> James,
>
> On 12/27/19 17:07, James H. H. Lampert wrote:
>>>> As it happens, one way or another (and I'm not entirely sure *which* way; I'd have to look at my notes), we *do* have Tomcat listening directly on 443 (but not 80; nothing there is currently listening on 80) on that particular EC2 instance (and I'm pretty sure we have HTTPD running on a *different* port, for the SVN and Trac sharing the box).
>>
>> Hmm. It seems I was mistaken about two things: (1) that the Tomcat server under discussion is listening *directly* on 443, and (2) that I could find my notes on how I set the box up.
>>
>> What I can find is the server.xml file, and the active connector definition:
>>
>> <Connector port="8443" proxyPort="443" protocol="org.apache.coyote.http11.Http11NioProtocol" . . . clientAuth="false" sslProtocol="TLS" />
>>
>> The thing that catches my eye is port="8443" proxyPort="443"
>>
>> I hope that indicates how it is I'm getting this to look like port 443 to the outside world, because I honestly can't remember what I did (even though it looks like it's only been six months since I did it).
>
> This means that you are listening on port 443, but when Tomcat builds URLs for redirection, etc. the port 443 will be used (and, actually, as likely secure="true", then the port will be omitted because the default port for https is 443 of course).
>
> There is no proxying going on in Tomcat; this configuration is named for the use-case: you must have a reverse-proxy somewhere which is terminating TLS (and likely re-establishing a separate secure link with Tomcat, since sslProtocol="TLS" in your config). It's probably a load-balancer which is essentially synonymous with a reverse-proxy in this context. It's possible to have one without the other, but they are often performing both functions.
>
> netstat on *NIX should give you the IP(s) of the clients, so you can probably pretty easily see the IP address of the reverse proxy.
>
> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Let's Encrypt with Tomcat?
James,

> On 28.12.2019 at 00:33, James H. H. Lampert wrote:
>
>> Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt" and ".key" files directly, instead of the Java Keystore file?

Correct!

> If so, then that could potentially simplify things: if I have HTTPD listen on 80, and Tomcat sharing the same actual certificate and private key *files* that HTTPD uses, then the only other thing I have to automate would be a cron job to either restart Tomcat, or just do a programmatic "re-read TLS configuration," whenever the regular Let's Encrypt job for HTTPD completes.
>
> Does any of this make any sense at all, or am I sucking antimatter?
>
> --
> James H. H. Lampert
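The automation James describes above (httpd owns the Let's Encrypt renewal, Tomcat reads the same PEM files, something re-reads them afterwards) and Peter's earlier pointer at certbot's --webroot both come down to a certbot deploy hook. The script below is an added example for this thread, not code from either poster or from the Tomcat project. It assumes certbot's real RENEWED_LINEAGE variable, and the hypothetical TOMCAT_TLS_DIR / TOMCAT_GROUP variables, systemd unit name and file layout named in its docstring; the placeholder files written by dry_run() are constructed and are not real PEM data.

```python
#!/usr/bin/env python3
"""certbot deploy hook that hands freshly renewed PEM files to Tomcat.

Added example, not from the thread.  Assumptions (hypothetical names):
  RENEWED_LINEAGE  exported by certbot to deploy hooks,
                   e.g. /etc/letsencrypt/live/www.example.com
  TOMCAT_TLS_DIR   the directory a Tomcat 8.5 connector points at, e.g.
      <SSLHostConfig>
        <Certificate certificateFile="/etc/tomcat/tls/fullchain.pem"
                     certificateKeyFile="/etc/tomcat/tls/privkey.pem" />
      </SSLHostConfig>
  TOMCAT_GROUP     group Tomcat runs as (optional); privkey.pem becomes 0640 root:group
Install as:  certbot renew --deploy-hook /usr/local/sbin/tomcat-deploy-hook.py
"""
import grp
import os
import ssl
import subprocess
import tempfile

CERT_FILES = {
    "fullchain.pem": 0o644,  # server cert + intermediates: public data
    "chain.pem": 0o644,      # intermediates only (certificateChainFile, if used)
    "privkey.pem": 0o640,    # private key: never world-readable
}


def verify_pair(cert_path, key_path):
    """Refuse to deploy a certificate whose private key does not match it.

    SSLContext.load_cert_chain runs OpenSSL's private-key check, so a
    mismatched pair raises ssl.SSLError here instead of breaking Tomcat.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_path, key_path)


def install_file(src, dst_dir, name, mode, gid=None):
    """Copy src to dst_dir/name: temp file, fix mode/group, then rename.

    os.replace is atomic, so Tomcat can never read a half-written key or cert.
    """
    fd, tmp = tempfile.mkstemp(dir=dst_dir, prefix="." + name + ".")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            out.write(inp.read())
        os.chmod(tmp, mode)
        if gid is not None:
            os.chown(tmp, -1, gid)
        final = os.path.join(dst_dir, name)
        os.replace(tmp, final)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def deploy(lineage, dst_dir, gid=None, verify=True):
    """Install every PEM file from the certbot lineage; returns {name: mode}."""
    if verify:
        verify_pair(os.path.join(lineage, "fullchain.pem"),
                    os.path.join(lineage, "privkey.pem"))
    os.makedirs(dst_dir, mode=0o750, exist_ok=True)
    installed = {}
    for name, mode in CERT_FILES.items():
        path = install_file(os.path.join(lineage, name), dst_dir, name, mode, gid)
        installed[name] = os.stat(path).st_mode & 0o777
    return installed


def reload_tomcat(unit="tomcat"):
    """Make Tomcat pick up the new files (assumes a systemd unit of that name)."""
    subprocess.run(["systemctl", "restart", unit], check=True)


def dry_run():
    """Exercise deploy() on constructed placeholder files in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        lineage = os.path.join(root, "live", "www.example.com")
        os.makedirs(lineage)
        for name in CERT_FILES:
            with open(os.path.join(lineage, name), "w") as f:
                f.write("placeholder for " + name + "\n")  # constructed, not a real PEM
        return deploy(lineage, os.path.join(root, "tomcat-tls"), verify=False)


if __name__ == "__main__":
    group = os.environ.get("TOMCAT_GROUP")
    gid = grp.getgrnam(group).gr_gid if group else None
    deploy(os.environ["RENEWED_LINEAGE"], os.environ["TOMCAT_TLS_DIR"], gid=gid)
    reload_tomcat()
```

certbot runs a --deploy-hook only after a renewal actually succeeded, so the hook replaces the cron job James mentions. The restart is the blunt option; recent Tomcat 8.5 and 9 releases also expose a reloadSslHostConfigs operation on the connector's ProtocolHandler MBean over JMX, which re-reads the certificate files without a restart, and that call could replace reload_tomcat() where JMX is reachable from the hook.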
Re: Let's Encrypt with Tomcat?
Andrew,

On 12/27/19 17:23, Andrew Stanton wrote:
> Hi All,
>
> If possible, I think it's better to let 443 (https) requests hitting an instance be redirected to 80 so you don't have to configure an SSL locally in the instance itself. It's very cumbersome to do it that way.
>
> You can also use a single instance behind an AWS LB if you only have one instance to use.

There isn't any such thing as a secure network. IMHO, all network connections should be encrypted. TLS just isn't that tricky and, honestly, the more you do it the better you'll get at doing it.

-chris

> On Fri, Dec 27, 2019 at 2:08 PM James H. H. Lampert <jam...@touchtonecorp.com> wrote:
>>> As it happens, one way or another (and I'm not entirely sure *which* way; I'd have to look at my notes), we *do* have Tomcat listening directly on 443 (but not 80; nothing there is currently listening on 80) on that particular EC2 instance (and I'm pretty sure we have HTTPD running on a *different* port, for the SVN and Trac sharing the box).
>>
>> Hmm. It seems I was mistaken about two things: (1) that the Tomcat server under discussion is listening *directly* on 443, and (2) that I could find my notes on how I set the box up.
>>
>> What I can find is the server.xml file, and the active connector definition:
>>
>> <Connector port="8443" proxyPort="443" protocol="org.apache.coyote.http11.Http11NioProtocol" . . . clientAuth="false" sslProtocol="TLS" />
>>
>> The thing that catches my eye is port="8443" proxyPort="443"
>>
>> I hope that indicates how it is I'm getting this to look like port 443 to the outside world, because I honestly can't remember what I did (even though it looks like it's only been six months since I did it).
>>
>> --
>> James H. H. Lampert
Re: Let's Encrypt with Tomcat?
James,

On 12/27/19 17:07, James H. H. Lampert wrote:
>>> As it happens, one way or another (and I'm not entirely sure *which* way; I'd have to look at my notes), we *do* have Tomcat listening directly on 443 (but not 80; nothing there is currently listening on 80) on that particular EC2 instance (and I'm pretty sure we have HTTPD running on a *different* port, for the SVN and Trac sharing the box).
>
> Hmm. It seems I was mistaken about two things: (1) that the Tomcat server under discussion is listening *directly* on 443, and (2) that I could find my notes on how I set the box up.
>
> What I can find is the server.xml file, and the active connector definition:
>
> <Connector port="8443" proxyPort="443" protocol="org.apache.coyote.http11.Http11NioProtocol" . . . clientAuth="false" sslProtocol="TLS" />
>
> The thing that catches my eye is port="8443" proxyPort="443"
>
> I hope that indicates how it is I'm getting this to look like port 443 to the outside world, because I honestly can't remember what I did (even though it looks like it's only been six months since I did it).

This means that you are listening on port 443, but when Tomcat builds URLs for redirection, etc. the port 443 will be used (and, actually, as likely secure="true", then the port will be omitted because the default port for https is 443 of course).

There is no proxying going on in Tomcat; this configuration is named for the use-case: you must have a reverse-proxy somewhere which is terminating TLS (and likely re-establishing a separate secure link with Tomcat, since sslProtocol="TLS" in your config). It's probably a load-balancer which is essentially synonymous with a reverse-proxy in this context. It's possible to have one without the other, but they are often performing both functions.

netstat on *NIX should give you the IP(s) of the clients, so you can probably pretty easily see the IP address of the reverse proxy.

-chris
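Chris's distinction above, that a Connector binds only its port attribute while proxyPort and proxyName change nothing but the authority Tomcat writes into the absolute URLs it generates, can be checked mechanically against a server.xml. The script below is an added example for this thread and is not code from the Tomcat project or from any poster. Its SAMPLE_SERVER_XML is constructed: the post shows only port="8443" proxyPort="443" and an elided attribute list, so every other attribute and the second connector are assumptions.

```python
"""Model which port a Tomcat Connector binds versus which one it advertises.

Added example, not from the thread.  SAMPLE_SERVER_XML is constructed; only
port="8443" proxyPort="443" comes from the post, the rest is assumed.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" proxyPort="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  </Service>
</Server>"""

DEFAULT_PORT = {"http": 80, "https": 443}


def parse_connectors(xml_text):
    """Return the attribute dict of every <Connector> in a server.xml document."""
    root = ET.fromstring(xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")]


def advertised_origin(attrs):
    """What Tomcat binds versus what it tells the application it is serving.

    Tomcat binds `port` and nothing else.  proxyPort/proxyName only change
    what request.getServerPort()/getServerName() return, and therefore the
    authority Tomcat writes into absolute URLs (sendRedirect, Location).
    The default port for the scheme is left out of generated URLs.
    """
    bind_port = int(attrs["port"])
    scheme = attrs.get("scheme", "http")
    adv_port = int(attrs.get("proxyPort", bind_port))
    return {
        "bind_port": bind_port,
        "scheme": scheme,
        "advertised_port": adv_port,
        "proxy_name": attrs.get("proxyName"),
        "port_in_urls": adv_port != DEFAULT_PORT.get(scheme),
    }


def redirect_url(attrs, request_host, path):
    """Absolute URL Tomcat would build for a relative redirect on this connector."""
    o = advertised_origin(attrs)
    host = o["proxy_name"] or request_host
    authority = f"{host}:{o['advertised_port']}" if o["port_in_urls"] else host
    return f"{o['scheme']}://{authority}{path}"


def audit(xml_text):
    """(bind_port, advertised_port) for every connector that relies on a front end.

    Each pair means something other than Tomcat must accept connections on
    advertised_port and forward them to bind_port: the connector itself
    never listens on advertised_port.
    """
    return [
        (o["bind_port"], o["advertised_port"])
        for o in map(advertised_origin, parse_connectors(xml_text))
        if o["advertised_port"] != o["bind_port"]
    ]


if __name__ == "__main__":
    for attrs in parse_connectors(SAMPLE_SERVER_XML):
        print(attrs["port"], "->", redirect_url(attrs, "www.example.com", "/app/"))
    print("front end required for:", audit(SAMPLE_SERVER_XML))
```

For James's connector the audit reports (8443, 443): the JVM is bound to 8443 and a redirect comes back as https://host/app/ with no port, which is what makes the box "look like port 443 to the outside world"; whatever is doing the 443 to 8443 forwarding (load balancer, iptables, authbind is not it since the bind port is 8443) shows up in netstat as Chris says.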
Re[2]: How to set apache load balancer for send request to 6 tomcat server
Hi Chris,

to avoid any kind of overload, I would like every single request to be forwarded to a backend server. I attach the files again hoping you can view them correctly. I await your suggestions.

Best regards.

Giancarlo

-- Original message --
From: "Christopher Schultz"
To: users@tomcat.apache.org
Sent: 27/12/2019 16:29:28
Subject: Re: How to set apache load balancer for send request to 6 tomcat server

> Giancarlo,
>
> On 12/23/19 12:45, Giancarlo Celli wrote:
>> Hi, I need to configure a load balancer with apache connector on a jelastic server that redirects requests to 6 server workers with tomcat 7 installed. Attached you can find extract from httpd.conf and workers.properties. I need to send single request to tomcat server individually, so I set sticky_session to 0.
>
> So you want your clients to switch servers even when they don't have to?
>
>> Could you tell me if parameters are configured correctly? Is the collector able to handle all requests? Could you give me some further advice?
>>
>> Each tomcat server is configured with the following parameters:
>>
>> <Connector port="80" protocol="HTTP/1.1" maxThreads="400" connectionTimeout="2" redirectPort="8443" />
>>
>> The balancer has the following configuration:
>>
>> Server version: Apache/2.4.39 (codeit)
>> Server built: Apr 3 2019 18:54:14
>> Architecture: 64-bit
>> Server MPM: event
>> threaded: yes (fixed thread count)
>> forked: yes (variable process count)
>
> Your attachments were stripped. Can you please post an example worker and your JkMounts from httpd.conf? We don't need the whole httpd.conf.
>
> -chris

worker.list=loadbalancer
worker.maintain=300
worker.node1.port=8009
worker.node1.host=XX.XX.XX.01
worker.node1.type=ajp13
worker.node1.ping_mode=P
worker.node1.ping_timeout=1
worker.node1.lbfactor=1
worker.node1.socket_timeout=30
worker.node1.connection_pool_timeout=20
worker.node1.recover_time=5
worker.node2.reference=worker.node1
worker.node2.host=XX.XX.XX.02
worker.node3.reference=worker.node1
worker.node3.host=XX.XX.XX.03
worker.node4.reference=worker.node1
worker.node4.host=XX.XX.XX.04
worker.node5.reference=worker.node1
worker.node5.host=XX.XX.XX.05
worker.node6.reference=worker.node1
worker.node6.host=XX.XX.XX.06
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2,node3,node4,node5,node6
worker.loadbalancer.sticky_session=0
worker.loadbalancer.method=B

StartServers 1
MinSpareServers 1
MaxSpareServers 3
# ServerLimit 13
ServerLimit 13
# MaxRequestWorkers 13
MaxRequestWorkers 13
MaxConnectionsPerChild 500

StartServers 1
ServerLimit 13
MaxRequestWorkers 25
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxConnectionsPerChild 500

StartServers 2
# ServerLimit 13
ServerLimit 13
MaxRequestWorkers 325
ThreadsPerChild 25
AsyncRequestWorkerFactor 2
MaxConnectionsPerChild 500
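The workers.properties posted above leans entirely on mod_jk's worker.<name>.reference inheritance (node2 through node6 declare only a host), so whether each member really ends up with a port and a type is not visible from the file itself. The script below is an added example for this thread, not mod_jk code or code from either poster: it resolves the inheritance the way mod_jk does, lists the balancer's members, and reports the configuration points Chris asked about. WORKERS is a copy of the posted file with the hosts redacted exactly as in the post.

```python
"""Resolve mod_jk workers.properties inheritance and sanity-check the balancer.

Added example, not from the thread.  WORKERS is the file posted above
(hosts redacted as in the post).
"""

WORKERS = """\
worker.list=loadbalancer
worker.maintain=300
worker.node1.port=8009
worker.node1.host=XX.XX.XX.01
worker.node1.type=ajp13
worker.node1.ping_mode=P
worker.node1.ping_timeout=1
worker.node1.lbfactor=1
worker.node1.socket_timeout=30
worker.node1.connection_pool_timeout=20
worker.node1.recover_time=5
worker.node2.reference=worker.node1
worker.node2.host=XX.XX.XX.02
worker.node3.reference=worker.node1
worker.node3.host=XX.XX.XX.03
worker.node4.reference=worker.node1
worker.node4.host=XX.XX.XX.04
worker.node5.reference=worker.node1
worker.node5.host=XX.XX.XX.05
worker.node6.reference=worker.node1
worker.node6.host=XX.XX.XX.06
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2,node3,node4,node5,node6
worker.loadbalancer.sticky_session=0
worker.loadbalancer.method=B
"""


def parse_properties(text):
    """key=value lines into a dict; '#' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def worker_props(props, name, _chain=()):
    """Effective properties of one worker.

    mod_jk lets worker.X.reference=worker.Y pull in Y's properties; X's own
    keys win.  References may chain, so resolve recursively and refuse loops.
    """
    if name in _chain:
        raise ValueError("reference loop: " + " -> ".join(_chain + (name,)))
    prefix = "worker." + name + "."
    own = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    ref = own.pop("reference", None)
    if ref is None:
        return own
    ref_name = ref[len("worker."):] if ref.startswith("worker.") else ref
    base = worker_props(props, ref_name, _chain + (name,))
    base.update(own)
    return base


def lb_members(props, lb):
    """Members named in worker.<lb>.balance_workers, in order."""
    raw = worker_props(props, lb).get("balance_workers", "")
    return [m.strip() for m in raw.split(",") if m.strip()]


def audit(text):
    """Human-readable findings about every lb worker listed in worker.list."""
    props = parse_properties(text)
    findings = []
    for lb in [w.strip() for w in props.get("worker.list", "").split(",") if w.strip()]:
        lbp = worker_props(props, lb)
        if lbp.get("type") != "lb":
            continue
        members = lb_members(props, lb)
        if not members:
            findings.append(f"{lb}: no balance_workers")
        for m in members:
            wp = worker_props(props, m)
            for required in ("host", "port", "type"):
                if required not in wp:
                    findings.append(f"{m}: missing {required}")
            if wp.get("type") != "ajp13":
                findings.append(f"{m}: unexpected type {wp.get('type')!r}")
        if lbp.get("sticky_session", "1").lower() in ("0", "false", "off"):
            findings.append(f"{lb}: sticky_session off; consecutive requests from one client "
                            "may land on different members, so session state must be shared "
                            "between the Tomcats")
    return findings


if __name__ == "__main__":
    for member in lb_members(parse_properties(WORKERS), "loadbalancer"):
        print(member, worker_props(parse_properties(WORKERS), member))
    for finding in audit(WORKERS):
        print("-", finding)
```

On the posted file every member resolves to host/port/type ajp13 through node1, so the only finding is the sticky_session=0 one, which is the point behind Chris's "switch servers even when they don't have to" question. A second thing the resolved view makes visible is that all six Tomcats are declared on AJP port 8009 while the posted Connector is the HTTP one on port 80; the AJP connector each Tomcat exposes to mod_jk is not in the post, so the script cannot check it.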
Re: secureRandom... using [SHA1PRNG] ..took (up to) 20 minutes
apt-get install haveged
update-rc.d haveged defaults

Increases the entropy pool and therefore reduces start-up time for Tomcat.

Markus

On 30.12.19 at 11:22, Rainer Jung wrote:
> It depends a bit on the major Java version you are using, but have a look at this page:
>
> https://cwiki.apache.org/confluence/display/TOMCAT/HowTo+FasterStartUp#HowToFasterStartUp-EntropySource
>
> Regards,
>
> Rainer
>
> On 30.12.2019 at 05:01, Vince Stewart wrote:
>> I started recently using my java app with embedded Tomcat / 8.0.28 on a debian VPS (DigitalOcean).
>>
>> Unfortunately, it can take up to 20 minutes to launch into action from the time you start execution. The issue relates to "Creation of SecureRandom instance ... using SHA1PRNG". Slowness has been described and explained in Stackoverflow.
>>
>> My tomcat has otherwise been so reliable that I have had no motivation to keep it upgraded. Can anyone advise if some change will apply if I upgrade to the latest version 8.
>>
>> Otherwise, is there a configuration change I could employ.
>>
>> Many thanks,
Re: secureRandom... using [SHA1PRNG] ..took (up to) 20 minutes
It depends a bit on the major Java version you are using, but have a look at this page:

https://cwiki.apache.org/confluence/display/TOMCAT/HowTo+FasterStartUp#HowToFasterStartUp-EntropySource

Regards,

Rainer

On 30.12.2019 at 05:01, Vince Stewart wrote:
> I started recently using my java app with embedded Tomcat / 8.0.28 on a debian VPS (DigitalOcean).
>
> Unfortunately, it can take up to 20 minutes to launch into action from the time you start execution. The issue relates to "Creation of SecureRandom instance ... using SHA1PRNG". Slowness has been described and explained in Stackoverflow.
>
> My tomcat has otherwise been so reliable that I have had no motivation to keep it upgraded. Can anyone advise if some change will apply if I upgrade to the latest version 8.
>
> Otherwise, is there a configuration change I could employ.
>
> Many thanks,
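The wiki page Rainer links recommends pointing the JVM at the non-blocking device, and Markus's haveged answer attacks the same problem from the kernel side. The script below is an added example for this thread, not Tomcat or JDK code: it checks, before Tomcat is started, whether a read from the blocking device would stall on this host right now, reads the kernel's entropy counter, and builds the CATALINA_OPTS line for setenv.sh. The paths are the standard Linux ones; the egd system property is the one the wiki page names.

```python
"""Check whether SecureRandom seeding on this host is at the mercy of /dev/random.

Added example, not from the thread.  Linux paths assumed; EGD_FLAG is the
property the linked wiki page recommends.
"""
import os

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
# The "/./" is deliberate: older JDKs special-cased the literal string
# file:/dev/urandom and still read /dev/random; the odd spelling defeats that.
EGD_FLAG = "-Djava.security.egd=file:/dev/./urandom"


def entropy_available(path=ENTROPY_AVAIL):
    """Bits in the kernel's input pool, or None when unreadable (non-Linux)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def probe_blocking_read(device="/dev/random", nbytes=32):
    """Non-blocking read from device.

    On kernels before 5.6, /dev/random returns EAGAIN when the pool is
    depleted; that is exactly the condition under which a JVM seeding
    SHA1PRNG from it stalls for minutes.  On 5.6 and later it only blocks
    until the CRNG is initialised, so a healthy host reports would_block=False.
    """
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        data = os.read(fd, nbytes)
        return {"device": device, "would_block": False, "bytes": len(data)}
    except BlockingIOError:
        return {"device": device, "would_block": True, "bytes": 0}
    finally:
        os.close(fd)


def catalina_opts(existing=""):
    """CATALINA_OPTS value for setenv.sh with the egd flag added exactly once."""
    parts = existing.split()
    if EGD_FLAG not in parts:
        parts.append(EGD_FLAG)
    return " ".join(parts)


def report(device="/dev/random"):
    """Everything an operator wants to see before starting Tomcat on this host."""
    r = probe_blocking_read(device)
    r["entropy_avail"] = entropy_available()
    r["suggested_catalina_opts"] = catalina_opts(os.environ.get("CATALINA_OPTS", ""))
    return r


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

If the probe reports would_block=True on a fresh VPS, the 20-minute start-up Vince sees is the JVM waiting on that same pool; the egd flag sidesteps the wait and haveged feeds the pool, and the two are independent.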