Hi Chris,

You are right. We need aliasing here which means the URL in the browser
does not change.
May I know where I should put the rewrite file below?

# Redirect everything that is not server.lbg.com to
# server.lbg.com. Don't worry about /towl yet.
RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]

# Redirect anything that isn't already going to /towl
# to go to /towl
RewriteCond %{REQUEST_URI} !^/towl
RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]

Thanks,
Lavanya

On Tuesday, May 14, 2024, Christopher Schultz <ch...@christopherschultz.net>
wrote:

> Lavanya,
>
> On 5/14/24 09:12, lavanya tech wrote:
>
>> IMHO removing the port number is always the preferred solution — I never
>> did it
>>
>>>> can we achieve this with tomcat or do we need to set up a reverse proxy
>>>> here.
>>>
>>> Your application uses whatever internal URLs it wants. Are you building
>>> those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If
>>> it's Tomcat, this is where the proxyName and proxyPort come in.
>>
>> - Yes, I have not built these URLs before. It was working from the very
>> beginning. As I mentioned, we are not able to reach the goal or whatever.
>>
>> Rather than saying redirection, I would say it's aliasing.
>>
>
> Please be specific. "Aliasing" (to me) means "the URL goes to the right
> place but doesn't change in the browser's URL" and "redirection" (to
> everybody) means "HTTP 301 or 302 response to a new URL".
>
>> Instead of moving applications or changing Tomcat configuration, it's
>> easier to achieve with a reverse proxy?
>>
>> https://example.lbg.com/ to https://server.lbg.com:8443/towl
>>
>
> This will be a nightmare. Do not try to rewrite URLs using a reverse
> proxy. You should redirect users to the right place if necessary. You can
> use a reverse-proxy if you want, but it won't be any less complicated than
> having Tomcat do it.
>
> I think your rewrite.config file just needs a few tweaks:
>
> # Redirect everything that is not server.lbg.com to
> # server.lbg.com. Don't worry about /towl yet.
> RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]
>
> # Redirect anything that isn't already going to /towl
> # to go to /towl
> RewriteCond %{REQUEST_URI} !^/towl
> RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]
>
> The application should be deployed as towl.war (or towl/ directory). You
> should listen on ports 80, 443, and 8443, and you should always end up at
> the right place. You should have proxyPort="8443" and proxyName="
> server.lbg.com" in your <Connector>.
>
> You will not need a ROOT context, since the rewrite will take care of that
> for you.
>
> -chris
>
>>> On Mon, May 13, 2024 at 10:17 PM lavanya tech <lavanyatech...@gmail.com>
>>> wrote:
>>>
>>> Hi Chris,
>>>
>>> Sorry if I confused things. It's important that
>>> https://server.lbg.com:8443/towl is always working. The goal is not to
>>> disable /towl, but just to redirect or alias
>>>
>>> https://example.lbg.com/ to https://server.lbg.com:8443/towl
>>>
>>> Thanks,
>>> Lavanya
>>>
>>> On Monday, May 13, 2024, Christopher Schultz <ch...@christopherschultz.net>
>>> wrote:
>>>
>>> Lavanya,
>>>
>>> On 5/13/24 05:57, lavanya tech wrote:
>>>
>>> Somehow made it work. Now I can only access the URLs as you mentioned
>>> before: https://example.lbg.com and https://server.lbg.com with port
>>> 8443 and without.
>>>
>>> https://example.lbg.com/towl and https://server.lbg.com/towl --> I have
>>> an error now: File not found.
>>>
>>> So I think we need to make https://example.lbg.com/ work to
>>> https://server.lbg.com/towl
>>>
>>>
>>> I'm sorry, I'm still confused as to which way you want things.
>>>
>>> Do you want to redirect /towl -> / or do you want to redirect / - >
>>> /towl?
>>>
>>> Or does it depend upon the hostname? It would really be better if you
>>> could settle on one specific behavior.
>>>
>>> -chris
>>>
>>> On Mon, May 13, 2024 at 9:41 AM lavanya tech <lavanyatech...@gmail.com>
>>> wrote:
>>>
>>> Hi Chris,
>>>
>>> Where are you defining the RewriteValve itself?
>>>
>>> Defined the RewriteValve here:
>>>          <Host name="localhost"  appBase="webapps"
>>>                unpackWARs="true" autoDeploy="true">
>>>
>>>              <Valve
>>> className="org.apache.catalina.valves.rewrite.RewriteValve" />
>>>                     resource="conf/rewrite.config" />
>>>
>>> 2) Created rewrite.config and added as below under conf/
>>>
>>>     RewriteCond %{REQUEST_URI} ^/towl/(.*)
>>>     RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>>>
>>> 3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml (I
>>> already have this mapping /* in the web.xml file)
>>>
>>>       <security-constraint>
>>>          <web-resource-collection>
>>>            <web-resource-name>Logging Area</web-resource-name>
>>>            <description>
>>>            Authentication for registered users.
>>>            </description>
>>>            <url-pattern>/*</url-pattern>
>>>            <url-pattern>/api/v1/search</url-pattern> <!-- protect search
>>> endpoint whitelisted above -->
>>>            <url-pattern>/api/v1/suggest/*</url-pattern> <!-- protect
>>> suggest
>>> endpoint whitelisted above -->
>>>          </web-resource-collection>
>>>            <auth-constraint>
>>>                <role-name>LDAP_USER</role-name>
>>>                <role-name>api</role-name>
>>>            </auth-constraint>
>>>        </security-constraint>
>>>
>>> 4) Restarted Tomcat. Then I cannot access
>>> https://server.lbg.com:8443/towl --> I have the error below:
>>>
>>> Message java.nio.file.NoSuchFileException:
>>> /git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar
>>>
>>> Description The server encountered an unexpected condition that
>>> prevented it from fulfilling the request.
>>>
>>> 5) Also https://example.lbg.com does not work anymore.
>>>
>>> Before you do anything with redirecting, can you just make sure you are
>>> only deploying ROOT.war and nothing else?
>>>        How can I do that? I already changed towl.war to ROOT.war.
>>>
>>> But still both the URLs have the error as mentioned above.
>>>
>>> So I reverted the changes.
>>>
>>> That's weird. Try stopping, deleting the work/ directory and restarting.
>>> --> I have this weird behavior for some reason; though index.jsp is
>>> located, no changes were made to the file. After deleting cookies the
>>> URL works.
>>>
>>> Where am I going wrong?
>>>
>>> Thanks,
>>> Lavanya
>>>
>>>
>>> On Fri, May 10, 2024 at 6:50 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Lavanya,
>>>
>>>
>>> On 5/10/24 04:37, lavanya tech wrote:
>>>
>>> I tried the below and have the issues.
>>>
>>> 1) proxyPort="443" and proxyName="example.lbg.com" to the connector
>>> 2) renamed towl.war to ROOT.war
>>> 3) created rewrite.config and added as below under conf/
>>>
>>> Where are you defining the RewriteValve itself?
>>>
>>> RewriteCond %{REQUEST_URI} ^/towl/(.*)
>>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>>>
>>> If this is being handled by the ROOT servlet then I think it's right.
>>>
>>> 4) added this in the web.xml file of /webapps/towl/web.xml/
>>>
>>>       <!-- Servlet mappings -->
>>>         <!-- Add your existing servlet mappings here -->
>>>
>>>         <!-- Security constraint to restrict access to /towl path -->
>>>         <security-constraint>
>>>             <web-resource-collection>
>>>                 <web-resource-name>Restricted Access to
>>> /towl</web-resource-name>
>>>                 <url-pattern>/towl/*</url-pattern>
>>>
>>> No, this is wrong. Since this is the "towl" application and not ROOT,
>>> you want to map /* and not /towl/* because the application will never
>>> see the /towl/ as it's an application/context prefix that Tomcat will
>>> remove.
>>>
>>>             </web-resource-collection>
>>>
>>>             <auth-constraint>
>>>                 <!-- Deny access to all roles -->
>>>             </auth-constraint>
>>>         </security-constraint>
>>>
>>> Also I noticed that even if I rename the towl application to ROOT, when
>>> I call the URL with https://example.lbg.com/towl --> this towl directory
>>> is getting created under webapps by default.
>>>
>>> If webapps/towl is being created, then it's happening for some other
>>> reason. Do you have anything under conf/Catalina/*/towl.xml which points
>>> to a WAR file or something? If so, remove that.
>>>
>>> 5) Restarted Tomcat and I have the below error and all the URLs have the
>>> same issue
>>>
>>> Message org.apache.jasper.JasperException:
>>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
>>>
>>> That's weird. Try stopping, deleting the work/ directory and
>>> restarting.
>>>
>>> Description The server encountered an unexpected condition that
>>> prevented it from fulfilling the request.
>>>
>>> Exception
>>>
>>> org.apache.jasper.JasperException: org.apache.jasper.JasperException:
>>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
>>>     org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:578)
>>>     org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
>>>     org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
>>>     org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
>>>     jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
>>>     org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>>>
>>> Before you do anything with redirecting, can you just make sure you are
>>> only deploying ROOT.war and nothing else?
>>>
>>> This should allow you to reach the application at both
>>> https://example.lbg.com/ and https://server.lbg.com/ as well as both of
>>> those with port 8443.
>>>
>>> Then use the applications and make sure they are working as expected.
>>> Then, we'll add the /towl handling.
>>>
>>> -chris
>>>
>>> On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Lavanya,
>>>
>>>
>>> On 5/9/24 13:48, lavanya tech wrote:
>>>
>>> Thank you so much for your explanation. I will try these options.
>>>
>>> Do server and example both resolve to the same IP?
>>>              - yes
>>>
>>> Good, that significantly reduces the complexity required, since you can
>>> do it with a single process (Tomcat) in a single environment.
>>>
>>> So I need to follow both 4a/b and 5a/b steps here, or any of them?
>>>
>>> If I set up exactly by using the below steps, then I should access both
>>> the URLs, right? https://server.lbg.com:8443/towl and
>>> https://example.lbg.com
>>>
>>> If you visit either hostname with /towl, you will be redirected to
>>> example.lbg.com/ with no port number. example:8443 will still work and
>>> no redirect will take place... unless you specifically make arrangements
>>> for that. We can do that later if you really want to.
>>>
>>> Let's get the other things working, first.
>>>
>>> -chris
>>>
>>> On Thursday, May 9, 2024, Christopher Schultz <ch...@christopherschultz.net>
>>> wrote:
>>>
>>> Lavanya,
>>>
>>>
>>> On 5/9/24 02:58, lavanya tech wrote:
>>>
>>> Just giving background of this topic again.
>>>
>>> 1) The application team who is working wanted to access the URL
>>> https://server.lbg.com:8443/towl --> which should redirect or point to
>>> https://example.lbg.com
>>>
>>> Is that a typo? You want specifically https://server.lbg.com/towl and
>>> https://example.lbg.com/ to point to your application?
>>>
>>>                     — It's not a typo; the requirements are still the
>>> same.
>>>
>>> Okay.
>>>
>>> Do server and example both resolve to the same IP?
>>>
>>> 2) Hence I added a firewall rule to redirect port 443 to 8443. And the
>>> URL https://example.lbg.com started working but it's pointing to
>>> https://server.lbg.com:8443 indeed and not
>>> https://server.lbg.com:8443/towl
>>>
>>> But then they wanted point 1 to have it, if I understood correctly. So
>>> basically to achieve this we wanted a reverse proxy setup?
>>>
>>> I did not define any additional host in the server.xml file; I just
>>> left it to default to localhost.
>>>
>>> Here's what you have to do in order to support this odd configuration.
>>>
>>> 1. Configure your firewall to route port 443 -> 8443. I suspect this is
>>> already done.
>>>
>>> 2. Deploy Tomcat on server.lbg.com with a <Connector> on port 8443. This
>>> is the default, so there shouldn't be anything to do. I suspect this is
>>> already done. You should set proxyPort="443" and
>>> proxyName="example.lbg.com" in your <Connector>. This will ensure that
>>> any URLs generated by Tomcat or your application will point to
>>> https://example.lbg.com/ and not to server.lbg.com or have a port number
>>> or whatever.
>>>
>>> 3. Re-name your application directory or WAR file from towl -> ROOT
>>> (upper case is important). So if you have tomcat/webapps/towl re-name
>>> that to tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war
>>> re-name that to tomcat/webapps/ROOT.war.
>>>
>>> The last thing to do is get /towl to re-direct to /. There are a few
>>> ways of doing that.
>>>
>>> 4a. Configure your application (now called ROOT and deployed on / and
>>> not /towl anymore) to handle the /towl URL and specifically redirect
>>> this back to /. This is oddly specific and has the application trying
>>> to redirect to itself which is weird.
>>>
>>> 4b. Create a new application called towl or towl.war which will be
>>> deployed on /towl and have THAT redirect to /. I think this is cleaner
>>> because you can call the application anything you'd like and it will
>>> still work. You don't have to match URL patterns yourself, you just
>>> re-name the WAR file if you suddenly want to use /towl2 instead of
>>> /towl.
>>>
>>> There are several ways to redirect.
>>>
>>> 5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A few
>>> notes: (1) the (*) means "capture this string" and \1 means "put the
>>> string back". This allows you to redirect /towl/foo/bar to /foo/bar
>>> instead of losing the /foo/bar. This syntax may not be perfect, adapt it
>>> to your needs. (2) Remember that the towl application is deployed on
>>> /towl so you don't want to redirect /towl/foo/bar, you only want to
>>> redirect /foo/bar since the URL will be relative to the current context
>>> (/towl). Got that? Finally, (3) you need to use a global redirect that
>>> does *NOT* redirect back to the /towl application. Normally, if you
>>> redirect to /foo you'll get an application-relative redirect from
>>> something like a rewrite valve/filter/whatever. Take care to redirect
>>> relative to the SERVER and not to the application.
>>>
>>> 5b. Write your own servlet to do a specific redirect.
>>>
>>> I hope that helps,
>>> -chris
>>>
>>> On Wednesday, May 8, 2024, Christopher Schultz <ch...@christopherschultz.net>
>>> wrote:
>>>
>>> Lavanya,
>>>
>>>
>>> On 5/8/24 06:48, lavanya tech wrote:
>>>
>>> I figured out how I can make it work with 443. Now the URLs are
>>> working. I added an iptables route from 443 to 8443 and it started
>>> working.
>>>
>>> nslookup example.lbg.com
>>>
>>> Non-authoritative answer:
>>> Name:    server.lbg.com
>>> Address:  192.168.200.105
>>> Aliases:  example.lbg.com
>>>
>>> I have some application towl running with Apache Tomcat. I have the
>>> below URLs working.
>>>
>>> https://server.lbg.com:8443/towl
>>> https://server.lbg.com
>>> https://example.lbg.com
>>> https://example.lbg.com/towl
>>>
>>> Now I wanted to disable the URLs https://example.lbg.com/towl and
>>> https://server.lbg.com and access only the other remaining two.
>>>
>>> I would *highly* recommend that you pick either /towl or / and not try
>>> to do both, unless you want to deploy the application twice (which is
>>> fine, just deploy towl.war and ROOT.war as copies of each other). If you
>>> try to re-write /towl to / or / to /towl, you'll find you spend the rest
>>> of your days tracking-down edge-cases and "fixing" them -- likely making
>>> things confusing and, probably, worse.
>>>
>>> In the end our goal is to make sure that the links are not always dead
>>> as soon as towl is moved to a new machine. Can you please assist me
>>> with how to do that?
>>>
>>> The goal should be that "moving" the application only means changing
>>> DNS and everything else works as expected.
>>>
>>> If you:
>>>
>>> 1. Deploy the application with a single context (e.g. /towl, which I
>>> recommend)
>>>
>>> 2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT
>>> application that does nothing but redirect; my personal preference)
>>>
>>> 3. Do not define any <Host> other than "localhost" and make it the
>>> default. Do not bother with any <Alias> elements since they are not
>>> necessary.
>>>
>>> Moving the application should only require that you:
>>>
>>> 4. Deploy the same application with the same configuration in the new
>>> location
>>>
>>> 5. Change DNS to point example.lbg.com and server.lbg.com to the new
>>> location of the service
>>>
>>> Hope that helps,
>>> -chris
>>>
>>> On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Lavanya,
>>>
>>> On 4/30/24 07:10, lavanya tech wrote:
>>>
>>> Can you tell me how to do the below? How should I set up Tomcat in
>>> server.xml?
>>>
>>> If you want to use port 443 (the default port for HTTPS) then you will
>>> need to change Tomcat to bind to port 443 (if that's allowed on your
>>> OS) or arrange to have port 443 routed to port 8443. You may need
>>> additional configuration in Tomcat (specifically: proxyPort) to avoid
>>> having Tomcat generate URLs with ":8443" in them.
>>>
>>> Looking forward to your reply.
>>>
>>> If Tomcat is listening on port 8443 then you will need to include that
>>> in your URL, period. If you want to allow URLs without a port number,
>>> you will have to arrange to have something listening on port 443.
>>>
>>> On Windows, Tomcat can listen directly on port 443. On UNIX and
>>> UNIX-like systems, you won't be able to do this without running Tomcat
>>> as root WHICH YOU ABSOLUTELY SHOULD NOT DO.
>>>
>>> There are other ways to get port 443 working, but I'll need to know
>>> more about your environment. The port issue is "easier" than figuring
>>> out whatever is going on with your DNS, aliases, etc. so I would
>>> recommend we fix one thing at a time.
>>>
>>> -chris
>>>
>>> On Mon, Apr 29, 2024 at 2:03 PM lavanya tech <lavanyatech...@gmail.com>
>>> wrote:
>>>
>>>
>>> Hi Chris,
>>>
>>> There are no issues with the browser, because I tested with different
>>> browsers and it all works fine. I am sure that there is no issue with
>>> the certificate. Because I was able to establish successful connections
>>> with port 8443, it just does not work without the port.
>>>
>>>          curl  https://example.lbg.com/towl
>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
>>>
>>> If you want to use port 443 (the default port for HTTPS) then you will
>>> need to change Tomcat to bind to port 443 (if that's allowed on your
>>> OS) or arrange to have port 443 routed to port 8443. You may need
>>> additional configuration in Tomcat (specifically: proxyPort) to avoid
>>> having Tomcat generate URLs with ":8443" in them.
>>>
>>> <Connector port="443" protocol="HTTP/1.1"
>>>                    connectionTimeout="20000"
>>>                    redirectPort="8443"
>>>                    maxThreads="150"
>>>                    scheme="https" secure="true" SSLEnabled="true"
>>>                    keystoreFile="path_to_your_keystore_file"
>>>                    keystorePass="your_keystore_password"
>>>                    keystoreType="PKCS12"
>>>                    clientAuth="false" sslProtocol="TLS"
>>>                    proxyPort="443"/>
>>>
>>> Should I use a connector like the above? But you mentioned before that
>>> we don't need any configuration changes. Please clarify; I am not able
>>> to figure this out and I have had this issue pending for many days. How
>>> to make it work with port 8443 and without the port?
>>>
>>> Also I wanted to use the web URL with the alias name permanently
>>> instead of the hostname. How can I achieve both?
>>>
>>> Thanks,
>>> Lavanya
>>>
>>>
>>> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Lavanya,
>>>
>>> On 4/25/24 07:24, lavanya tech wrote:
>>>
>>> Hi Chris,
>>>
>>> One question / doubt:
>>>
>>> As I mentioned earlier, the below URLs are already working in the
>>> browser:
>>>
>>> https://server.lbg.com:8443/towl
>>> https://example.lbg.com:8443/towl -> redirect (which means when I hit
>>> it in the browser) it points to https://server.lbg.com:8443/towl --->
>>> To be frank, I do not even need a redirect here; not sure why it
>>> redirects.
>>>
>>> My question is why it's working even though the SAN is not registered
>>> with the certificate? It does not even throw a warning in the browser.
>>>
>>> I'm not sure. Is it possible you have dismissed this error in the past
>>> and the browser is remembering that? Try this with a different web
>>> browser or maybe with curl from the command-line to see what happens.
>>>
>>> Why https://server.lbg.com/towl or https://example.lbg.com/towl -->
>>> How should it work with the new SAN certificate?
>>>
>>> You don't need to worry about the port number or application name,
>>> only the hostname is a part of the SAN.
>>>
>>> -chris
>>>
>>> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech <lavanyatech...@gmail.com>
>>> wrote:
>>>
>>> Hi Chris,
>>>
>>>
>>> Thanks, I will request a new certificate with SANs and I will try to
>>> fix the things from our end.
>>>
>>> Best Regards,
>>> Lavanya
>>>
>>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Lavanya,
>>>
>>> On 4/24/24 15:39, lavanya tech wrote:
>>>
>>> Local host means the machine I am logged in to: server.lbg.com
>>>
>>> You are right, example.lbg.com is a CNAME record.
>>>
>>> Okay, thanks for clearing that up.
>>>
>>> I don't have any SAN configured for the certificate. The certificate
>>> is requested for only server.lbg.com
>>>
>>> You will never be able to make a secure request to anything other than
>>> server.lbg.com without seeing an error. I highly recommend adding the
>>> other hostname as a SAN to your certificate if you really want to
>>> support this.
>>>
>>> Even if you wanted https://example.lbg.com/whatever to return an HTTP
>>> 302 redirect to https://server.lbg.com/whatever, the user would see a
>>> certificate hostname mismatch error which is ugly. It's best to make it
>>> work without users seeing ugly things.
>>>
>>> So if I just request a new certificate with a SAN it should work? If
>>> yes, I will request it and follow your steps as suggested below.
>>>
>>> Yes, it should.
>>>
>>> Should I use a CNAME record or DNS? Does it make a difference?
>>>
>>> CNAME *is* DNS.
>>>
>>> Whenever possible, use hostnames and not IP addresses as SANs. It's
>>> more flexible that way, and users get to see hostnames instead of IP
>>> addresses.
>>>
>>> -chris
>>>
>>> On Wednesday, April 24, 2024, Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Lavanya,
>>>
>>> On 4/24/24 07:37, lavanya tech wrote:
>>>
>>> Sorry, I understood wrongly here with regards to my environment. Let me
>>> start from the beginning. I do not want to use redirect at all. I
>>> simply wanted to force Apache Tomcat to use both localhost and the DNS
>>> name of the localhost via URL.
>>>
>>> When you say "force" what do you mean?
>>>
>>> When you say "use both localhost and DNS name" what do you mean?
>>>
>>> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
>>> logged-into right now"?
>>>
>>> I have DNS resolution as below.
>>>
>>> server.lbg.com --> localhost
>>>
>>> Is that a CNAME record?
>>>
>>> nslookup server.lbg.com (localhost)
>>>
>>> Name:    server.lbg.com
>>> Address:  192.168.100.20
>>> alias: example.lbg.com
>>>
>>> That's a weird DNS response. The DNS name "localhost" should *always*
>>> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
>>> 192.168.100.20.
>>>
>>> We have the below URLs working:
>>>
>>> https://server.lbg.com:8443/towl
>>> https://example.lbg.com:8443/towl --> redirects to
>>>
>>> What do you mean "redirect"? Does it return a 30x response that causes
>>> the browser to make a new request to \/
>>>
>>> https://server.lbg.com:8443/towl  --> still works --> we have SSL
>>> configured for the same but this SSL certificate does not have
>>> additional DNS setup.
>>>
>>> What SANs are in your certificate? How many certificates do you have?
>>>
>>> But I would need to somehow access https://example.lbg.com --> which
>>> means I would need to access via 443 here?
>>>
>>> I'm so confused. What needs to access what?
>>>
>>> I tried adding the below to server.xml, but that does not seem to
>>> work.
>>>
>>>                <Connector port="80"
>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>                       connectionTimeout="20000"
>>>                       redirectPort="443" />
>>>
>>> This will only redirect (HTTP 302) requests to http://yourhost/anything
>>> to https://yourhost/anything *if the application specifically requests
>>> CONFIDENTIAL transport*. It doesn't just redirect everything by
>>> default. If you want it to redirect everything, you'll need to set that
>>> up e.g. using RewriteValve. There are other options, too.
>>>
>>> Do I need an additional SSL certificate for https://example.lbg.com to
>>> make it work?
>>>
>>> If you don't want your browser to complain, you will need at least one
>>> TLS certificate that contains every Subject Alternative Name (SAN) for
>>> every possible hostname you expect to use with this service. You can
>>> do it with multiple certificates as well, but a single cert with
>>> multiple SANs is less work.
>>>
>>> Do I need to set up an additional web server for this like Apache or
>>> nginx for redirecting requests?
>>>
>>> No.
>>>
>>> Please stop saying "redirect" because it sounds like you almost never
>>> mean "HTTP 30x redirect" and that's confusing everything.
>>>
>>> I *think* you only need the following:
>>>
>>> 1. A TLS certificate with the following SANs:
>>>
>>>             * server.lbg.com
>>>             * example.lbg.com
>>>             * localhost (you shouldn't do this)
>>>
>>> 2. DNS configured for all hostnames:
>>>
>>>             * server.lbg.com -> A 192.168.100.20
>>>             * example.lbg.com -> A 192.168.100.20
>>>
>>> 3. Tomcat configured with a single <Host> which is the default virtual
>>> host. Note that this is the *default Tomcat configuration* and doesn't
>>> need to be changed from the default.
>>>
>>> 4. Tomcat configured with your certificate like this:
>>>
>>>              <Connector ...
>>>                 SSLEnabled="true">
>>>                <SSLHostConfig>
>>>                  <Certificate
>>>                      certificateFile="/path/to/your/cert.crt"
>>>                      certificateKeyFile="/path/to/your/key.pem" />
>>>                  <!-- You may need certificateKeyPassword in <Certificate> -->
>>>                </SSLHostConfig>
>>>              </Connector>
>>>
>>> If your SANs are configured properly, this should allow you to connect
>>> using any of these URLs:
>>>
>>> $ curl https://server.lbg.com/towl/login.jsp
>>>
>>>             (returns login page)
>>>
>>> $ curl https://example.lbg.com/towl/login.jsp
>>>
>>>             (returns login page)
>>>
>>> If your application's web.xml contains something like this:
>>>
>>>             <security-constraint>
>>>               <web-resource-collection>
>>>                 <web-resource-name>theapp</web-resource-name>
>>>                 <url-pattern>/*</url-pattern>
>>>               </web-resource-collection>
>>>               <user-data-constraint>
>>>                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>               </user-data-constraint>
>>>             </security-constraint>
>>>
>>> ... then these insecure HTTP URLs should redirect your clients:
>>>
>>> $ curl http://server.lbg.com/towl/login.jsp
>>>
>>>             (returns HTTP 302 redirect to
>>> https://server.lbg.com/towl/login.jsp)
>>>
>>> $ curl https://server.lbg.com/towl/login.jsp
>>>
>>>             (returns HTTP 302 redirect to
>>> https://example.lbg.com/towl/login.jsp)
>>>
>>> I don't think you need any use of the RewriteValve unless you want to
>>> handle sending HTTP 302 redirect responses to insecure requests without
>>> specifying the CONFIDENTIAL transport-guarantee in your application's
>>> web.xml file. But I don't see any reason NOT to have that in there.
>>>
>>> -chris
>>>
>>> On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Lavanya,
>>>
>>>
>>> On 4/22/24 05:21, lavanya tech wrote:
>>>
>>> Could you please explain what you exactly mean? So here redirect is
>>> not a solution, right?
>>>
>>> Redirecting is fine.
>>>
>>> Perhaps you should take a step back and decide: what do you actually
>>> want, here? You might be trying to solve problem X by applying solution
>>> Y, and you've already decided that solution Y is correct so you are
>>> trying to get help with that.
>>>
>>> Perhaps ask for help with Problem X?
>>>
>>> For example, "I don't want users to have to type the name of my
>>> application to reach it so I want example.com/ to go to my application
>>> instead of example.com/myapp/".
>>>
>>> Or, "I have multiple domains and I want all of them to redirect to the
>>> canonical domain example.com and to go to my web application /myapp so
>>> everything goes to example.com/myapp/".
>>>
>>> "You'd have to use a glob/regex if you wanted to check for [anything
>>> and maybe nothing.]example.com."
>>>
>>> There is nothing in your configuration or question that suggests that
>>> the hostname in the request is relevant, but you are making it a
>>> *requirement* that the request contains a specific Host header. IF you
>>> don't actually need that, why do you have it?
>>>
>>> -chris
>>>
>>> On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Ammu,
>>>
>>>
>>> On 4/19/24 08:32, lavanya tech wrote:
>>>
>>> Thank you very much. I removed <Host> for example.com as well as adding
>>> an <Alias> in server.xml
>>> I copied the context.xml file
>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
>>>
>>> Removed < in the rewrite.config files.
>>>
>>> But still it does not redirect the URL.
>>>
>>> If you have <Context> in server.xml and also your application in the
>>> webapps/ directory, then you will be double-deploying your application.
>>>
>>> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are
>>> important) and remove the <Context> element from your server.xml.
>>>
>>> Then start your server and read the logs.
>>>
>>> nslookup alias.example.com gives -->
>>> Non-authoritative answer:
>>> Name:     www.example.com
>>> Address:  192.168.200.10
>>> Aliases:  alias.example.com
>>>
>>> Just to give some information here, www.example.com has alias
>>> "alias.example.com"
>>> But https://www.example.com:7777/example --> works fine without issues
>>> but the alias does not work (https://alias.example.com)
>>> So I am not sure if the redirect URL helps or if it's correct
>>>
>>> Your rewrite configuration says that you have to be using host
>>> "example.com" but your request goes to www.example.com. Your
>>> configuration should only redirect a request such as:
>>>
>>> $ curl -v http://example.com:7777/something
>>>
>>> HTTP/1.1 301 Moved Permanently
>>> ...
>>> Location: https://www.example.com:7777/example
>>>
>>> If you
>>
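A note on where the rewrite.config discussed in the thread is read from, since that is the open question at the top of the page: Tomcat's RewriteValve loads it from the Host's configuration directory when the valve is declared inside a <Host> (conf/Catalina/localhost/rewrite.config for the default Host), and from WEB-INF/rewrite.config when it is declared inside a <Context>. Before deploying a pair of rules like the ones in Chris's reply, it is worth tracing what they do to a few requests, because two redirecting rules with R=301 can chain or loop in ways that are easy to miss. The script below is an added example written for this page, not Tomcat's rewrite engine: it emulates only the subset of RewriteValve syntax those rules use (RewriteCond with a leading ! on %{HTTP_HOST} or %{REQUEST_URI}, RewriteRule with $N back-references, the R and L flags) using Python's re.search in place of the valve's matcher. Two things in it are assumptions rather than facts from the thread: whether %{HTTP_HOST} carries the ":8443" suffix is modelled as a switch, because if it does, the posted host condition never matches the canonical host and the first rule redirects to itself forever; and RULES_HARDENED is my suggested variant, which tolerates an optional port in the host check and matches only the /towl context rather than any path that merely begins with "towl".

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# rewrite.config as posted in the thread (Chris's version, verbatim).
RULES_AS_POSTED = r"""
RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]
RewriteCond %{REQUEST_URI} !^/towl
RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]
"""

# Suggested hardening (my variant, not from the thread): the host check
# tolerates an optional ":port", and the /towl check matches only the
# context itself, so /towlbar is still canonicalised to /towl/towlbar.
RULES_HARDENED = r"""
RewriteCond %{HTTP_HOST} !^server\.lbg\.com(:\d+)?$
RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]
RewriteCond %{REQUEST_URI} !^/towl(/|$)
RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]
"""


@dataclass
class Rule:
    conds: list      # [(variable, regex, negated)] that must all hold
    pattern: str     # RewriteRule pattern, applied to the request path
    target: str      # substitution, may contain $1..$9
    redirect: bool   # R flag present
    last: bool       # L flag present


def parse(config: str) -> list:
    """Parse the RewriteCond/RewriteRule subset used above into Rule objects."""
    rules, pending = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "RewriteCond":
            variable = parts[1][2:-1]              # strip "%{" and "}"
            negated = parts[2].startswith("!")
            pending.append((variable, parts[2].lstrip("!"), negated))
        elif parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            rules.append(Rule(pending, parts[1], parts[2],
                              any(f.startswith("R") for f in flags), "L" in flags))
            pending = []
    return rules


def apply_once(rules: list, url: str, host_header_has_port: bool):
    """Return the redirect target the first matching rule produces, or None."""
    u = urlsplit(url)
    # Assumption: whether HTTP_HOST includes the port is treated as a switch.
    variables = {"HTTP_HOST": u.netloc if host_header_has_port else u.hostname,
                 "REQUEST_URI": u.path}
    for rule in rules:
        if not all(bool(re.search(rx, variables[var])) != neg
                   for var, rx, neg in rule.conds):
            continue
        m = re.search(rule.pattern, u.path)
        if not m:
            continue
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), rule.target)
        if rule.redirect:
            return target
        if rule.last:
            break
    return None


def follow(config: str, url: str, host_header_has_port: bool = False, max_hops: int = 5):
    """Follow redirects until a request is served; report a loop after max_hops."""
    rules = parse(config)
    chain = [url]
    for _ in range(max_hops):
        nxt = apply_once(rules, chain[-1], host_header_has_port)
        if nxt is None:
            return chain, "served"
        chain.append(nxt)
    return chain, "loop"


if __name__ == "__main__":
    for name, cfg in (("as posted", RULES_AS_POSTED), ("hardened", RULES_HARDENED)):
        for url in ("https://example.lbg.com/login.jsp",
                    "https://server.lbg.com:8443/towl/login.jsp",
                    "https://server.lbg.com:8443/towlbar"):
            for has_port in (False, True):
                chain, outcome = follow(cfg, url, has_port)
                print(f"[{name}, Host {'with' if has_port else 'without'} port] "
                      + " -> ".join(chain) + f"  ({outcome})")
```

Running it shows that a request for https://example.lbg.com/login.jsp takes two 301 hops (first to the canonical host, then into /towl/) before it is served, that /towlbar is left alone by the posted rules because `!^/towl` is a prefix test, and that the posted host condition loops as soon as the Host value carries a port. Against the real server the same checks are `curl -sI -H 'Host: example.lbg.com' https://server.lbg.com:8443/login.jsp` and friends, reading the Location header of each hop; a browser hides the chain, curl does not.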
