Hi Chris, You are right. We need aliasing here which means the URL in the browser does not change. May I know where should I put the below rewrite files ?
# Redirect everything that is not server.lbg.com to # server.lbg.com. Don't worry about /towl yet. RewriteCond %{HTTP_HOST} !^server\.lbg\.com$ RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L] # Redirect anything that isn't already going to /towl # to go to /towl RewriteCond %{REQUEST_URI} !^/towl RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L] Thanks, Lavanya On Tuesday, May 14, 2024, Christopher Schultz <ch...@christopherschultz.net> wrote: > Lavanya, > > On 5/14/24 09:12, lavanya tech wrote: > >> IMHO removing the port number is always the preferred solution — I never >>> did it >>> >>> >>>> can we achieve this with tomcat or we need to setup an reverse proxy >>>> here. >>>> >>>> >>> Your application uses whatever internal URLs it wants. Are you building >>> those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If >>> it's Tomcat, this is where the proxyName and proxyPort come in. >>> >> >> - Yes, I have not built these UrLs before. It’s was working from the >> very >> beginning. As. I mentioned we are not able to reach goal or whatever. >> >> Rather than saying redirection, I would say it’s aliasing. >> > > Please be specific. "Aliasing" (to me) means "the URL does to the right > place but doesn't change in the browser's URL" and "redirection" (to > everybody) means "HTTP 301 or 302 response to a new URL". > > Instead of moving applications or changing tomcat configuration it’s easier >> to achieve with reverse proxy ? >> >> https://example.lbg.com/ to https://server.lbg.com:8443/towl >> > > This will be a nightmare. Do not try to rewrite URLs using a reverse > proxy. You should redirect users to the right place if necessary. You can > use a reverse-proxy if you want, but it won't be any less complicated than > having Tomcat do it. > > I think your rewrite.config file just needs a few tweaks: > > # Redirect everything that is not server.lbg.com to > # server.lbg.com. Don't worry about /towl yet. > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$ > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L] > > # Redirect anything that isn't already going to /towl > # to go to /towl > RewriteCond %{REQUEST_URI} !^/towl > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L] > > The application should be deployed as towl.war (or towl/ directory). You > should listen on ports 80, 443, and 8443, and you should always end up at > the right place. You should have proxyPort="8443" and proxyName=" > server.lbg.com" in your <Connector>. > > You will not need a ROOT context, since the rewrite will take care of that > for you. > > -chris > > On Mon, May 13, 2024 at 10:17 PM lavanya tech <lavanyatech...@gmail.com> >>> wrote: >>> >>> Hi Chris, >>> >>> Sorry, If I did confuse. It’s important that >>> https://server.lbg.com:8443/towl is always working. Goal is not to >>> disable /towl, but just redirect or aliasing >>> >>> https//example.lbg.com/ to https://server.lbg.com:8443/towl >>> >>> >>> >>> >>> Thanks, >>> Lavanya >>> >>> On Monday, May 13, 2024, Christopher Schultz < >>> ch...@christopherschultz.net >>> >>>> >>>> wrote: >>> >>> Lavanya, >>> >>> On 5/13/24 05:57, lavanya tech wrote: >>> >>> Somehow made it work now i can only access urls as you mentioned before >>> https://example.lbg.com and https://server.lbg.com with port 8443 and >>> with >>> out >>> >>> https://example.lbg.com/towl and https://server.lbg.com/towl --> I >>> have an >>> error now File not found. >>> >>> So i think we need to make work https://example.lbg.com/ to >>> https://server.lbg.com/towl >>> >>> >>> I'm sorry, I'm still confused as to which way you want things. >>> >>> Do you want to redirect /towl -> / or do you want to redirect / - > >>> /towl? >>> >>> Or does it depend upon the hostname? It would really be better if you >>> could settle on one specific beahvior. >>> >>> -chris >>> >>> On Mon, May 13, 2024 at 9:41 AM lavanya tech <lavanyatech...@gmail.com> >>> >>> wrote: >>> >>> Hi Chris, >>> >>> >>> Where are you defining the RewriteValve itself? >>> >>> Defined rewritevalve here >>> <Host name="localhost" appBase="webapps" >>> unpackWARs="true" autoDeploy="true"> >>> >>> <Valve >>> className="org.apache.catalina.valves.rewrite.RewriteValve" /> >>> resource="conf/rewrite.config" /> >>> >>> 2) reated rewrite.config and added as below under conf/ >>> >>> RewriteCond %{REQUEST_URI} ^/towl/(.*) >>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R] >>> >>> 3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml ( I >>> already have this mappings /* in web.xml file) >>> >>> <security-constraint> >>> <web-resource-collection> >>> <web-resource-name>Logging Area</web-resource-name> >>> <description> >>> Authentication for registered users. >>> </description> >>> <url-pattern>/*</url-pattern> >>> <url-pattern>/api/v1/search</url-pattern> <!-- protect search >>> endpoint whitelisted above --> >>> <url-pattern>/api/v1/suggest/*</url-pattern> <!-- protect >>> suggest >>> endpoint whitelisted above --> >>> </web-resource-collection> >>> <auth-constraint> >>> <role-name>LDAP_USER</role-name> >>> <role-name>api</role-name> >>> </auth-constraint> >>> </security-constraint> >>> >>> 4) Restarted Tomcat, Then I cannot access >>> https://server.lbg.com:8443/towl >>> --> Have below error >>> >>> Message java.nio.file.NoSuchFileException: >>> /git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar >>> >>> Description The server encountered an unexpected condition that >>> prevented >>> it from fulfilling the request. >>> >>> 5) Also https://example.lbg.com doesnot work anymore >>> >>> Before you do anything with redirecting, can you just make sure you are >>> only deploying ROOT.war and nothing else? >>> How can I do that. I already changed towl.war to ROOT.war >>> >>> But still both the urls have error as mentioned above. >>> >>> >>> Si I revereted back the changes. >>> That's weird. Try stopping, deleting the work/ directory and restarting. >>> --> I have this wierd behavior for some reason, thoudh index.jsp is >>> located >>> no changes were made to file. After deleting cookies url works >>> >>> where Am I going wrong. >>> >>> Thanks, >>> Lavanya >>> >>> >>> On Fri, May 10, 2024 at 6:50 PM Christopher Schultz < >>> ch...@christopherschultz.net> wrote: >>> >>> Lavanya, >>> >>> >>> On 5/10/24 04:37, lavanya tech wrote: >>> >>> I tried the below and have the issues. >>> >>> 1)proxyPort="443" and proxyName="example.lbg.com" to the connector >>> 2) remanmed towl.war to ROOT.war >>> 3) created rewrite.config and added as below under conf/ >>> >>> >>> Where are you defining the RewriteValve itself? >>> >>> RewriteCond %{REQUEST_URI} ^/towl/(.*) >>> >>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R] >>> >>> >>> If this is being handled by the ROOT servlet then I think it's right. >>> >>> 4) added this in web.xml file of /webapps/towl/web.xml/ >>> >>> >>> <!-- Servlet mappings --> >>> <!-- Add your existing servlet mappings here --> >>> >>> <!-- Security constraint to restrict access to /towl path --> >>> <security-constraint> >>> <web-resource-collection> >>> <web-resource-name>Restricted Access to >>> /towl</web-resource-name> >>> <url-pattern>/towl/*</url-pattern> >>> >>> >>> No, this is wrong. Since this is the "towl" application and not ROOT, >>> you want to map /* and not /towl/* because the application will never >>> see the /towl/ as it's an application/context prefix that Tomcat will >>> remove. >>> >>> </web-resource-collection> >>> >>> <auth-constraint> >>> <!-- Deny access to all roles --> >>> </auth-constraint> >>> </security-constraint> >>> >>> Also I noticed that even if I rename the towl application to ROOT, >>> when >>> >>> i >>> >>> call the url with https://example.lbg.com/towl --> this towl >>> directory >>> >>> is >>> >>> getting created under webapps by default >>> >>> >>> If webapps/towl is being created, then it's happening for some other >>> reason. Do you have anything under conf/Catalina/*/towl.xml which >>> points >>> to a WAR file or something? If so, remove that. >>> >>> 5) Resarted tomcat and I have the below error and all the urls have the >>> >>> same issue >>> >>> Message org.apache.jasper.JasperException: >>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp >>> >>> >>> That's weird. Try stopping, deleting the work/ directory and >>> restarting. >>> >>> Description The server encountered an unexpected condition that >>> >>> >>> prevented >>> >>> it from fulfilling the request. >>> >>> Exception >>> >>> org.apache.jasper.JasperException: org.apache.jasper.JasperException: >>> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp >>> >>> >>> org.apache.jasper.servlet.JspServletWrapper.handleJspException( >>> JspServletWrapper.java:578) >>> >>> >>> >>> org.apache.jasper.servlet.JspServletWrapper.service( >>> JspServletWrapper.java:422) >>> >>> >>> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380) >>> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328) >>> jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) >>> org.apache.tomcat.websocket.se >>> rver.WsFilter.doFilter(WsFilter.java:51) >>> >>> >>> Before you do anything with redirecting, can you just make sure you are >>> only deploying ROOT.war and nothing else? >>> >>> This should allow you to reach the application at both >>> https://example.lbg.com/ and https://server.lbg.com/ as well as both >>> of >>> those with port 8443. >>> >>> Then use the applications and make sure they are working as expected. >>> Then, we'll add the /towl handling. >>> >>> -chris >>> >>> On Thu, May 9, 2024 at 11:20 PM Christopher Schultz < >>> >>> ch...@christopherschultz.net> wrote: >>> >>> Lavanya, >>> >>> >>> On 5/9/24 13:48, lavanya tech wrote: >>> >>> Thank you so much for your explanation. I will try these options. >>> >>> Do server and example both resolve to the same IP? >>> -yes >>> >>> >>> Good, that significantly reduces the complexity required, since you >>> can >>> do it will a single process (Tomcat) in a single environment. >>> >>> So I need follow both 4a/b and 5a/b steps here or any of them ? >>> >>> >>> If I setup exactly by using below steps , then I should access both >>> >>> the >>> >>> >>> urls right ? https://server.lbg.com:8443/towl and >>> >>> >>> https://example.lbg.com >>> >>> If you visit either hostname with /towl, you will be redirected to >>> example.lbg.com/ with no port number. example:8443 will still work >>> and >>> no redirect will take place... unless you specifically make >>> >>> arrangements >>> >>> >>> for that. We can do that later if you really want to. >>> >>> >>> Let's get the other things working, first. >>> >>> -chris >>> >>> On Thursday, May 9, 2024, Christopher Schultz < >>> >>> >>> ch...@christopherschultz.net> >>> >>> wrote: >>> >>> Lavanya, >>> >>> >>> On 5/9/24 02:58, lavanya tech wrote: >>> >>> Just giving background again of this topic again. >>> >>> >>> 1) The application team who is working they wanted to access the >>> url >>> https://server.lbg.com:8443/towl —> which should redirect or >>> point >>> >>> to >>> >>> >>> https://example.lbg.com >>> >>> >>> Is that a typo? You want specifically https://server.lbg.com/towl >>> >>> and >>> >>> >>> https://example.lbg.com/ to point to your application? >>> >>> — It’s not the Typo the requirements are still >>> the >>> >>> same. >>> >>> >>> >>> >>> Okay. >>> >>> Do server and example both resolve to the same IP? >>> >>> 2) Hence I added firewall rule to redirect port 443 to 8443. And >>> the >>> >>> url >>> >>> >>> https://example.lbg.com started working but its pointing to >>> >>> https://server.lbg.com:8443 indeed and not >>> >>> https://server.lbg.com:8443/to >>> >>> >>> wl >>> >>> >>> But then they wanted the point 1 to have it. If I understood >>> >>> correctly. So >>> >>> >>> basically to achieve this we wanted a reverse proxy setup ? >>> >>> >>> I didnot define any additional host in server.xml file on just >>> left >>> >>> to >>> >>> >>> default to local host. >>> >>> >>> >>> Here's what you have to do in order to support this odd >>> >>> configuration. >>> >>> >>> >>> 1. Configure your firewall to route port 443 -> 8443. I suspect >>> this >>> >>> is >>> >>> >>> already done. >>> >>> >>> 2. Deploy Tomcat on server.lbg.com with a <Connector> on port >>> 8443. >>> >>> This >>> >>> >>> is the default, so there shouldn't be anything to do. I suspect this >>> >>> >>> is >>> >>> >>> already done. You should set proxyPort="443" and proxyName=" >>> >>> example.lbg.com" in your <Connector>. This will ensure that any >>> URLs >>> generated by Tomcat or your application will point to >>> https://example.lbg.com/ and not to server.lbg.com or have a port >>> >>> number >>> >>> >>> or whatever. >>> >>> >>> 3. Re-name your application directory or WAR file from towl -> ROOT >>> >>> (upper >>> >>> >>> case is important). So if you have tomcat/webapps/towl re-name that >>> >>> >>> to >>> >>> >>> tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name >>> >>> >>> that >>> >>> >>> to >>> >>> >>> tomcat/webapps/ROOT.war. >>> >>> >>> The last thing to do is get /towl to re-direct to /. There are a >>> few >>> >>> ways >>> >>> >>> of doing that. >>> >>> >>> 4a. Configure your application (now called ROOT and deployed on / >>> and >>> >>> not >>> >>> >>> /towl anymore) to handle the /towl URL and specifically redirect >>> >>> this >>> >>> back >>> >>> >>> to /. This is oddly specific and has the application trying to >>> >>> >>> redirect >>> >>> >>> to >>> >>> >>> itself which is weird. >>> >>> >>> 4b. Create a new application called towl or towl.war which will be >>> deployed on /towl and have THAT redirect to /. I think this is >>> >>> cleaner >>> >>> >>> because you can call the application anything you'd like and it will >>> >>> >>> still >>> >>> >>> work. You don't have to match URL patterns yourself, you just >>> >>> re-name >>> >>> the >>> >>> >>> WAR file if you suddenly want to use /towl2 instead of /towl. >>> >>> >>> There are several ways to redirect. >>> >>> 5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A >>> >>> few >>> >>> >>> notes: (1) the (*) means "capture this string" and \1 means "put the >>> >>> >>> string >>> >>> >>> back. This allows you to redirect /towl/foo/bar to /foo/bar instead >>> >>> >>> of >>> >>> >>> losing the /foo/bar. This syntax may not be perfect, adapt it to your >>> >>> needs. (2) Remember that the towl application is deployed on /towl >>> so >>> >>> you >>> >>> >>> don't want to redirect /towl/foo/bar you only want redirect /foo/bar >>> >>> >>> since >>> >>> >>> the URL will be relative to the current context (/towl). Got that? >>> >>> >>> Finally, >>> >>> >>> (3) you need to use a global redirect that does *NOT* redirect back >>> >>> >>> to >>> >>> >>> the >>> >>> >>> /towl application. Normally, if you redirect to /foo you'll get an >>> >>> application-relative redirect from something like a rewrite >>> valve/filter/whatever. Take care to redirect relative to the SERVER >>> >>> and >>> >>> >>> not >>> >>> >>> to the application. >>> >>> >>> 5b. Write your own servlet to do a specific redirect. >>> >>> I hope that helps, >>> -chris >>> >>> On Wednesday, May 8, 2024, Christopher Schultz < >>> >>> ch...@christopherschultz.net> >>> wrote: >>> >>> Lavanya, >>> >>> >>> On 5/8/24 06:48, lavanya tech wrote: >>> >>> I figured out how I can it make it work with 443. Now the URls >>> are >>> >>> working. >>> I added iptables route 443 to 8443 and it started working. >>> >>> nslookup example.lbg.com >>> >>> Non-authoritative answer: >>> Name: server.lbg.com >>> Address: 192.168.200.105 >>> Aliases: example.lbg.com >>> >>> >>> I have some application towl running with apache tomcat. I have >>> >>> the >>> >>> >>> below >>> >>> URLs working. >>> >>> https://server.lbg.com:8443/towl >>> https://server.lbg.com >>> https://example.lbg.com >>> https://example.lbg.com/towl >>> >>> >>> Now i wanted to disable the url https://example.lbg.com/towl >>> and >>> https://server.lbg.com and access only the other remaining two. >>> >>> >>> >>> >>> >>> I would *highly* recommend that you pick either /towl or / and not >>> >>> >>> try to >>> >>> >>> do both, unless you want to deploy the application twice (which is >>> >>> >>> fine, >>> >>> >>> just deploy towl.war and ROOT.war as copies of each other). If you >>> >>> >>> try to >>> >>> >>> re-write /towl to / or / to /towl, you'll find you spend the rest >>> >>> >>> of >>> >>> >>> your >>> >>> >>> days tracking-down edge-cases and "fixing" them -- likely making >>> >>> >>> things >>> >>> >>> confusing and, probably, worse. >>> >>> >>> In the end our goal to makesure that the links are not always >>> >>> dead as >>> >>> >>> soon >>> >>> >>> as the towl is moved to a new machine. Can you pelase assit me >>> >>> how >>> >>> to do >>> >>> >>> that? >>> >>> >>> >>> The goal should be that "moving" the application only means >>> >>> >>> changing >>> >>> >>> DNS >>> >>> >>> and everything else works as expected. >>> >>> >>> If you: >>> >>> 1. Deploy the application with a single context (e.g. /towl, >>> which >>> >>> I >>> >>> >>> recommend) >>> >>> >>> 2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT >>> application that does nothing but redirect ; my personal >>> >>> preference) >>> >>> >>> >>> 3. Do not define any <Host> other than "localhost" and make it >>> the >>> default. Do not bother with any <Alias> elements since they are >>> not >>> necessary. >>> >>> Moving the application should only require that you: >>> >>> 4. Deploy the same application with the same configuration in the >>> >>> new >>> >>> >>> location >>> >>> >>> 5. Change DNS to point example.lbg.com and server.lbg.com to the >>> >>> new >>> >>> >>> location of the service >>> >>> >>> Hope that helps, >>> -chris >>> >>> On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz < >>> ch...@christopherschultz.net> wrote: >>> >>> Lavanya, >>> >>> On 4/30/24 07:10, lavanya tech wrote: >>> >>> Can you tell me how to do the below ? How should I setup Tomcat >>> in >>> server.xml ? >>> >>> >>> If you want to use port 443 (the default port for HTTPS) then you >>> >>> will >>> >>> >>> need to change Tomcat to bind to port 443 (if that's allowed on >>> >>> >>> your >>> >>> >>> OS) >>> >>> >>> or arrange to have port 443 routed to port 8443. You may need >>> >>> >>> additional >>> >>> >>> configuration in Tomcat (specifically: proxyPort) to avoid having >>> >>> >>> Tomcat >>> >>> >>> generate URLs with ":8443" in them. >>> >>> >>> Looking forward to your reply. >>> >>> >>> If Tomcat is listening on port 8443 then you will need to include >>> >>> that >>> >>> >>> in your URL, period. If you want to allow URLs without a port >>> >>> >>> number, >>> >>> >>> you will have to arrange to have something listening on port 443. >>> >>> >>> On Windows, Tomcat can listen directly on port 443. On UNIX and >>> UNIX-like systems, you won't be able to do this without running >>> >>> Tomcat >>> >>> >>> as root WHICH YOU ABSOLUTELY SHOULD NOT DO. >>> >>> >>> There are other ways to get port 443 working, but I'll need to >>> know >>> >>> more >>> >>> >>> about your environment. The port issue is "easier" than figuring >>> >>> >>> out >>> >>> >>> whatever is going on with your DNS, aliases, etc. so I would >>> >>> >>> recommend >>> >>> >>> we fix one thing at a time. >>> >>> >>> -chris >>> >>> On Mon, Apr 29, 2024 at 2:03 PM lavanya tech < >>> >>> lavanyatech...@gmail.com> >>> >>> >>> wrote: >>> >>> >>> Hi Chris, >>> >>> There is no issues with browser, because I tested with different >>> >>> browsers >>> >>> and it all works fine. I am sure that there is no issue with the >>> certificate. >>> Because I was able to establish successful connections >>> with >>> >>> port >>> >>> >>> >>> 8443, it >>> >>> just doesnot work with out port >>> >>> curl https://example.lbg.com/towl >>> curl: (56) Received HTTP code 504 from proxy after CONNECT >>> curl: (56) Received HTTP code 504 from proxy after CONNECT >>> >>> >>> If you want to use port 443 (the default port for HTTPS) then you >>> >>> will >>> >>> >>> need to change Tomcat to bind to port 443 (if that's allowed on >>> >>> >>> your >>> >>> >>> OS) >>> >>> >>> or arrange to have port 443 routed to port 8443. You may need >>> >>> >>> additional >>> >>> >>> configuration in Tomcat (specifically: proxyPort) to avoid having >>> >>> >>> Tomcat >>> >>> >>> generate URLs with ":8443" in them. >>> >>> >>> <Connector port="443" protocol="HTTP/1.1" >>> connectionTimeout="20000" >>> redirectPort="8443" >>> maxThreads="150" >>> scheme="https" secure="true" SSLEnabled="true" >>> keystoreFile="path_to_your_keystore_file" >>> keystorePass="your_keystore_password" >>> keystoreType="PKCS12" >>> clientAuth="false" sslProtocol="TLS" >>> proxyPort="443"/> >>> >>> should i use connect port like the above ? But you mentioned >>> >>> before >>> >>> >>> we >>> >>> >>> dont need any configuration changes. Please clarify I am not able >>> >>> >>> to >>> >>> >>> >>> figure >>> >>> this out and I have this issue many days pending. How to make it >>> >>> work >>> >>> >>> >>> with >>> >>> port 8443 and with out port >>> >>> Also I wanted to use weburl with alias name permanently instead >>> of >>> >>> the >>> >>> >>> hostname. How can I achieve both >>> >>> >>> Thanks, >>> Lavanya >>> >>> >>> --> >>> >>> >>> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz < >>> ch...@christopherschultz.net> wrote: >>> >>> Lavanya, >>> >>> On 4/25/24 07:24, lavanya tech wrote: >>> >>> Hi Chris, >>> >>> One question / doubt: >>> >>> As I mentioned earlier, the below URLS already working in the >>> >>> browser >>> >>> >>> >>> https://server.lbg.com:8443/towl >>> https://example.lbg.com:8443/towl -> redirect ( which means >>> when I >>> >>> hit in >>> >>> browser) it points to https://server.lbg.com:8443/towl ---> To >>> be >>> >>> frank, >>> >>> even I donot need redirect here, not sure why it redirects. >>> >>> My question is why its working even though SAN is not registered >>> >>> with >>> >>> >>> >>> the >>> >>> certificate ? It doesnot even throw warning in the browser. >>> >>> >>> I'm not sure. Is it possible you have dismissed this error in the >>> >>> past >>> >>> >>> and the browser is remembering that? Try this with a different web >>> >>> browser or maybe with curl from the command-line to see what >>> >>> happens. >>> >>> >>> >>> Why https://server.lbg.com/towl or https://example.lbg.com/towl >>> >>> --> >>> >>> >>> >>> How it >>> >>> should work with New SAN certificate ? >>> >>> >>> You don't need to worry about the port number or application >>> name, >>> >>> only >>> >>> >>> the hostname is a part of the SAN. >>> >>> >>> -chris >>> >>> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech < >>> >>> lavanyatech...@gmail.com >>> >>> >>> wrote: >>> >>> Hi Chris, >>> >>> >>> Thanks I will request new certificate with SANs and I will try to >>> >>> fix >>> >>> >>> >>> the >>> >>> things from our end. >>> >>> Best Regards, >>> Lavanya >>> >>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz < >>> ch...@christopherschultz.net> wrote: >>> >>> Lavanya, >>> >>> On 4/24/24 15:39, lavanya tech wrote: >>> >>> Local host means the machine i am logged in to server.lbg.com >>> >>> You are right, example.lbg.com is CNAME record. >>> >>> >>> Okay, thanks for clearing that up. >>> >>> I dont have any SAN configured for the certificate. The >>> certificate >>> >>> is >>> >>> requested for only server.lbg.com >>> >>> >>> You will never be able to make a secure request to anything other >>> >>> than >>> >>> server.lbg.com without seeing an error. I highly recommend >>> adding >>> >>> the >>> >>> other hostname as a SAN to your certificate if you really want to >>> support this. >>> >>> Even if you wanted https://example.lbg.com/whatever to return an >>> >>> HTTP >>> >>> 302 redirect to https://server.lbg.com/whatever, the user would >>> >>> see a >>> >>> certificate hostname mismatch error which is ugly. It's best to >>> >>> make >>> >>> >>> >>> it >>> >>> work without users seeing ugly things. >>> >>> So if i just request new certificate with SAN it should work ? If >>> >>> yes, I >>> >>> will request for it and follow your steps as below suggested. >>> >>> >>> Yes, it should. >>> >>> Should i use CName record or DNS? Does it make difference? >>> >>> >>> CNAME *is* DNS. >>> >>> Whenever possible, use hostnames and not IP addresses as SANs. >>> It's >>> >>> more >>> >>> flexible that way, and users get to see hostnames instead of IP >>> >>> addresses. >>> >>> >>> -chris >>> >>> On Wednesday, April 24, 2024, Christopher Schultz < >>> ch...@christopherschultz.net> wrote: >>> >>> Lavanya, >>> >>> On 4/24/24 07:37, lavanya tech wrote: >>> >>> Sorry I understood wrongly here with regards to my environment, >>> >>> Let me >>> >>> start from the beginning. I donot want to use redirect at all. I >>> >>> simply >>> >>> wanted to force apache tomcat to use both localhost and dns name >>> >>> of >>> >>> the >>> >>> localhost via url. >>> >>> >>> When you say "force" what do you mean? >>> >>> When you say "use both localhost and DNS name" what do you mean? >>> >>> When you say "localhost" do you mean 127.0.0.1 or "the machine >>> I'm >>> logged-into right now"? >>> >>> I have DNS resollution as below. >>> >>> >>> server.lbg.com --> localhost >>> >>> >>> Is that a CNAME record? >>> >>> nslookup server.lbg.com (localhost) >>> >>> Name: server.lbg.com >>> Address: 192.168.100.20 >>> alias: example.lbg.com >>> >>> >>> That's a weird DNS response. The DNS name "localhost" should >>> >>> *always* >>> >>> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return >>> 191.168.100.20. >>> >>> We have working the below urls working: >>> >>> https://server.lbg.com:8443/towl >>> https://example.lbg.com:8443/towl --> redirects to >>> >>> >>> What do you mean "redirect"? Does it return a 30x response that >>> >>> causes >>> >>> the >>> >>> browser to make a new request to \/ >>> >>> https://server.lbg.com:8443/towl --> still works --> we have >>> SSL >>> >>> configured for the same but this SSL certificate doesnot have >>> >>> additional >>> >>> DNS setup. >>> >>> >>> What SANs are in your certificate? How many certificates do you >>> >>> have? >>> >>> >>> But I would need to somehow access https://example.lbg.com --> >>> >>> which >>> >>> means >>> I would need to access via 443 here ? >>> >>> >>> I'm so confused. What needs to access what? >>> >>> I tried to adding the below to server.xml as below, but that >>> >>> doesnot >>> >>> seems >>> >>> to work. >>> >>> <Connector port="80" >>> protocol="org.apache.coyote.http11.Http11NioProtocol" >>> connectionTimeout="20000" >>> redirectPort="443" /> >>> >>> >>> This will only redirect (HTTP 302) requests to >>> >>> http://yourhost/anything >>> >>> to https://yourhost/anything *if the application specifically >>> >>> requests >>> >>> CONFIDENTIAL transport*. It doesn't just redirect everything by >>> >>> default. If >>> >>> you want it to redirect everything, you'll need to set that up >>> >>> e.g. >>> >>> using >>> >>> RewriteValve. There are other options, too. >>> >>> Do i need additional SSL certificate for the >>> >>> https://example.lbg.com >>> >>> to >>> >>> make it work ? >>> >>> >>> If you don't want your browser to complain, you will need at >>> least >>> >>> one >>> >>> TLS >>> >>> certificate that contains every Subject Alternative Name (SAN) >>> for >>> >>> every >>> >>> possible hostname you expect to use with this service. You ca do >>> >>> it >>> >>> with >>> >>> multiple certificates as well, but a single cert with multiple >>> >>> SANs >>> >>> is >>> >>> less >>> >>> work. >>> >>> Do i need to set up an additional web server for this like apache >>> >>> or >>> >>> nginx >>> >>> for redirecting requests? >>> >>> >>> No. >>> >>> Please stop saying "redirect" because it sounds like you almost >>> >>> never >>> >>> mean >>> >>> "HTTP 30x redirect" and that's confusing everything. >>> >>> I *think* you only need the following: >>> >>> 1. A TLS certificate with the following SANs: >>> >>> * server.lbg.com >>> * example.lbg.com >>> * localhost (you shouldn't do this) >>> >>> 2. DNS configured for all hostnames: >>> >>> * server.lbg.com -> A 192.168.100.20 >>> * example.lgb.com -> A 192.168.100.20 >>> >>> 3. Tomcat configured with a single <Host> which is the default >>> >>> virtual >>> >>> host. Note that this is the *default Tomcat configuration* and >>> >>> doesn't >>> >>> need >>> >>> to be changed from the default. >>> >>> 4. Tomcat configured with your certificate like this: >>> >>> <Connector ... >>> SSLEnabled="true"> >>> <SSLHostConfig> >>> <Certificate >>> certificateFile="/path/to/your/cert.crt" >>> certificateKeyFile="/path/to/your/key.pem" /> >>> <!-- You may need certificateKeyPassword in >>> >>> <Certificate> >>> >>> --> >>> >>> </SSLHostConfig> >>> </Connector> >>> >>> If your SANs are configured properly, this should allow you to >>> >>> connect >>> >>> using any of these URLs: >>> >>> $ curl https://server.lbg.com/towl/login.jsp >>> >>> (returns login page) >>> >>> $ curl https://example.lbg.com/towl/login.jsp >>> >>> (returns login page) >>> >>> If your application's web.xml contains something like this: >>> >>> <security-constraint> >>> <web-resource-collection> >>> <web-resource-name>theapp</web-resource-name> >>> <url-pattern>/*</url-pattern> >>> </web-resource-collection> >>> <user-data-constraint> >>> >>> <transport-guarantee>CONFIDENTIAL</transport-guarantee> >>> >>> >>> </user-data-constraint> >>> >>> </security-constraint> >>> >>> ... then these URLs insecure HTTP URLs should redirect your >>> >>> clients: >>> >>> >>> $ curl http://server.lbg.com/towl/login.jsp >>> >>> (returns HTTP 302 redirect to >>> >>> https://server.lbg.com/towl/login.jsp >>> >>> ) >>> >>> >>> $ curl https://server.lbg.com/towl/login.jsp >>> >>> (returns HTTP 302 redirect to >>> >>> https://example.lbg.com/towl/login.jsp) >>> >>> >>> I don't think you need any use of the RewriteValve unless you >>> want >>> >>> to >>> >>> handle sending HTTP 302 redirect responses to insecure requests >>> >>> without >>> >>> specifying the CONFIDENTIAL transport-guarantee in your >>> >>> application's >>> >>> web.xml file. But I don't see any reason NOT to have that in >>> >>> there. >>> >>> >>> -chris >>> >>> On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz < >>> >>> ch...@christopherschultz.net> wrote: >>> >>> Lavanya, >>> >>> >>> On 4/22/24 05:21, lavanya tech wrote: >>> >>> Could you please explain, what you exactly mean ? So here >>> >>> redirect >>> >>> is >>> >>> >>> not a >>> >>> solution right ? >>> >>> >>> Redirecting is fine. >>> >>> Perhaps you should take a step back and decide: what do you >>> >>> actually >>> >>> want, here? You might be trying to solve problem X by applying >>> >>> solution >>> >>> Y, and you've already decided that solution Y is correct so you >>> >>> are >>> >>> trying to get help with that. >>> >>> Perhaps ask for help with Problem X? >>> >>> For example, "I don't want users to have to type the name of my >>> application to reach it so I want example.com/ to go to my >>> >>> application >>> >>> instead of example.com/myapp/". >>> >>> Or, "I have multiple domains and I want all of them to redirect >>> >>> to >>> >>> the >>> >>> canonical domain example.com and to go to me web application >>> >>> /myapp >>> >>> so >>> >>> everything goes to example.com/myapp/". >>> >>> "You'd have to use a glob/regex if >>> >>> you wanted to check for [anything and maybe nothing.] >>> >>> example.com >>> >>> ." >>> >>> >>> >>> There is nothing in your configuration or question that suggests >>> >>> that >>> >>> the hostname in the request is relevant, but you are making it a >>> *requirement* that the request contains a specific Host header. >>> >>> IF >>> >>> you >>> >>> don't actually need that, why do you have it? >>> >>> -chris >>> >>> On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz < >>> >>> ch...@christopherschultz.net> wrote: >>> >>> Ammu, >>> >>> >>> On 4/19/24 08:32, lavanya tech wrote: >>> >>> Thank you very much. I removed <Host> for example.com as >>> >>> well >>> >>> as >>> >>> >>> adding >>> >>> >>> an >>> >>> >>> <Alias> in server.xml >>> I copied context.xml file >>> >>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml >>> >>> Removed < in rewrite.config files. >>> >>> But still I dont redirect the URL. >>> >>> >>> If you have <Context> in server.xml and also your application >>> >>> in >>> >>> the >>> >>> webapps/ directory, then you will be double-deploying your >>> >>> application. >>> >>> >>> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be >>> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are >>> important) >>> and remove the <Context> element from your server.xml. >>> >>> Then start your server and read the logs. >>> >>> *nslookup alias.example.com <http://alias.example.com> >>> >>> gives-->Non-authoritative answer:Name: www.example.com >>> <http://www.example.com>Address: 192.168.200.10Aliases: >>> >>> alias.example.com >>> >>> <http://alias.example.com>* >>> >>> >>> Just to give some information here, *www.example.com >>> <http://www.example.com>* has alias* "alias.example.com >>> <http://alias.example.com>"* >>> But https://www.example.com:7777/example --> works fine with >>> >>> out >>> >>> >>> issues >>> >>> >>> but >>> >>> >>> the alias doesnot works (https://alias.example.com) >>> So i am not sure if the redirect url helps or if its correct >>> >>> >>> Your rewrite configuration says that you have to be using host >>> "example.com" but your request goes to www.example.com. Your >>> configuration should only redirect a request such as: >>> >>> $ curl -v http://example.com:7777/something >>> >>> HTTP/1.1 301 Moved Permanently >>> ... >>> Location: https://www.example.com:7777/example >>> >>> If you >>> >>> >>> >> > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >