TLS 1.0 and "HTTP Security Header Not Detected" on Tomcat 7, running under Java 7

2019-02-05 Thread James H. H. Lampert
We've just received word from a customer that they had two 
vulnerabilities flagged on a security scan of the box their Tomcat 
server is running on.


38628 - TLS 1.0 still supported.
Ok, assuming that the box and the JVM can go up to a more current TLS 
level, and a more current cipher, what do I need to set? On other boxes, 
I've added a "ciphers" clause to the Connector for port 443 in the 
server.xml, but what about the TLS?


17369 - HTTP Security Header Not Detected.
This, I don't get: what I've been able to find on this one talks about a 
security header missing on port 80; the Tomcat server (at least the one 
we're responsible for) doesn't even have 80 (or 8080) open at all. If I 
remember right, though, there are other HTTP(S) servers running on that 
box; is it perhaps one of the others?


--
James H. H. Lampert

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Number of tomcat downloads

2019-02-05 Thread Igal Sapir
On Tue, Feb 5, 2019 at 6:35 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Leon,
>
> On 2/5/19 05:35, Leon Rosenberg wrote:
> > A little background on the original question: we have some legal
> > issues with a client, among other things, he claims that our code
> > isn't documented well, because he run checkstyle on it, and it
> > showed 6000 errors. My argumentation was that default checkstyle
> > settings aren't telling anything about code quality (unless agreed
> > upon upfront). I run checkstyle with default settings on tomcat
> > code base and it showed 85.412 errors using sun code checks (yes,
> > those from 1996). Most of them are like:
> >
> > AbstractFramedStreamSourceChannel reamSourceChannel,AbstractAjpClientStreamSinkChannel>
> >
> > this line produces multiple warnings, for example ',' not followed by a
> > whitespace and such.
> >
> > if(attachments == null) - if not followed by a whitespace etc.
> >
> > Hence if such a mature product like tomcat (with 10.000.000
> > installations) contains 85412 errors and is considered well
> > documented, he is using the wrong tool for the task.
>
> LOL try running checkstyle or SpotBugs against WebLogic and see what
> happens.
>

Yep.  That's quite a ridiculous claim by that client.

When it comes to FOSS, though, I always remind complaining clients that
they can get their money back ;)

Best,

Igal


Re: Number of tomcat downloads

2019-02-05 Thread Igal Sapir
Chris,

On Tue, Feb 5, 2019 at 6:32 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Igal,
>
> On 2/4/19 23:52, Igal Sapir wrote:
> > 
> > On that note, should we add Google Analytics to the new site?
>
> Hard pass, thank you very much.
>

I didn't necessarily mean that it has to be GA, even though I mentioned it
by name as it's the most popular tool out there - it was more like saying
"Xerox" instead of "Copier", or "Kleenex" instead of "Tissue".

It can be any tool, including the one you suggested in the other email, but
anyway, as Mark pointed out this decision might be made at a higher level.

Best,

Igal


Re: Tomcat gives 404 for file that exists

2019-02-05 Thread Joel Griffith
On Tue, Feb 5, 2019 at 9:49 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Joel,
>
> On 2/5/19 08:56, Joel Griffith wrote:
> > On Mon, Feb 4, 2019 at 4:50 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Joel,
> >
> > On 2/4/19 16:35, Joel Griffith wrote:
> >> I've installed Tomcat 8.0.32 a local Ubuntu 16.04 VM (Oracle
> >> VirtualBox) and I'm using it to access a webapp through the
> >> laptop the VM is local to. The VM port-forwards 3081 to 8080,
> >> so I can access Tomcat as `http://127.0.0.1:3081/` in
> >> my laptop browser.
> >
> > Are you sure it's going to the Tomcat you think it's going to?
> >
> > I'm not at all certain.  I didn't even know there was more than
> > one.  How can I tell?
>
> I was thinking that maybe you had either more than one Tomcat running
> or that your port-forwarding wasn't working the way you thought it was.
>
> >> Accessing `http://127.0.0.1:3081/` gives
> >> the default page stored in
> >> `/var/lib/tomcat8/webapps/ROOT/index.html`.  So, Tomcat is able
> >> to find and serve from the `webapps/` directory.
> >>
> >> However, if I try to access
> >> `http://127.0.0.1:3081/myWebapp/index.html`, which exists as
> >> `/var/lib/tomcat8/webapps/myWebapp/index.html`, Tomcat returns a
> >> 404, reporting that the requested resource is unavailable.
> >>
> >> `/var/lib/tomcat8/webapps/myWebapp/WEB-INF/web.xml` exists and
> >> is identical to that used in a functioning setup on a different
> >> server.
> >>
> >> What am I missing?  Why can Tomcat find
> >> `webapps/ROOT/index.html` but not `webapps/myWebapp/index.html`?
> >
> > Do you have an AccessLogValve enabled for the server? Is it showing
> > your requests and the 404 response when you make a request?
> >
> >
> >> Yes, and yes.
>
> Okay, that's (sort of) good. It means that your request is going to
> the right place.
>
> If you delete your log files and start Tomcat cleanly, what does
> catalina.out say about which applications were started? You should
> have some log entries that look like this:
>
> INFO: Deploying web application directory [/path/to/your/webappp]
> ...
> INFO: Deployment of web application directory [/path/to/your/webapp]
> has finished in [6,417] ms
>
>

That's the ticket.  The webapp wasn't deploying because I was missing a
class required by the webapp's web.xml.  I'll get that fixed.  Thanks for
your help!

>
> - -chris


Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Garret Wilson

On 2/5/2019 1:15 PM, Mark Thomas wrote:

…
> Migration to git has been in planning for a while. We are pretty much
> ready to pull the trigger. It is largely waiting for someone to have the
> time to do it when there aren't other more urgent things to be dealt
> with. I'd expect it to happen in the next few months.



That would really be super. If there are discussions that will help move 
this forward, I would like to contribute (to the discussions, at least) 
if it's helpful. About three years ago I migrated over a decade of my 
Subversion code to Git, and I did a lot of research on some of the 
gotchas. It involved splitting out branches and changing their roots. 
Here's the resulting script I used: 
https://bitbucket.org/globalmentor/util/src/master/bin/svn2git.sh (with 
related scripts in the same repo).


A not-unimportant factor is the whole LF vs CRLF nightmare. If you 
haven't been normalizing to LF in the Subversion repo from day one, 
you'll want to rewrite the entire Git history normalizing the text files 
(including source code) before using the repository. You'll want to add 
a good `.gitattributes` file so that this happens automatically going 
forward. (I understand you have this to some extent in Subversion 
already, but it's not as configurable as with `.gitattributes`.) Anyway, 
I hope you can go forward with this soon.



> However, you can still use git and GitHub and provide PRs against
> gitub.com/apache/tomcat  The ASF has integrations in place that make it
> fairly easy for us to pull those in.



Oh, that's nice. Good news. OK, I'll start looking at the code, thanks.

Garret





Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Mark Thomas
On 05/02/2019 14:51, Garret Wilson wrote:
> On 2/3/2019 9:34 PM, Mark Thomas wrote:
>>
>>>   * If this setting is still needed in some cases, is there any way to
>>>     control it without resorting to a system property? (System
>>>     properties are not very flexible, and Tomcat has many layers of more
>>>     manipulable settings, as you all would know better than me.)
>> No. Moving system properties to more fine-grained configuration
>> locations is on the TODO list.
> 
> 
> Is there really an actual to-do list, or were you speaking
> metaphorically? I'd be interested in looking at it.

https://svn.apache.org/viewvc/tomcat/trunk/TOMCAT-NEXT.txt?view=annotate

> I was crossing my fingers that https://github.com/apache/tomcat would
> actually be using the issue tracker, and that would be the to-do list,
> but I suppose I was expecting too much. Speaking of which, is the GitHub
> repository the canonical place for source code?

No. It is a mirror of svn.

> Because
> https://tomcat.apache.org/svn.html claims that Tomcat still uses
> Subversion and that Git is just a read-only mirror, even though
> https://git.apache.org/ claims that some projects have switched to
> GitHub for their primary SCM.

Those statements are all correct.

> I'm really interested in contributing, but I shudder at thinking about
> regressing a decade to start messing with Subversion (just
> `.gitattributes` and how it more or less fixes the CRLF nightmare is a
> huge thing) and submitting patches rather than commenting on pull
> requests. (I have nothing against Subversion, mind you. I thought it was
> wonderful and I once used the property system extensively for per-file
> metadata in a custom CRM. But for a SCM… the world has moved on.) What's
> the Tomcat source code status?

Migration to git has been in planning for a while. We are pretty much
ready to pull the trigger. It is largely waiting for someone to have the
time to do it when there aren't other more urgent things to be dealt
with. I'd expect it to happen in the next few months.

However, you can still use git and GitHub and provide PRs against
gitub.com/apache/tomcat  The ASF has integrations in place that make it
fairly easy for us to pull those in.

> Returning to the subject, do you have a list of system properties you'd
> be interested in making configurable,

All of them ;)
http://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html

Some are going to be a lot easier to address than others. I suspect that
in some cases we'd opt to keep the system property due to the complexity
of replacing it.

> and would this be a welcome
> contribution?

Yes.

> Where in the code could I look before committing myself?

Pick a property and use your IDE (or GitHub, or ...) to see how it is
used. Then figure out where to put the replacement configuration. Ask on
dev@ if pointers are required.

Note: In terms of backward compatibility, we have typically used the
system property to set the default of the new config option and then
dropped the system property in a subsequent major release.

Mark




Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Christopher Schultz

Garret,

On 2/4/19 17:22, Garret Wilson wrote:
> On 2/4/2019 7:31 PM, Christopher Schultz wrote:
>> Garret,
>>
>> On 2/3/19 16:20, Garret Wilson wrote:
>>> If we want to look up the thing identified by
>>> https://example.info/foobar, we would need to issue a request
>>> to
>>> https://example.com/https%3A%2F%2Fexample.info%2Ffoobar/description
>>
>> Why are you %-encoding the slashes at all? They are perfectly legal
>> as-is.
> 
> 
> Hmmm… So let's say my RESTful API endpoint is 
> https://example.com/{thingURI}/description as I mentioned. (Yes, I
> know that RESTful APIs don't have to be meaningful or structured as
> long as we use HATEOAS, but… a lot of us like them.) So you're
> saying that to request information for the resource
> https://example.info/foobar, I would send a GET request to:
> 
> https://example.com/https%3A//example.info/foobar/description
> 
> That raises all sorts of questions, such as
> 
> * The double slash is OK? Really!??
> * Is there any RESTful API framework on the planet that would realize
>   the URI path "/https%3A//example.info/foobar/description" matched
>   "{thingURI}/description"? So if I'm using JAX-RS with a
>   @Path("{thingURI}/description") with a string
>   @PathParam("thingURI") thing, JAX-RS would set the "thing"
>   parameter to "https://example.info/foobar"?? I highly doubt that.

I've never used a RESTful API framework, but you can always pull the
full URI from a request and do whatever you want with it.

> Either I'm missing something and I'm going to learn something cool;
> or you missed some of the details of what I wrote. :) If I'm
> missing something, please explain because I'm ready to learn!

No, I got it. I just didn't realize that the opaqueness of the
{thingURI} had to be ... so opaque.

The only problem you are running into is the inertia of history.
http://example.com/foo%2fbar has sometimes been interpreted to mean
the same thing as http://example.com/foo/bar even though it should
never have been so. Erring on the side of security seems to be a Good
Thing these days.

If your application isn't rendered insecure by setting
ALLOW_ENCODED_SLASH=true, then by all means, use it.

As for not setting it for the whole server, that's hard to do, since
the URL-decoding must happen before the request is mapped to a
particular application.

- -chris
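
Added example (not part of the original message, and not Tomcat or JAX-RS code): a small Python model of the two decoding orders discussed in this thread, showing why `%2F` is data when the path is split before decoding and a delimiter when it is decoded first. The function names and the `precheck` status codes are assumptions made for this illustration; the sample paths are the ones quoted in the thread.

```python
import re
from urllib.parse import unquote

# Matches an encoded slash in either case (%2F or %2f).
ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)


def split_then_decode(raw_path):
    """Split on literal '/' first, then percent-decode each segment.

    With this order an encoded slash stays inside its segment.
    """
    return [unquote(seg) for seg in raw_path.split("/")[1:]]


def decode_then_split(raw_path):
    """Decode the whole path first, then split.

    This is the historical reading in which /foo%2fbar means /foo/bar.
    """
    return unquote(raw_path).split("/")[1:]


def match_template(raw_path, template):
    """Match a raw request path against a template such as
    '/{thingURI}/description'. Returns the captured variables, or None.
    (Hypothetical helper, loosely modelled on path-template matching.)
    """
    segments = split_then_decode(raw_path)
    pattern = template.split("/")[1:]
    if len(segments) != len(pattern):
        return None
    captured = {}
    for seg, pat in zip(segments, pattern):
        if pat.startswith("{") and pat.endswith("}"):
            captured[pat[1:-1]] = seg
        elif pat != seg:
            return None
    return captured


def interpretations_disagree(raw_path):
    """True when two components using different decoding orders would see
    different path segments for the same request line."""
    return split_then_decode(raw_path) != decode_then_split(raw_path)


def precheck(raw_path, allow_encoded_slash=False):
    """Simplified model of a server that refuses encoded slashes unless the
    operator opted in (the ALLOW_ENCODED_SLASH=true case in the thread).
    Returns an HTTP status code; the values are assumptions of this model.
    """
    if not allow_encoded_slash and ENCODED_SLASH.search(raw_path):
        return 400
    return 200


if __name__ == "__main__":
    # Sample paths taken from the thread.
    samples = [
        "/foo%2fbar",
        "/foo/bar",
        "/https%3A%2F%2Fexample.info%2Ffoobar/description",
        "/https%3A//example.info/foobar/description",
    ]
    for path in samples:
        print(path)
        print("  split-then-decode:", split_then_decode(path))
        print("  decode-then-split:", decode_then_split(path))
        print("  template match   :",
              match_template(path, "/{thingURI}/description"))
        print("  disagree         :", interpretations_disagree(path))
        print("  default precheck :", precheck(path))
```

A path for which `interpretations_disagree` returns true is one where a proxy, a security constraint and the application can each be looking at a different resource, which is the reason for deciding the encoded-slash setting per deployment rather than enabling it by habit.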



Re: latest situation with escaped path delimiters in URI

2019-02-05 Thread Garret Wilson

On 2/3/2019 9:34 PM, Mark Thomas wrote:



> >   * If this setting is still needed in some cases, is there any way to
> >     control it without resorting to a system property? (System
> >     properties are not very flexible, and Tomcat has many layers of more
> >     manipulable settings, as you all would know better than me.)
>
> No. Moving system properties to more fine-grained configuration
> locations is on the TODO list.



Is there really an actual to-do list, or were you speaking 
metaphorically? I'd be interested in looking at it.


I was crossing my fingers that https://github.com/apache/tomcat would 
actually be using the issue tracker, and that would be the to-do list, 
but I suppose I was expecting too much. Speaking of which, is the GitHub 
repository the canonical place for source code? Because 
https://tomcat.apache.org/svn.html claims that Tomcat still uses 
Subversion and that Git is just a read-only mirror, even though
https://git.apache.org/ claims that some projects have switched to 
GitHub for their primary SCM.


I'm really interested in contributing, but I shudder at thinking about 
regressing a decade to start messing with Subversion (just 
`.gitattributes` and how it more or less fixes the CRLF nightmare is a
huge thing) and submitting patches rather than commenting on pull 
requests. (I have nothing against Subversion, mind you. I thought it was 
wonderful and I once used the property system extensively for per-file 
metadata in a custom CRM. But for a SCM… the world has moved on.) What's 
the Tomcat source code status?


Returning to the subject, do you have a list of system properties you'd 
be interested in making configurable, and would this be a welcome 
contribution? Where in the code could I look before committing myself?


Cheers,

Garret





Re: Tomcat gives 404 for file that exists

2019-02-05 Thread Christopher Schultz

Joel,

On 2/5/19 08:56, Joel Griffith wrote:
> On Mon, Feb 4, 2019 at 4:50 PM Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Joel,
> 
> On 2/4/19 16:35, Joel Griffith wrote:
>> I've installed Tomcat 8.0.32 a local Ubuntu 16.04 VM (Oracle
>> VirtualBox) and I'm using it to access a webapp through the
>> laptop the VM is local to. The VM port-forwards 3081 to 8080,
>> so I can access Tomcat as `http://127.0.0.1:3081/` in
>> my laptop browser.
> 
> Are you sure it's going to the Tomcat you think it's going to?
> 
> I'm not at all certain.  I didn't even know there was more than
> one.  How can I tell?

I was thinking that maybe you had either more than one Tomcat running
or that your port-forwarding wasn't working the way you thought it was.

>> Accessing `http://127.0.0.1:3081/`  gives
>> the default page stored in
>> `/var/lib/tomcat8/webapps/ROOT/index.html`.  So, Tomcat is able 
>> to find and serve from the `webapps/` directory.
>> 
>> However, if I try to access 
>> `http://127.0.0.1:3081/myWebapp/index.html`, which exists as 
>> `/var/lib/tomcat8/webapps/myWebapp/index.html`, Tomcat returns a 
>> 404, reporting that the requested resource is unavailable.
>> 
>> `/var/lib/tomcat8/webapps/myWebapp/WEB-INF/web.xml` exists and
>> is identical to that used in a functioning setup on a different 
>> server.
>> 
>> What am I missing?  Why can Tomcat find
>> `webapps/ROOT/index.html` but not `webapps/myWebapp/index.html`?
> 
> Do you have an AccessLogValve enabled for the server? Is it showing
> your requests and the 404 response when you make a request?
> 
> 
>> Yes, and yes.

Okay, that's (sort of) good. It means that your request is going to
the right place.

If you delete your log files and start Tomcat cleanly, what does
catalina.out say about which applications were started? You should
have some log entries that look like this:

INFO: Deploying web application directory [/path/to/your/webappp]
...
INFO: Deployment of web application directory [/path/to/your/webapp]
has finished in [6,417] ms


- -chris



Re: request.getContextPath() behind a proxy (apache/nginx)

2019-02-05 Thread Christopher Schultz

Guido,

On 2/5/19 05:33, Jäkel, Guido wrote:
>> On 05/02/2019 08:23, Johan Compagner wrote:
>>> problem is that our customers are doing this. also they can
>>> have 1 tomcat with a few webapps that they want to map under 
>>> different domains
>>> 
>>> so that would mean for them starting 3 different tomcats under
>>> 3 different ports and configure all that thats not always
>>> something they want to do. So i guess the only way for me is to
>>> have some kind of setting (per context)
>> 
>> They would be better configuring Tomcat with virtual hosts and
>> having three ROOT webapps.
>> 
>> Mark
> 
> Dear Johan,
> 
> as Christopher and Mark wrote: If possible in any way, please
> avoid to handle it via rewriting on a reverse proxy and prefer to
> set up the Tomcat to serve the application on the same domain and
> context path as used "outside" in front of the proxy.
The domain doesn't even matter. Tomcat will happily host applications
on any domain without interfering. If you want the same web
application serving requests to example.com, example1.com, and
example2.com, there is no additional configuration necessary than if
they were only serving example.com alone.

- -chris



Re: Number of tomcat downloads

2019-02-05 Thread Christopher Schultz

Leon,

On 2/5/19 05:35, Leon Rosenberg wrote:
> A little background on the original question: we have some legal
> issues with a client, among other things, he claims that our code
> isn't documented well, because he run checkstyle on it, and it
> showed 6000 errors. My argumentation was that default checkstyle
> settings aren't telling anything about code quality (unless agreed
> upon upfront). I run checkstyle with default settings on tomcat
> code base and it showed 85.412 errors using sun code checks (yes,
> those from 1996). Most of them are like:
> 
> AbstractFramedStreamSourceChannel
>
> this line produces multiple warnings, for example ',' not followed by a
> whitespace and such.
> 
> if(attachments == null) - if not followed by a whitespace etc.
> 
> Hence if such a mature product like tomcat (with 10.000.000
> installations) contains 85412 errors and is considered well
> documented, he is using the wrong tool for the task.

LOL try running checkstyle or SpotBugs against WebLogic and see what
happens.

- -chris



Re: Number of tomcat downloads

2019-02-05 Thread Christopher Schultz

Mark,

On 2/5/19 04:46, Mark Thomas wrote:
> On 05/02/2019 04:52, Igal Sapir wrote:
>> On that note, should we add Google Analytics to the new site?
>> Obviously it will only give us information moving forward, but it
>> can be interesting.
> 
> No. There are some internal discussions ongoing about the use of
> GA. We should wait for those to conclude before considering adding
> it to our site.

I think we should soundly reject the use of GA for a number of reasons.

One of those reasons is that, with very little effort, we can get the
data we want without violating anyone's privacy by running our own
analytics: https://matomo.org/

- -chris



Re: Number of tomcat downloads

2019-02-05 Thread Christopher Schultz

Igal,

On 2/4/19 23:52, Igal Sapir wrote:
> On Mon, Feb 4, 2019 at 3:58 PM Leon Rosenberg
>  wrote:
> 
>> Hi,
>> 
>> I vaguely remember Marc naming some figures for number of tomcat
>> downloads sofar, but I couldn't find anything in the state of the
>> cat slides. I checked on the website, but all I found was this:
>> 
>> " Tomcat has been downloaded more than 10 million times: assuming
>> even a 1% production adoption rate results in more than 10
>> installations. " But this is from 2014 and I assume there should
>> be a better number by now.
>> 
> 
> I don't think that it is tracked ATM, unless INFRA aggregates the
> web server logs and records the metrics somewhere.
> 
> On that note, should we add Google Analytics to the new site?

Hard pass, thank you very much.

- -chris



Re: request.getContextPath() behind a proxy (apache/nginx)

2019-02-05 Thread John Dale
I've encountered something similar in the past, but it was around
access logging.  It all depends on what the load balancer can forward
to tomcat in headers.

Port forwarding and resolving internally to the same domain externally
seems to be how Tomcat wants to handle your issue.

JMX M-Beans can offer some help in resolving request domains as well,
but can get kind of ugly, and I'm not sure how portable that is.

On 2/5/19, Johan Compagner  wrote:
> On Tue, 5 Feb 2019 at 11:34, Jäkel, Guido  wrote:
>
>> >On 05/02/2019 08:23, Johan Compagner wrote:
>> >> problem is that our customers are doing this.
>> >> also they can have 1 tomcat with a few webapps that they want to map
>> under
>> >> different domains
>> >>
>> >> so that would mean for them starting 3 different tomcats under 3
>> different
>> >> ports and configure all that
>> >> thats not always something they want to do.
>> >> So i guess the only way for me is to have some kind of setting (per
>> context)
>> >
>> >They would be better configuring Tomcat with virtual hosts and having
>> >three ROOT webapps.
>> >
>> >Mark
>>
>> Dear Johan,
>>
>> as Christopher and Mark wrote: If possible in any way, please avoid to
>> handle it via rewriting on a reverse proxy and prefer to set up the
>> Tomcat
>> to serve the application on the same domain and context path as used
>> "outside" in front of the proxy.
>>
>> If you real can't avoid, you have to do a forward rewriting of the used
>> header (e.g. hostname) and/or URL pattern in the one hand, but also a
>> complex backward rewriting of the answer! You have to back-rewrite parts
>> of
>> the answer header (Cookies, Locations, Links, ...) and the embedded URLs
>> in
>> the content of different MIME types (HTML, CSS, javascript, JSON, ...).
>> As
>> a consequence, you have either to forbid compression of the returned body
>> or (even more complex) decompress/modify/recompress it on the fly.
>>
>> Sometimes, I simply can't avoid because we need to have an application
>> available on two "addresses" while migration or something similar. And if
>> the application itself can't be run in two instances I know no other way.
>> But's it a real burden every time.
>>
>>
>>
> yeah i think we will document that if they want to have a reverse proxy in
> front of it that maps it on root (very likely)
> then they also should map the WAR on root in the tomcat behind that
> And if they have multiply wars they should try to use virtual hosting on
> tomcat as Mark described
> As a last resort i think i will add a configuration param (per context)
> where they can override it
>
>
> --
> Johan Compagner
> Servoy
>




Re: Tomcat gives 404 for file that exists

2019-02-05 Thread Joel Griffith
On Mon, Feb 4, 2019 at 4:50 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Joel,
>
> On 2/4/19 16:35, Joel Griffith wrote:
> > I've installed Tomcat 8.0.32 a local Ubuntu 16.04 VM (Oracle
> > VirtualBox) and I'm using it to access a webapp through the laptop
> > the VM is local to. The VM port-forwards 3081 to 8080, so I can
> > access Tomcat as `http://127.0.0.1:3081/` in
> > my laptop browser.
>
> Are you sure it's going to the Tomcat you think it's going to?
>

I'm not at all certain.  I didn't even know there was more than one.  How
can I tell?

> > Accessing `http://127.0.0.1:3081/` gives the
> > default page stored
> > in `/var/lib/tomcat8/webapps/ROOT/index.html`.  So, Tomcat is able
> > to find and serve from the `webapps/` directory.
> >
> > However, if I try to access
> > `http://127.0.0.1:3081/myWebapp/index.html`, which exists as
> > `/var/lib/tomcat8/webapps/myWebapp/index.html`, Tomcat returns a
> > 404, reporting that the requested resource is unavailable.
> >
> > `/var/lib/tomcat8/webapps/myWebapp/WEB-INF/web.xml` exists and is
> > identical to that used in a functioning setup on a different
> > server.  It was originally written for a Tomcat 7 deployment, I
> > think, but there's nothing in it that seems to have anything to do
> > with these URLs, so I don't think it's a problem with that file.
> > Similarly, `/var/lib/tomcat8/conf/server.xml` exists and is
> > virtually identical to that used in the other (functioning)
> > deployment.
> >
> > All of the information I've been able to scrape together from web
> > searches over the past two days indicate that the presence of a
> > folder within the `webapps/` directory is sufficient for Tomcat to
> > recognize and register it as a Context.  I'm at a complete loss for
> > what else I need to do to have Tomcat serve the file
> > `webapps/myWebapp/index.html`
> >
> > What am I missing?  Why can Tomcat find `webapps/ROOT/index.html`
> > but not `webapps/myWebapp/index.html`?
>
> Do you have an AccessLogValve enabled for the server? Is it showing
> your requests and the 404 response when you make a request?
>

Yes, and yes.


> - -chris


Re: request.getContextPath() behind a proxy (apache/nginx)

2019-02-05 Thread Johan Compagner
On Tue, 5 Feb 2019 at 11:34, Jäkel, Guido  wrote:

> >On 05/02/2019 08:23, Johan Compagner wrote:
> >> problem is that our customers are doing this.
> >> also they can have 1 tomcat with a few webapps that they want to map
> >> under different domains
> >>
> >> so that would mean for them starting 3 different tomcats under 3
> >> different ports and configure all that
> >> that's not always something they want to do.
> >> So i guess the only way for me is to have some kind of setting (per
> >> context)
> >
> >They would be better configuring Tomcat with virtual hosts and having
> >three ROOT webapps.
> >
> >Mark
>
> Dear Johan,
>
> as Christopher and Mark wrote: If possible in any way, please avoid
> handling it via rewriting on a reverse proxy and prefer to set up the Tomcat
> to serve the application on the same domain and context path as used
> "outside" in front of the proxy.
>
> If you really can't avoid it, you have to do a forward rewriting of the used
> header (e.g. hostname) and/or URL pattern on the one hand, but also a
> complex backward rewriting of the answer! You have to back-rewrite parts of
> the answer header (Cookies, Locations, Links, ...) and the embedded URLs in
> the content of different MIME types (HTML, CSS, JavaScript, JSON, ...). As
> a consequence, you have either to forbid compression of the returned body
> or (even more complex) decompress/modify/recompress it on the fly.
>
> Sometimes, I simply can't avoid it because we need to have an application
> available on two "addresses" during a migration or something similar. And if
> the application itself can't be run in two instances I know no other way.
> But it's a real burden every time.
>
>
>
yeah i think we will document that if they want to have a reverse proxy in
front of it that maps it on root (very likely)
then they also should map the WAR on root in the tomcat behind that
And if they have multiple WARs they should try to use virtual hosting on
tomcat as Mark described
As a last resort i think i will add a configuration param (per context)
where they can override it


-- 
Johan Compagner
Servoy
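
The virtual-host layout Mark describes (one Tomcat, one ROOT webapp per domain), sketched as a `server.xml` fragment. This is an added example, not configuration posted in the thread; the hostnames, `appBase` directory names and log prefix are placeholders.

```xml
<!-- conf/server.xml (fragment). Added example: hostnames, appBase
     directory names and the log prefix are placeholders, not values
     taken from the thread. -->
<Engine name="Catalina" defaultHost="app1.example.com">

  <!-- Each Host has its own appBase holding a single ROOT.war, so the
       application is deployed at context path "" and
       request.getContextPath() matches the public URL with no rewriting
       of Location headers, cookie paths or embedded links. -->
  <Host name="app1.example.com" appBase="webapps-app1"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true">
    <!-- Per-host access log, to confirm which Host served a request -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="app1_access" suffix=".log"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>

  <Host name="app2.example.com" appBase="webapps-app2"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true" />

  <Host name="app3.example.com" appBase="webapps-app3"
        unpackWARs="true" autoDeploy="false" deployOnStartup="true" />

  <!-- Host selection uses the request's Host header, so the reverse
       proxy must forward the original one unchanged:
         Apache httpd: ProxyPreserveHost On
         nginx:        proxy_set_header Host $host;
       A request with an unknown Host header falls through to
       defaultHost. -->
</Engine>
```

With this layout the on-disk structure is `webapps-app1/ROOT.war`, `webapps-app2/ROOT.war` and `webapps-app3/ROOT.war`, and the proxy maps `/` to `/` for every domain.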


Re: Number of tomcat downloads

2019-02-05 Thread Leon Rosenberg
A little background on the original question: we have some legal issues
with a client, among other things, he claims that our code isn't documented
well, because he ran checkstyle on it, and it showed 6000 errors. My
argumentation was that default checkstyle settings aren't telling anything
about code quality (unless agreed upon upfront). I ran checkstyle with
default settings on tomcat code base and it showed 85.412 errors using sun
code checks (yes, those from 1996). Most of them are like:

 
AbstractFramedStreamSourceChannel
this line produces multiple warnings, for example ',' not followed by a
whitespace and such.

if(attachments == null) - if not followed by a whitespace etc.

Hence if such a mature product like tomcat (with 10.000.000 installations)
contains 85412 errors and is considered well documented, he is using the
wrong tool for the task.

regards
Leon


On Tue, Feb 5, 2019 at 11:25 AM Leon Rosenberg 
wrote:

> Thank you very much Igal, Marc and Emmanuel.
>
> regards
> Leon
>
> On Tue, Feb 5, 2019 at 11:23 AM Emmanuel Bourg  wrote:
>
>> On 05/02/2019 at 00:48, Leon Rosenberg wrote:
>>
>> > I vaguely remember Marc naming some figures for number of tomcat
>> > downloads so far, but I couldn't find anything in the state of the cat
>> > slides.
>> > I checked on the website, but all I found was this:
>> >
>> > " Tomcat has been downloaded more than 10 million times: assuming even
>> > a 1% production adoption rate results in more than 10 installations. "
>> > But this is from 2014 and I assume there should be a better number by
>> > now.
>> >
>> > Anyone? Asking for a friend ;-)
>>
>> Some numbers, from Debian:
>>
>>
>> https://qa.debian.org/popcon-graph.php?packages=tomcat9+tomcat8+tomcat7+tomcat6_installed=on_legend=on_ticks=on_date=_date=_date=_fmt=%25Y-%25m=1
>>
>> around 2400 installations reported by popcon, rather stable over the
>> years.
>>
>> From Ubuntu:
>>
>>   https://popcon.ubuntu.com/by_inst
>>
>>   tomcat6   15785
>>   tomcat72122
>>   tomcat8 117
>>
>> And from Netcraft:
>>
>>
>> https://news.netcraft.com/archives/2018/12/17/december-2018-web-server-survey.html
>>
>> Netcraft reported ~60 domains served by Tomcat.
>>
>> Emmanuel Bourg
>>


RE: request.getContextPath() behind a proxy (apache/nginx)

2019-02-05 Thread Jäkel , Guido
>On 05/02/2019 08:23, Johan Compagner wrote:
>> problem is that our customers are doing this.
>> also they can have 1 tomcat with a few webapps that they want to map under
>> different domains
>>
>> so that would mean for them starting 3 different tomcats under 3 different
>> ports and configure all that
>> that's not always something they want to do.
>> So i guess the only way for me is to have some kind of setting (per context)
>
>They would be better configuring Tomcat with virtual hosts and having
>three ROOT webapps.
>
>Mark

Dear Johan,

as Christopher and Mark wrote: If possible in any way, please avoid handling
it via rewriting on a reverse proxy and prefer to set up the Tomcat to serve
the application on the same domain and context path as used "outside" in front
of the proxy.

If you really can't avoid it, you have to do a forward rewriting of the used
header (e.g. hostname) and/or URL pattern on the one hand, but also a complex
backward rewriting of the answer! You have to back-rewrite parts of the answer
header (Cookies, Locations, Links, ...) and the embedded URLs in the content of
different MIME types (HTML, CSS, JavaScript, JSON, ...). As a consequence, you
have either to forbid compression of the returned body or (even more complex)
decompress/modify/recompress it on the fly.

Sometimes, I simply can't avoid it because we need to have an application
available on two "addresses" during a migration or something similar. And if the
application itself can't be run in two instances I know no other way. But it's
a real burden every time.

with greetings

Guido


Re: Number of tomcat downloads

2019-02-05 Thread Leon Rosenberg
Thank you very much Igal, Marc and Emmanuel.

regards
Leon

On Tue, Feb 5, 2019 at 11:23 AM Emmanuel Bourg  wrote:

> On 05/02/2019 at 00:48, Leon Rosenberg wrote:
>
> > I vaguely remember Marc naming some figures for number of tomcat
> > downloads so far, but I couldn't find anything in the state of the cat
> > slides.
> > I checked on the website, but all I found was this:
> >
> > " Tomcat has been downloaded more than 10 million times: assuming even a
> > 1% production adoption rate results in more than 10 installations. "
> > But this is from 2014 and I assume there should be a better number by
> > now.
> >
> > Anyone? Asking for a friend ;-)
>
> Some numbers, from Debian:
>
>
> https://qa.debian.org/popcon-graph.php?packages=tomcat9+tomcat8+tomcat7+tomcat6_installed=on_legend=on_ticks=on_date=_date=_date=_fmt=%25Y-%25m=1
>
> around 2400 installations reported by popcon, rather stable over the years.
>
> From Ubuntu:
>
>   https://popcon.ubuntu.com/by_inst
>
>   tomcat6   15785
>   tomcat72122
>   tomcat8 117
>
> And from Netcraft:
>
>
> https://news.netcraft.com/archives/2018/12/17/december-2018-web-server-survey.html
>
> Netcraft reported ~60 domains served by Tomcat.
>
> Emmanuel Bourg
>


Re: Number of tomcat downloads

2019-02-05 Thread Emmanuel Bourg
On 05/02/2019 at 00:48, Leon Rosenberg wrote:

> I vaguely remember Marc naming some figures for number of tomcat downloads
> so far, but I couldn't find anything in the state of the cat slides.
> I checked on the website, but all I found was this:
> 
> " Tomcat has been downloaded more than 10 million times: assuming even a 1%
> production adoption rate results in more than 10 installations. "
> But this is from 2014 and I assume there should be a better number by now.
> 
> Anyone? Asking for a friend ;-)

Some numbers, from Debian:

https://qa.debian.org/popcon-graph.php?packages=tomcat9+tomcat8+tomcat7+tomcat6_installed=on_legend=on_ticks=on_date=_date=_date=_fmt=%25Y-%25m=1

around 2400 installations reported by popcon, rather stable over the years.

From Ubuntu:

  https://popcon.ubuntu.com/by_inst

  tomcat6   15785
  tomcat72122
  tomcat8 117

And from Netcraft:

https://news.netcraft.com/archives/2018/12/17/december-2018-web-server-survey.html

Netcraft reported ~60 domains served by Tomcat.

Emmanuel Bourg




Re: request.getContextPath() behind a proxy (apache/nginx)

2019-02-05 Thread Mark Thomas
On 05/02/2019 08:23, Johan Compagner wrote:
> problem is that our customers are doing this.
> also they can have 1 tomcat with a few webapps that they want to map under
> different domains
> 
> so that would mean for them starting 3 different tomcats under 3 different
> ports and configure all that
> that's not always something they want to do.
> So i guess the only way for me is to have some kind of setting (per context)

They would be better configuring Tomcat with virtual hosts and having
three ROOT webapps.

Mark


> 
> 
> On Mon, 4 Feb 2019 at 22:40, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Johan,
> 
> On 2/4/19 07:09, Johan Compagner wrote:
> > There are many older post for this on stackoverflow and so on
> > https://stackoverflow.com/questions/10050550/why-does-getcontextpath-under-a-proxy-return-the-internal-path-inside-httpserv
> >
> > but i wonder what the latest state of that is, we have a lot of
> > proxy settings for host and scheme But is there something (a
> > header) that a proxy can set so that Tomcat returns the right
> > context path on that getContextPath() call?
>
> This is #49 on the list of "why you shouldn't be munging context paths
> within a reverse-proxy".
>
> > Or are there headers that we have to check manually?
> >
> > If this is not the case then i guess the only way to fix this is to
> > make it a configuration in our product something like
> >
> > String context = settings.getProperty("context.path",
> > request.getContextPath());
> >
> > (get the context from the settings if not there use the default
> > value which is from the request)
> >
> > So the problem is mostly because of virtual hosts i guess
> >
> > where
> >
> > Proxy / is mapped to AppServer /Webapp1
> 
> How about "don't do that"?
> 
> If you want to host your application on /, then host it on / and not
> /Webapp1.
> 
> -chris



Re: Number of tomcat downloads

2019-02-05 Thread Mark Thomas
On 05/02/2019 04:52, Igal Sapir wrote:
> On Mon, Feb 4, 2019 at 3:58 PM Leon Rosenberg 
> wrote:
> 
>> Hi,
>>
>> I vaguely remember Marc naming some figures for number of tomcat downloads
>> so far, but I couldn't find anything in the state of the cat slides.
>> I checked on the website, but all I found was this:
>>
>> " Tomcat has been downloaded more than 10 million times: assuming even a 1%
>> production adoption rate results in more than 10 installations. "
>> But this is from 2014 and I assume there should be a better number by now.

Those figures are VERY out of date.

> I don't think that it is tracked ATM, unless INFRA aggregates the web
> server logs and records the metrics somewhere.

We have our own web server logs but since most downloads will be via the
mirror network we can't track those.

We can track requests for the download page. They are currently running
at ~1,800,000 requests per month for the download pages. I can see that
archive.apache.org saw ~2,000,000 requests to download a Tomcat
distribution in the last month. I suspect a lot of folks have
(incorrectly) pointed their build tools at archive.a.o rather than the
mirror network.

We can track downloads via Maven Central. They are currently running at:
- 2,000,000 to 2,500,000 per month for embedded
- 20,000 to 25,000 per month for the standard binary distribution
- 120,000 to 140,000 per month for the standard JARs

We have no figures for downloads via mechanisms such as Linux package
managers, Docker, etc.

Make of those figures what you will.


> On that note, should we add Google Analytics to the new site?  Obviously it
> will only give us information moving forward, but it can be interesting.

No. There are some internal discussions ongoing about the use of GA. We
should wait for those to conclude before considering adding it to our site.

Mark




Re: request.getContextPath() behind a proxy (apache/nginx)

2019-02-05 Thread Johan Compagner
problem is that our customers are doing this.
also they can have 1 tomcat with a few webapps that they want to map under
different domains

so that would mean for them starting 3 different tomcats under 3 different
ports and configure all that
that's not always something they want to do.
So i guess the only way for me is to have some kind of setting (per context)


On Mon, 4 Feb 2019 at 22:40, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Johan,
>
> On 2/4/19 07:09, Johan Compagner wrote:
> > There are many older post for this on stackoverflow and so on
> > https://stackoverflow.com/questions/10050550/why-does-getcontextpath-under-a-proxy-return-the-internal-path-inside-httpserv
> >
> >  but i wonder what the latest state of that is, we have a lot of
> > proxy settings for host and scheme But is there something (a
> > header) that a proxy can set so that Tomcat returns the right
> > context path on that getContextPath() call?
>
> This is #49 on the list of "why you shouldn't be munging context paths
> within a reverse-proxy".
>
> > Or are there headers that we have to check manually?
> >
> > If this is not the case then i guess the only way to fix this is to
> > make it a configuration in our product something like
> >
> > String context = settings.getProperty("context.path",
> > request.getContextPath());
> >
> > (get the context from the settings if not there use the default
> > value which is from the request)
> >
> > So the problem is mostly because of virtual hosts i guess
> >
> > where
> >
> > Proxy / is mapped to AppServer /Webapp1
>
> How about "don't do that"?
>
> If you want to host your application on /, then host it on / and not
> /Webapp1.
>
> -chris

-- 
Johan Compagner
Servoy