Re: Requirements to support HTTPS
Perfect. Thanks, Mark!

On Sat, Mar 25, 2023 at 2:37 PM Mark Thomas wrote:

> On 25/03/2023 14:16, Blake McBride wrote:
> > Greetings,
> >
> > I wanted to confirm my suspicions regarding packages needed in tomcat to
> > support HTTPS.
> >
> > The config I am using is:
> >
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> > ...
> >
> > My suspicion is:
> >
> > OpenSSL - needed
> > APR - needed
> > Tomcat-native - not needed
> >
> > Is that correct?
>
> No. For that configuration you can use Tomcat Native 1.2.x or 2.0.x.
>
> Tomcat Native depends on OpenSSL and APR. Whether you need to provide
> those dependencies explicitly will depend on how you have obtained
> Tomcat Native. The Windows binaries include all dependencies via static
> linking. Most (all?) Linux distributions use dynamic linking and should
> have the correct dependencies set so installed Tomcat Native installs
> the dependencies.
>
> Or just use JSSE which is a pure Java solution.
>
> Mark
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Requirements to support HTTPS
On 25/03/2023 14:16, Blake McBride wrote:
> Greetings,
>
> I wanted to confirm my suspicions regarding packages needed in tomcat to
> support HTTPS.
>
> The config I am using is:
>
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> ...
>
> My suspicion is:
>
> OpenSSL - needed
> APR - needed
> Tomcat-native - not needed
>
> Is that correct?

No. For that configuration you can use Tomcat Native 1.2.x or 2.0.x.

Tomcat Native depends on OpenSSL and APR. Whether you need to provide
those dependencies explicitly will depend on how you have obtained
Tomcat Native. The Windows binaries include all dependencies via static
linking. Most (all?) Linux distributions use dynamic linking and should
have the correct dependencies set so installed Tomcat Native installs
the dependencies.

Or just use JSSE which is a pure Java solution.

Mark
Re: Requirements to support HTTPS
Hi Chris,

Thanks for the response! However, I think what I am experiencing and what you are saying are at odds.

I have native installed, but it is the wrong version and doesn't work with my tomcat. So, essentially, it's not installed. (Unless the new protocol I am using just doesn't use the problem areas of native.) When I switched to the configuration shown, it worked. I assume it's not using native because of the trouble I had before.

So, are you sure I need native with the config I show?

Thanks a lot!

Blake

On Sat, Mar 25, 2023 at 12:54 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Blake,
>
> On 3/25/23 10:16, Blake McBride wrote:
> > I wanted to confirm my suspicions regarding packages needed in tomcat to
> > support HTTPS.
>
> You don't need anything except the core Tomcat and a reasonably recent
> JVM to support HTTPS. You may have some other requirements you'd like to
> place on top of that, but you haven't mentioned what those might be.
>
> > The config I am using is:
> >
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> > ...
> >
> > My suspicion is:
> >
> > OpenSSL - needed
> > APR - needed
> > Tomcat-native - not needed
> >
> > Is that correct?
>
> No, Tomcat native contains the glue you need to get at OpenSSL, so you
> need all of those things.
>
> You may not need OpenSSL and therefore that whole stack. Do you need
> particularly high-performance TLS?
>
> -chris
Re: Requirements to support HTTPS
idk I went overboard and made my own CA and signed some certs lol

On Sat, Mar 25, 2023, 13:54 Christopher Schultz <ch...@christopherschultz.net> wrote:

> Blake,
>
> On 3/25/23 10:16, Blake McBride wrote:
> > I wanted to confirm my suspicions regarding packages needed in tomcat to
> > support HTTPS.
>
> You don't need anything except the core Tomcat and a reasonably recent
> JVM to support HTTPS. You may have some other requirements you'd like to
> place on top of that, but you haven't mentioned what those might be.
>
> > The config I am using is:
> >
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> > ...
> >
> > My suspicion is:
> >
> > OpenSSL - needed
> > APR - needed
> > Tomcat-native - not needed
> >
> > Is that correct?
>
> No, Tomcat native contains the glue you need to get at OpenSSL, so you
> need all of those things.
>
> You may not need OpenSSL and therefore that whole stack. Do you need
> particularly high-performance TLS?
>
> -chris
Re: Requirements to support HTTPS
Blake,

On 3/25/23 10:16, Blake McBride wrote:
> I wanted to confirm my suspicions regarding packages needed in tomcat to
> support HTTPS.

You don't need anything except the core Tomcat and a reasonably recent
JVM to support HTTPS. You may have some other requirements you'd like to
place on top of that, but you haven't mentioned what those might be.

> The config I am using is:
>
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> ...
>
> My suspicion is:
>
> OpenSSL - needed
> APR - needed
> Tomcat-native - not needed
>
> Is that correct?

No, Tomcat native contains the glue you need to get at OpenSSL, so you
need all of those things.

You may not need OpenSSL and therefore that whole stack. Do you need
particularly high-performance TLS?

-chris
Re: Can't get RemoteIpValve to work
Leon,

On 3/24/23 10:09, Leon Rosenberg wrote:
> Full log output (dumping out headers, without the valve):
>
> 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: host; value: api.myhost.net
> 6049752 2023-03-24 14:07:59,749 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: user-agent; value: Wget/1.21.3
> 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: accept; value: */*
> 6049754 2023-03-24 14:07:59,751 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: accept-encoding; value: identity
> 6049755 2023-03-24 14:07:59,752 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-for; value: 217.110.113.178
> 6049756 2023-03-24 14:07:59,753 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-host; value: api.myhost.net
> 6049757 2023-03-24 14:07:59,754 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: x-forwarded-server; value: api.myhost.net
> 6049758 2023-03-24 14:07:59,755 [http-apr-8080-exec-13] INFO n.a.c.extapi.ping.PingResource:38 - key: connection; value: Keep-Alive

So you have x-forwarded-host set to "api.myhost.net" but you are using IP-allowing 10.something. Maybe you need to IP-allow "api.myhost.net". Or maybe you want to set httpd to send an IP instead of a hostname? Or maybe you need to enable DNS resolution on Tomcat? Or maybe api.myhost.net resolves to the public-IP of the reverse-proxy?

> 217.110.113.178 is my ip, so the value is correct.

Good.

-chris

> On Fri, Mar 24, 2023 at 3:07 PM Leon Rosenberg wrote:
> > yeah, interestingly enough removing ipvalve and adding access log magic, puts the X-Forwarded-For in the localhost_access.log ... but strange nevertheless.
> >
> > On Fri, Mar 24, 2023 at 11:44 AM Mark Thomas wrote:
> > > Maybe try commenting out the RemoteIpValve in Tomcat and retest so you can see exactly what headers Tomcat is seeing.
> > >
> > > Alternatively, since this is over http, Wireshark or similar could help.
> > >
> > > Mark
> > >
> > > On 24/03/2023 10:29, Leon Rosenberg wrote:
> > > > Hi,
> > > >
> > > > we have following setup: apache 2.4 on a ubuntu host, in front of docker-container with tomcat9 (on same host). Connection is via apache mod_http/proxy. Internal IP of the host is 10.138.0.3 (where httpd and docker are running).
> > > >
> > > > In localhost_access log we see always 10.138.0.3 address. If going through port 8080 directly, without httpd, we see the correct IP-Address.
> > > >
> > > > We have added RemoteIpValve to server xml.
> > > >
> > > > http config also has ProxyAddHeaders on, also I understand that to be default anyway:
> > > >
> > > > ProxyPass / http://10.138.0.3:8080/
> > > > ProxyPassReverse / http://10.138.0.3:8080/
> > > > ProxyErrorOverride Off
> > > > ProxyAddHeaders On
> > > > Require all granted
> > > > ProxyAddHeaders On
> > > >
> > > > When we print out all headers in a request, the X-Forwarded-For is missing, so obviously tomcat does something with it, but doesn't trust the httpd? So probably the line internalProxies="10\.138\.0\.3" is wrong, but I can't get my head around it.
> > > >
> > > > any help would be highly appreciated
> > > >
> > > > kr
> > > > Leon
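The two observations in this thread (X-Forwarded-For vanishing from the request when the valve is active, and the proxy's 10.138.0.3 showing up as the client when it is not trusted) both follow from the address-resolution rules documented for RemoteIpValve, which the following model reproduces. This is an added example, not code from the thread or from Tomcat: the `Request` class and `remote_ip_valve` function are stand-ins written here, and apart from the thread's 10.138.0.3 and 217.110.113.178 the addresses used in it are constructed documentation-range values.

```python
import re
from dataclasses import dataclass, field

# Tomcat 9's documented default for internalProxies (RFC 1918, link-local, loopback).
TOMCAT_DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]\.\d{1,3}\.\d{1,3}|172\.2[0-9]\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)


@dataclass
class Request:
    """Hypothetical stand-in for the Catalina request: TCP peer plus headers."""
    remote_addr: str                              # address the connector saw on the socket
    headers: dict = field(default_factory=dict)   # lower-cased header name -> value


def remote_ip_valve(req, internal_proxies, trusted_proxies=None,
                    remote_ip_header="x-forwarded-for", proxies_header="x-forwarded-by"):
    """Apply the RemoteIpValve rules to `req` in place; return (client_ip, trusted_chain).

    The forwarding header is consulted only when the TCP peer matches internalProxies.
    It is walked right to left: internal hops are dropped, trustedProxies hops move to
    proxiesHeader, and the first hop that is neither becomes the client address. Hops
    left of the client stay in the header; an emptied header is removed entirely.
    """
    internal = re.compile(internal_proxies) if internal_proxies else None
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    if internal is None or not internal.fullmatch(req.remote_addr):
        return req.remote_addr, []   # peer is not a known proxy: header is ignored
    hops = [h.strip() for h in req.headers.get(remote_ip_header, "").split(",") if h.strip()]
    if not hops:
        return req.remote_addr, []   # nothing forwarded: request is left untouched
    trusted_chain, client_ip = [], req.remote_addr
    idx = len(hops) - 1
    while idx >= 0:
        client_ip = hops[idx]
        if internal.fullmatch(client_ip):
            pass                                  # internal hop: dropped silently
        elif trusted and trusted.fullmatch(client_ip):
            trusted_chain.insert(0, client_ip)    # trusted hop: recorded, keep walking
        else:
            idx -= 1                              # untrusted hop: this is the client
            break
        idx -= 1
    remaining = hops[:idx + 1]                    # unverified claims left of the client
    req.remote_addr = client_ip
    if trusted_chain:
        req.headers[proxies_header] = ", ".join(trusted_chain)
    else:
        req.headers.pop(proxies_header, None)
    if remaining:
        req.headers[remote_ip_header] = ", ".join(remaining)
    else:
        req.headers.pop(remote_ip_header, None)
    return client_ip, trusted_chain
```

If the valve does rewrite the address but localhost_access.log still reports the proxy, confirm that the AccessLogValve has requestAttributesEnabled set to true, since without it the access log records the socket peer rather than the address the valve set.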
Requirements to support HTTPS
Greetings,

I wanted to confirm my suspicions regarding packages needed in tomcat to support HTTPS.

The config I am using is:

protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
...

My suspicion is:

OpenSSL - needed
APR - needed
Tomcat-native - not needed

Is that correct?
Re: UnsatisfiedLinkError
Thanks, Mark! I switched to Nio2, and all is well.

Blake

On Sat, Mar 25, 2023 at 3:42 AM Mark Thomas wrote:

> You are using Tomcat Native 2.0.3. That does not support the HTTP
> APR/native connector (nor the AJP/native connector). You need to use
> Tomcat Native 1.2.x or switch to the HTTP NIO or HTTP NIO2 connector.
>
> Mark
>
> On 25/03/2023 01:13, Blake McBride wrote:
> > Greetings,
> >
> > I am getting an unsatisfied link error when I start up tomcat. Here are
> > some of the specifics:
> >
> > System: Ubuntu 20.04
> > Tomcat: 9.0.73
> > APR: 1.7.2
> > OpenSSL: 3.1.0
> >
> > Any help you can offer is greatly appreciated!
> >
> > Blake McBride
> >
> > Here is catalina.out:
> >
> > NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> > 24-Mar-2023 19:51:56.377 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.73
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Feb 27 2023 15:33:40 UTC
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.73.0
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 5.4.0-144-generic
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-17-openjdk-amd64
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 17.0.6+10-Ubuntu-0ubuntu120.04.1
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Private Build
> > 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /home/arahant/tomcat
> > 24-Mar-2023 19:51:56.382 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /home/arahant/tomcat
> > 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
> > 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
> > 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
> > 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
> > 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> > 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/home/arahant/tomcat/conf/logging.properties
> > 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> > 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
> > 24-Mar-2023 19:51:56.395 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> > 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> > 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms256M
> > 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx4524M
> > 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseZGC
> > 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:-ZUncommit
> > 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument:
Re: UnsatisfiedLinkError
You are using Tomcat Native 2.0.3. That does not support the HTTP
APR/native connector (nor the AJP/native connector). You need to use
Tomcat Native 1.2.x or switch to the HTTP NIO or HTTP NIO2 connector.

Mark

On 25/03/2023 01:13, Blake McBride wrote:
> Greetings,
>
> I am getting an unsatisfied link error when I start up tomcat. Here are
> some of the specifics:
>
> System: Ubuntu 20.04
> Tomcat: 9.0.73
> APR: 1.7.2
> OpenSSL: 3.1.0
>
> Any help you can offer is greatly appreciated!
>
> Blake McBride
>
> Here is catalina.out:
>
> NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> 24-Mar-2023 19:51:56.377 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.73
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: Feb 27 2023 15:33:40 UTC
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.73.0
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 5.4.0-144-generic
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-17-openjdk-amd64
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 17.0.6+10-Ubuntu-0ubuntu120.04.1
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Private Build
> 24-Mar-2023 19:51:56.381 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /home/arahant/tomcat
> 24-Mar-2023 19:51:56.382 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /home/arahant/tomcat
> 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
> 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
> 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
> 24-Mar-2023 19:51:56.393 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
> 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/home/arahant/tomcat/conf/logging.properties
> 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> 24-Mar-2023 19:51:56.394 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
> 24-Mar-2023 19:51:56.395 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms256M
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx4524M
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseZGC
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:-ZUncommit
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.library.path=/usr/local/apr/lib
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/home/arahant/tomcat
> 24-Mar-2023 19:51:56.396 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/home/arahant/tomcat
> 24-Mar-2023 19:51:56.396 INFO [main]