Re: Regarding Tomcat url redirection
Hi,

I have updated the certificate now, but still I cannot access the URL https://example.lbg.com/towl or https://server.lbg.com/towl. I wonder why it's working with port 8443 and not without the port.

On Thu, Apr 25, 2024 at 1:24 PM lavanya tech wrote:

> Hi Chris,
>
> One question / doubt:
>
> As I mentioned earlier, the below URLs are already working in the browser:
>
> https://server.lbg.com:8443/towl
>
> https://example.lbg.com:8443/towl -> redirect (which means when I hit it in the browser) it points to https://server.lbg.com:8443/towl ---> To be frank, even I do not need a redirect here, not sure why it redirects.
>
> My question is why it's working even though the SAN is not registered with the certificate? It does not even throw a warning in the browser.
>
> Why https://server.lbg.com/towl or https://example.lbg.com/towl --> How should it work with the new SAN certificate?
>
> Thanks,
> Lavanya
>
> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech wrote:
>
>> Hi Chris,
>>
>> Thanks, I will request a new certificate with SANs and I will try to fix the things from our end.
>>
>> Best Regards,
>> Lavanya
>>
>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>>
>>> Lavanya,
>>>
>>> On 4/24/24 15:39, lavanya tech wrote:
>>> > Local host means the machine I am logged in to: server.lbg.com
>>> >
>>> > You are right, example.lbg.com is a CNAME record.
>>>
>>> Okay, thanks for clearing that up.
>>>
>>> > I don't have any SAN configured for the certificate. The certificate is requested for only server.lbg.com
>>>
>>> You will never be able to make a secure request to anything other than server.lbg.com without seeing an error. I highly recommend adding the other hostname as a SAN to your certificate if you really want to support this.
>>>
>>> Even if you wanted https://example.lbg.com/whatever to return an HTTP 302 redirect to https://server.lbg.com/whatever, the user would see a certificate hostname mismatch error, which is ugly. It's best to make it work without users seeing ugly things.
>>>
>>> > So if I just request a new certificate with SAN it should work? If yes, I will request it and follow your steps as suggested below.
>>>
>>> Yes, it should.
>>>
>>> > Should I use a CNAME record or DNS? Does it make a difference?
>>>
>>> CNAME *is* DNS.
>>>
>>> Whenever possible, use hostnames and not IP addresses as SANs. It's more flexible that way, and users get to see hostnames instead of IP addresses.
>>>
>>> -chris
>>>
>>> > On Wednesday, April 24, 2024, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>> >
>>> >> Lavanya,
>>> >>
>>> >> On 4/24/24 07:37, lavanya tech wrote:
>>> >>
>>> >>> Sorry, I understood wrongly here with regards to my environment. Let me start from the beginning. I do not want to use redirect at all. I simply wanted to force Apache Tomcat to use both localhost and the DNS name of the localhost via URL.
>>> >>>
>>> >>
>>> >> When you say "force" what do you mean?
>>> >>
>>> >> When you say "use both localhost and DNS name" what do you mean?
>>> >>
>>> >> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm logged-into right now"?
>>> >>
>>> >>> I have DNS resolution as below.
>>> >>>
>>> >>> server.lbg.com --> localhost
>>> >>>
>>> >>
>>> >> Is that a CNAME record?
>>> >>
>>> >>> nslookup server.lbg.com (localhost)
>>> >>> Name: server.lbg.com
>>> >>> Address: 192.168.100.20
>>> >>> alias: example.lbg.com
>>> >>>
>>> >>
>>> >> That's a weird DNS response. The DNS name "localhost" should *always* return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return 191.168.100.20.
>>> >>
>>> >>> We have the below URLs working:
>>> >>> https://server.lbg.com:8443/towl
>>> >>> https://example.lbg.com:8443/towl --> redirects to
>>> >>>
>>> >>
>>> >> What do you mean "redirect"? Does it return a 30x response that causes the browser to make a new request to \/
>>> >>
>>> >>> https://server.lbg.com:8443/towl --> still works --> we have SSL configured for the same, but this SSL certificate does not have additional DNS setup.
>>> >>>
>>> >>
>>> >> What SANs are in your certificate? How many certificates do you have?
>>> >>
>>> >>> But I would need to somehow access https://example.lbg.com --> which means I would need to access via 443 here?
>>> >>>
>>> >>
>>> >> I'm so confused. What needs to access what?
>>> >>
>>> >>> I tried adding the below to server.xml, but that does not seem to work.
>>> >>>
>>> >>> <Connector
>>> >>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> >>>     connectionTimeout="2"
>>> >>>     redirectPort="443" />
>>> >>>
>>> >>
>>> >> This will only redirect (HTTP 302) requests to http://yourhost/anything to https://yourhost/anything *if the application specifically requests CONFIDENTIAL
Re: Regarding Tomcat url redirection
Hi Chris,

Thanks, I will request a new certificate with SANs and I will try to fix the things from our end.

Best Regards,
Lavanya

On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 4/24/24 15:39, lavanya tech wrote:
> > Local host means the machine I am logged in to: server.lbg.com
> >
> > You are right, example.lbg.com is a CNAME record.
>
> Okay, thanks for clearing that up.
>
> > I don't have any SAN configured for the certificate. The certificate is requested for only server.lbg.com
>
> You will never be able to make a secure request to anything other than server.lbg.com without seeing an error. I highly recommend adding the other hostname as a SAN to your certificate if you really want to support this.
>
> Even if you wanted https://example.lbg.com/whatever to return an HTTP 302 redirect to https://server.lbg.com/whatever, the user would see a certificate hostname mismatch error, which is ugly. It's best to make it work without users seeing ugly things.
>
> > So if I just request a new certificate with SAN it should work? If yes, I will request it and follow your steps as suggested below.
>
> Yes, it should.
>
> > Should I use a CNAME record or DNS? Does it make a difference?
>
> CNAME *is* DNS.
>
> Whenever possible, use hostnames and not IP addresses as SANs. It's more flexible that way, and users get to see hostnames instead of IP addresses.
>
> -chris
>
> > On Wednesday, April 24, 2024, Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> >> Lavanya,
> >>
> >> On 4/24/24 07:37, lavanya tech wrote:
> >>
> >>> Sorry, I understood wrongly here with regards to my environment. Let me start from the beginning. I do not want to use redirect at all. I simply wanted to force Apache Tomcat to use both localhost and the DNS name of the localhost via URL.
> >>>
> >>
> >> When you say "force" what do you mean?
> >>
> >> When you say "use both localhost and DNS name" what do you mean?
> >>
> >> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm logged-into right now"?
> >>
> >>> I have DNS resolution as below.
> >>>
> >>> server.lbg.com --> localhost
> >>>
> >>
> >> Is that a CNAME record?
> >>
> >>> nslookup server.lbg.com (localhost)
> >>> Name: server.lbg.com
> >>> Address: 192.168.100.20
> >>> alias: example.lbg.com
> >>>
> >>
> >> That's a weird DNS response. The DNS name "localhost" should *always* return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return 191.168.100.20.
> >>
> >>> We have the below URLs working:
> >>> https://server.lbg.com:8443/towl
> >>> https://example.lbg.com:8443/towl --> redirects to
> >>>
> >>
> >> What do you mean "redirect"? Does it return a 30x response that causes the browser to make a new request to \/
> >>
> >>> https://server.lbg.com:8443/towl --> still works --> we have SSL configured for the same, but this SSL certificate does not have additional DNS setup.
> >>>
> >>
> >> What SANs are in your certificate? How many certificates do you have?
> >>
> >>> But I would need to somehow access https://example.lbg.com --> which means I would need to access via 443 here?
> >>>
> >>
> >> I'm so confused. What needs to access what?
> >>
> >>> I tried adding the below to server.xml, but that does not seem to work.
> >>>
> >>> <Connector
> >>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>>     connectionTimeout="2"
> >>>     redirectPort="443" />
> >>>
> >>
> >> This will only redirect (HTTP 302) requests to http://yourhost/anything to https://yourhost/anything *if the application specifically requests CONFIDENTIAL transport*. It doesn't just redirect everything by default. If you want it to redirect everything, you'll need to set that up e.g. using RewriteValve. There are other options, too.
> >>
> >>> Do I need an additional SSL certificate for https://example.lbg.com to make it work?
> >>>
> >>
> >> If you don't want your browser to complain, you will need at least one TLS certificate that contains every Subject Alternative Name (SAN) for every possible hostname you expect to use with this service. You can do it with multiple certificates as well, but a single cert with multiple SANs is less work.
> >>
> >>> Do I need to set up an additional web server for this, like Apache or nginx, for redirecting requests?
> >>>
> >>
> >> No.
> >>
> >> Please stop saying "redirect" because it sounds like you almost never mean "HTTP 30x redirect" and that's confusing everything.
> >>
> >> I *think* you only need the following:
> >>
> >> 1. A TLS certificate with the following SANs:
> >>
> >>    * server.lbg.com
> >>    * example.lbg.com
> >>    * localhost (you shouldn't do this)
> >>
> >> 2. DNS configured for all hostnames:
> >>
> >>    * server.lbg.com -> A 192.168.100.20
> >>    * example.lgb.com
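Chris's point that the browser checks the hostname from the URL the user typed against the certificate's SAN entries (which is why https://example.lbg.com/towl cannot pass until example.lbg.com is added as a SAN, CNAME or not, and why the port makes no difference to that check), as an added example that is not part of the thread: the certificate dicts are constructed stand-ins and the function names are this example's own.

```python
"""Which request hostnames does a TLS certificate's SAN list cover?
Added example, not code from the thread: OLD_CERT and NEW_CERT are constructed
dicts standing in for what a browser reads from a server certificate; no real
certificate is parsed and nothing is fetched."""
from urllib.parse import urlsplit

# Constructed stand-ins: the certificate issued for server.lbg.com only, and
# the re-issued one that adds example.lbg.com as a second dNSName SAN.
OLD_CERT = {"cn": "server.lbg.com", "san_dns": ["server.lbg.com"]}
NEW_CERT = {"cn": "server.lbg.com", "san_dns": ["server.lbg.com", "example.lbg.com"]}


def dns_name_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName SAN against the requested hostname.
    Case-insensitive; a wildcard counts only as the whole leftmost label and
    covers exactly one label, so "*.lbg.com" matches "server.lbg.com" but
    neither "a.b.lbg.com" nor the bare "lbg.com"."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # Demand two labels after the star so "*.com" can never match.
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """True if a browser would accept `cert` for a request to `hostname`.
    Modern browsers match on the SAN extension, not the Common Name, so the
    server.lbg.com-only certificate fails for example.lbg.com even though
    that name is just a CNAME pointing at the same machine."""
    return any(dns_name_matches(san, hostname) for san in cert.get("san_dns", []))


def check_urls(cert: dict, urls: list[str]) -> dict[str, bool]:
    """Judge each URL the way a browser does: the name is taken from the URL
    the user typed (not the CNAME target or the resolved IP), and the port
    (443 or 8443) plays no part in the certificate check."""
    return {url: cert_covers_hostname(cert, urlsplit(url).hostname or "") for url in urls}


if __name__ == "__main__":
    urls = ["https://server.lbg.com:8443/towl", "https://example.lbg.com:8443/towl",
            "https://example.lbg.com/towl"]
    for label, cert in (("old cert", OLD_CERT), ("new SAN cert", NEW_CERT)):
        print(label, check_urls(cert, urls))
```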