Re: Regarding Tomcat url redirection
Lavanya,

On 4/25/24 09:36, lavanya tech wrote:
> I have updated the certificate now, but still I cannot access the URL
> https://example.lbg.com/towl or https://server.lbg.com/towl. I wonder
> why it's working with port 8443 and not without the port.

If Tomcat is listening on port 8443, then you need to use port 8443 to make a request. The cert doesn't cover the port number, so you can still use it.

If you want to use port 443 (the default port for HTTPS) then you will need to change Tomcat to bind to port 443 (if that's allowed on your OS) or arrange to have port 443 routed to port 8443. You may need additional configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat generate URLs with ":8443" in them.

-chris

> On Thu, Apr 25, 2024 at 1:24 PM lavanya tech wrote:
>> Hi Chris,
>>
>> One question / doubt:
>> As I mentioned earlier, the below URLs are already working in the browser:
>> https://server.lbg.com:8443/towl
>> https://example.lbg.com:8443/towl -> redirects (which means when I hit it in the browser) it points to https://server.lbg.com:8443/towl ---> To be frank, I don't even need a redirect here; not sure why it redirects.
>>
>> My question is why it's working even though the SAN is not registered with the certificate? It doesn't even throw a warning in the browser.
>>
>> Why https://server.lbg.com/towl or https://example.lbg.com/towl --> How should it work with the new SAN certificate?
>>
>> Thanks,
>> Lavanya
Re: Regarding Tomcat url redirection
Lavanya,

On 4/25/24 07:24, lavanya tech wrote:
> Hi Chris,
>
> One question / doubt:
> As I mentioned earlier, the below URLs are already working in the browser:
> https://server.lbg.com:8443/towl
> https://example.lbg.com:8443/towl -> redirects (which means when I hit it in the browser) it points to https://server.lbg.com:8443/towl ---> To be frank, I don't even need a redirect here; not sure why it redirects.
>
> My question is why it's working even though the SAN is not registered with the certificate? It doesn't even throw a warning in the browser.

I'm not sure. Is it possible you have dismissed this error in the past and the browser is remembering that?

Try this with a different web browser or maybe with curl from the command-line to see what happens.

> Why https://server.lbg.com/towl or https://example.lbg.com/towl --> How should it work with the new SAN certificate?

You don't need to worry about the port number or application name, only the hostname is a part of the SAN.

-chris

> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech wrote:
>> Hi Chris,
>>
>> Thanks. I will request a new certificate with SANs and I will try to fix things from our end.
>>
>> Best Regards,
>> Lavanya
>>
>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>>> Lavanya,
>>>
>>> On 4/24/24 15:39, lavanya tech wrote:
>>>> Local host means the machine I am logged in to: server.lbg.com
>>>> You are right, example.lbg.com is a CNAME record.
>>>
>>> Okay, thanks for clearing that up.
>>>
>>>> I don't have any SAN configured for the certificate.
>>>> The certificate is requested for only server.lbg.com
>>>
>>> You will never be able to make a secure request to anything other than server.lbg.com without seeing an error. I highly recommend adding the other hostname as a SAN to your certificate if you really want to support this.
>>>
>>> Even if you wanted https://example.lbg.com/whatever to return an HTTP 302 redirect to https://server.lbg.com/whatever, the user would see a certificate hostname mismatch error which is ugly. It's best to make it work without users seeing ugly things.
>>>
>>>> So if I just request a new certificate with SAN it should work? If yes, I will request it and follow your steps as suggested below.
>>>
>>> Yes, it should.
>>>
>>>> Should I use a CNAME record or DNS? Does it make a difference?
>>>
>>> CNAME *is* DNS.
>>>
>>> Whenever possible, use hostnames and not IP addresses as SANs. It's more flexible that way, and users get to see hostnames instead of IP addresses.
>>>
>>> -chris
>>>
>>>> On Wednesday, April 24, 2024, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>>>> Lavanya,
>>>>>
>>>>> On 4/24/24 07:37, lavanya tech wrote:
>>>>>> Sorry, I understood wrongly here with regards to my environment. Let me start from the beginning.
>>>>>>
>>>>>> I don't want to use redirect at all. I simply wanted to force Apache Tomcat to use both localhost and the DNS name of the localhost via URL.
>>>>>
>>>>> When you say "force" what do you mean?
>>>>>
>>>>> When you say "use both localhost and DNS name" what do you mean?
>>>>>
>>>>> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm logged-into right now"?
>>>>>
>>>>>> I have DNS resolution as below.
>>>>>> server.lbg.com --> localhost
>>>>>
>>>>> Is that a CNAME record?
>>>>>
>>>>>> nslookup server.lbg.com (localhost)
>>>>>> Name: server.lbg.com
>>>>>> Address: 192.168.100.20
>>>>>> alias: example.lbg.com
>>>>>
>>>>> That's a weird DNS response. The DNS name "localhost" should *always* return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return 191.168.100.20.
>>>>>
>>>>>> We have the below URLs working:
>>>>>> https://server.lbg.com:8443/towl
>>>>>> https://example.lbg.com:8443/towl --> redirects to
>>>>>
>>>>> What do you mean "redirect"? Does it return a 30x response that causes the browser to make a new request to
>>>>> \/
>>>>>> https://server.lbg.com:8443/towl --> still works --> we have SSL configured for the same but this SSL certificate doesn't have additional DNS setup.
>>>>>
>>>>> What SANs are in your certificate? How many certificates do you have?
>>>>>
>>>>>> But I would need to somehow access https://example.lbg.com --> which means I would need to access via 443 here?
>>>>>
>>>>> I'm so confused. What needs to access what?
>>>>>
>>>>>> I tried adding the below to server.xml, but that doesn't seem to work.
>>>>>
>>>>> This will only redirect (HTTP 302) requests to http://yourhost/anything to https://yourhost/anything *if the application specifically requests CONFIDENTIAL transport*. It doesn't just redirect everything by default. If you want it to redirect everything, you'll need to set that up e.g. using RewriteValve. There are other options, too.
>>>>>
>>>>>> Do I need an additional SSL certificate for https://example.lbg.com to make it work?
>>>>>
>>>>> If you don't want your browser to complain, you will need at least one TLS certificate that contains every Subject Alternative Name (SAN) for every possible hostname you expect to use with this service. You can do it with multiple certificates as well, but a single cert with multiple SANs is less work.
>>>>>
>>>>>> Do I need to set up an additional web server for this like Apache or nginx for redirecting requests?
>>>>>
>>>>> No. Please stop saying "redirect" because
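As an added illustration of the point made in the thread (a certificate covers hostnames via its Subject Alternative Names; the port and the application path play no part), here is a small Python check written for this page. It is not code from the thread or from Tomcat. The certificate dicts are constructed to mimic the shape that Python's `ssl.SSLSocket.getpeercert()` returns and are not the poster's real certificates. It also shows why a certificate carrying only a Common Name and no SAN fails: modern browsers no longer fall back to the CN.

```python
"""Hostname-vs-certificate matching the way a browser does it.

A certificate names hosts (subjectAltName DNS entries; the CN is ignored
by modern browsers), never ports or paths. So https://server.lbg.com:8443/towl
and https://server.lbg.com/towl are covered by the same certificate, while
https://example.lbg.com/... needs example.lbg.com listed as a SAN.
"""
from urllib.parse import urlsplit

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns (assumption: these are illustrative, not the poster's real certs).
CERT_SERVER_ONLY = {
    "subject": ((("commonName", "server.lbg.com"),),),
    "subjectAltName": (("DNS", "server.lbg.com"),),
}
CERT_WITH_SANS = {
    "subject": ((("commonName", "server.lbg.com"),),),
    "subjectAltName": (("DNS", "server.lbg.com"), ("DNS", "example.lbg.com")),
}
CERT_CN_ONLY = {  # no SAN extension at all
    "subject": ((("commonName", "example.lbg.com"),),),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style DNS-ID match: case-insensitive, and a leading '*'
    may stand for exactly one label (it never covers the bare parent domain)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, rest = hostname.partition(".")
    return sep == "." and head != "" and rest == pattern[2:]


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension (empty list if absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches_cert(hostname, cert):
    """True if some SAN DNS entry covers hostname. A certificate without
    SAN DNS entries never matches: there is no fallback to the CN."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names(cert))


def check_url(url, cert):
    """Split a URL and report whether cert covers its hostname.
    Port and path are reported only to show they take no part in the match."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "hostname": host,
        "port": parts.port if parts.port is not None else 443,
        "path": parts.path,
        "covered": hostname_matches_cert(host, cert),
    }


if __name__ == "__main__":
    for url in ("https://server.lbg.com:8443/towl",
                "https://server.lbg.com/towl",
                "https://example.lbg.com:8443/towl",
                "https://example.lbg.com/towl"):
        for name, cert in (("server-only", CERT_SERVER_ONLY),
                           ("with-SANs", CERT_WITH_SANS)):
            print(f"{url:40} {name:12} {check_url(url, cert)}")
```

Running it shows that the server-only certificate covers both server.lbg.com URLs regardless of port, and that example.lbg.com is only covered once it appears as a SAN; to inspect a live server the same way, `ssl.create_default_context()` plus `getpeercert()` on a connected socket yields a dict in exactly this shape.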