Virtual Hosting, HTTP 302 to HTTPS?

2016-02-01 Thread Björn Raupach
Dear group,

I have two web applications (a,b) that are both reachable via subdomains:

a.example.com 
b.example.com 

For b.example.com there is an SSL certificate.
a.example.com does not need SSL.
The HTTPS connector uses a Java keystore with the certificate.

I configured Apache Tomcat 8.0.20 with Virtual Hosting.

CATALINA_HOME/webapps_a
CATALINA_HOME/webapps_b

The server.xml has been adjusted.



 
   ...
 

 
   ...
 



Both web apps are deployed using ROOT.war. They get unpacked and there are no 
errors in the log files.

Here is my problem. b works fine, but I can't reach a.

curl -I http://a.example.com 
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private 
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://a.example.com 
Content-Length: 0
Date: Mon, 01 Feb 2016 13:52:32 GMT

curl -I http://b.example.com 
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private 
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: https://b.example.com 
Content-Length: 0
Date: Mon, 01 Feb 2016 13:52:54 GMT  

The redirect sets Location to https. I know this can't work because I have no
certificate for srv.grasmueck.de nor do I need https.

And I see the web application `b` instead of `a` despite the error.

Do I need an Apache HTTPD frontend?


Thanks for the support! I appreciate it.

Björn

Re: Virtual Hosting, HTTP 302 to HTTPS?

2016-02-01 Thread Björn Raupach

> On 01 Feb 2016, at 16:20, Mark Thomas <ma...@apache.org> wrote:
> 
> On 1 February 2016 14:07:57 GMT+00:00, "Björn Raupach" <raup...@me.com> wrote:
>> Dear group,
>> 
>> I have two web applications (a,b) that are both reachable via
>> subdomains:
>> 
>> a.example.com <http://a.example.com/>
>> b.example.com <http://b.example.com/>
>> 
>> For b.example.com <http://b.example.com/> there is an SSL certificate.
>> a.example.com <http://a.example.com/> does not need SSL.
>> The HTTPS connector uses a Java keystore with the certificate.
>> 
>> I configured Apache Tomcat 8.0.20 with Virtual Hosting.
>> 
>> CATALINA_HOME/webapps_a
>> CATALINA_HOME/webapps_b
>> 
>> The server.xml has been adjusted.
>> 
>> 
>> 
>> 
>>  ...
>> 
>> 
>> 
>>  ...
>> 
>> 
>> 
>> 
>> Both web apps are deployed using ROOT.war. They get unpacked and there
>> are no errors in the log files.
>> 
>> Here is my problem. b works fine, but I can't reach a.
>> 
>> curl -I http://a.example.com <http://a.example.com/>
>> HTTP/1.1 302 Found
>> Server: Apache-Coyote/1.1
>> Cache-Control: private 
>> Expires: Thu, 01 Jan 1970 01:00:00 CET
>> Location: https://a.example.com <https://a.example.com/>
>> Content-Length: 0
>> Date: Mon, 01 Feb 2016 13:52:32 GMT
>> 
>> curl -I http://b.example.com <http://b.example.com/>
>> HTTP/1.1 302 Found
>> Server: Apache-Coyote/1.1
>> Cache-Control: private 
>> Expires: Thu, 01 Jan 1970 01:00:00 CET
>> Location: https://b.example.com <https://b.example.com/>
>> Content-Length: 0
>> Date: Mon, 01 Feb 2016 13:52:54 GMT  
>> 
>> The redirect sets Location to https. I know this can't work because I
>> have no
>> certificate for srv.grasmueck.de <http://srv.grasmueck.de/> nor do I
>> need https.
>> 
>> And I see the web application `b` instead of `a` despite the error.
>> 
>> Do I need an Apache HTTPD frontend?
> 
> No.  The name of your virtual host (or one of its aliases) must match the 
> host header. If they don't match the default host will be used.
> 
> Given that you've already told us one of the real host names, you might as 
> well show us the real configuration and the real request if you need help 
> spotting the configuration error.

And here I am trying to be smart. ;)

srv.grasmueck.de <http://srv.grasmueck.de/>
isiee.grasmueck.de <http://isiee.grasmueck.de/>

Here is my server.xml:

> 
> Mark



> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 



Re: Virtual Hosting, HTTP 302 to HTTPS?

2016-02-01 Thread Björn Raupach

> On 01 Feb 2016, at 16:29, Jeffrey Janner <jeffrey.jan...@polydyne.com> wrote:
> 
>> -Original Message-
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Monday, February 01, 2016 9:21 AM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Virtual Hosting, HTTP 302 to HTTPS?
>> 
>> On 1 February 2016 14:07:57 GMT+00:00, "Björn Raupach" <raup...@me.com>
>> wrote:
>>> Dear group,
>>> 
>>> I have two web applications (a,b) that are both reachable via
>>> subdomains:
>>> 
>>> a.example.com <http://a.example.com/>
>>> b.example.com <http://b.example.com/>
>>> 
>>> For b.example.com <http://b.example.com/> there is an SSL certificate.
>>> a.example.com <http://a.example.com/> does not need SSL.
>>> The HTTPS connector uses a Java keystore with the certificate.
>>> 
>>> I configured Apache Tomcat 8.0.20 with Virtual Hosting.
>>> 
>>> CATALINA_HOME/webapps_a
>>> CATALINA_HOME/webapps_b
>>> 
>>> The server.xml has been adjusted.
>>> 
>>> 
>>> 
>>> 
>>>  ...
>>> 
>>> 
>>> 
>>>  ...
>>> 
>>> 
>>> 
>>> 
>>> Both web apps are deployed using ROOT.war. They get unpacked and there
>>> are no errors in the log files.
>>> 
>>> Here is my problem. b works fine, but I can't reach a.
>>> 
>>> curl -I http://a.example.com <http://a.example.com/>
>>> HTTP/1.1 302 Found
>>> Server: Apache-Coyote/1.1
>>> Cache-Control: private
>>> Expires: Thu, 01 Jan 1970 01:00:00 CET
>>> Location: https://a.example.com <https://a.example.com/>
>>> Content-Length: 0
>>> Date: Mon, 01 Feb 2016 13:52:32 GMT
>>> 
>>> curl -I http://b.example.com <http://b.example.com/>
>>> HTTP/1.1 302 Found
>>> Server: Apache-Coyote/1.1
>>> Cache-Control: private
>>> Expires: Thu, 01 Jan 1970 01:00:00 CET
>>> Location: https://b.example.com <https://b.example.com/>
>>> Content-Length: 0
>>> Date: Mon, 01 Feb 2016 13:52:54 GMT
>>> 
>>> The redirect sets Location to https. I know this can't work because I
>>> have no
>>> certificate for srv.grasmueck.de <http://srv.grasmueck.de/> nor do I
>>> need https.
>>> 
>>> And I see the web application `b` instead of `a` despite the error.
>>> 
>>> Do I need an Apache HTTPD frontend?
>> 
>> No.  The name of your virtual host (or one of its aliases) must match
>> the host header. If they don't match the default host will be used.
>> 
>> Given that you've already told us one of the real host names, you might
>> as well show us the real configuration and the real request if you need
>> help spotting the configuration error.
>> 
>> Mark
>> 
> Since the information provided shows that both URLs are responding with a 302 
> redirect to the HTTPS connector with the same hostname as provided, I'd say 
> that his server.xml configuration is working correctly.
> Obviously, there is something in both webapps that is forcing the redirect.
> Might I suggest the OP take a look at the web.xml file for the A host to see 
> if he can see that it is indeed requesting the redirect?  (hint: 
>  section.)
> Jeff

Hi Jeff,

the web application with the certificate does have a security constraint in the 
web.xml.



/index.xhtml


CONFIDENTIAL



> 


Re: Virtual Hosting, HTTP 302 to HTTPS?

2016-02-01 Thread Björn Raupach

> On 01 Feb 2016, at 17:30, Mark Thomas <ma...@apache.org> wrote:
> 
> On 01/02/2016 15:27, Björn Raupach wrote:
>>> On 01 Feb 2016, at 16:20, Mark Thomas <ma...@apache.org> wrote:
>>> On 1 February 2016 14:07:57 GMT+00:00, "Björn Raupach" <raup...@me.com> 
>>> wrote:
> 
> 
> 
>>>> Do I need an Apache HTTPD frontend?
>>> 
>>> No.  The name of your virtual host (or one of its aliases) must match the 
>>> host header. If they don't match the default host will be used.
>>> 
>>> Given that you've already told us one of the real host names, you might as 
>>> well show us the real configuration and the real request if you need help 
>>> spotting the configuration error.
>> 
>> And here I am trying to be smart. ;)
>> 
>> srv.grasmueck.de <http://srv.grasmueck.de/>
>> isiee.grasmueck.de <http://isiee.grasmueck.de/>
> 
> 
> 
>>  >unpackWARs="true" autoDeploy="true">
> 
> 
> 
>>  
>> 
>>  >unpackWARs="true" autoDeploy="true">
> 
> 
> 
>>  
>>
>>  
>> 
> 
> To repeat: The name of your virtual host (or one of its aliases) must
> match the host header.
> 
> You should be using
> 
> and
> 

Thank you for being so patient. This worked!

> 
> Mark
> 
> 
> 




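Added example, not part of the original thread: a simplified Python model of the two behaviours described above, Host selection by Host header with fallback to the default host, and the CONFIDENTIAL constraint that turns a plain HTTP request into a 302 to HTTPS. The server.xml and web.xml contents are constructed (the poster's real files did not survive in the archive), and the short Host names in `BROKEN` are an assumed misconfiguration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml template, not the poster's file.
SERVER_XML = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="{b}">
    <Host name="{a}" appBase="webapps_a" unpackWARs="true" autoDeploy="true"/>
    <Host name="{b}" appBase="webapps_b" unpackWARs="true" autoDeploy="true"/>
  </Engine>
</Service></Server>"""

# Assumed misconfiguration: Host names that are not what clients send.
BROKEN = SERVER_XML.format(a="a", b="b")
# Host names equal to the Host header values.
FIXED = SERVER_XML.format(a="a.example.com", b="b.example.com")

# Constructed web.xml per appBase; only b carries the constraint from the thread.
WEB_XML = {
    "webapps_a": "<web-app/>",
    "webapps_b": """<web-app>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>secure</web-resource-name>
          <url-pattern>/index.xhtml</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    </web-app>""",
}


def select_host(server_xml, host_header):
    """Return (appBase, matched): name or alias match, else the defaultHost."""
    engine = ET.fromstring(server_xml).find("./Service/Engine")
    wanted = host_header.split(":")[0].lower()  # drop port; no IPv6 literals
    by_name = {}
    for host in engine.findall("Host"):
        names = [host.get("name")] + [a.text for a in host.findall("Alias")]
        for name in names:
            by_name[name.strip().lower()] = host
    if wanted in by_name:
        return by_name[wanted].get("appBase"), True
    return by_name[engine.get("defaultHost").lower()].get("appBase"), False


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: prefix (/x/*), extension (*.x) or exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def requires_https(web_xml, path):
    """True when a CONFIDENTIAL security-constraint covers the path."""
    for constraint in ET.fromstring(web_xml).iter("security-constraint"):
        guarantee = constraint.findtext(
            "user-data-constraint/transport-guarantee", default="NONE").strip()
        if guarantee != "CONFIDENTIAL":
            continue
        patterns = [p.text.strip() for p in constraint.iter("url-pattern")]
        if any(pattern_matches(p, path) for p in patterns):
            return True
    return False


def simulate(server_xml, host_header, path):
    """Return (appBase served, status, Location) for a plain HTTP request."""
    app_base, _matched = select_host(server_xml, host_header)
    if requires_https(WEB_XML[app_base], path):
        # The redirect keeps the requested host name, as in the curl output.
        return app_base, 302, "https://" + host_header.split(":")[0] + path
    return app_base, 200, None


if __name__ == "__main__":
    for label, config in (("broken", BROKEN), ("fixed", FIXED)):
        for name in ("a.example.com", "b.example.com"):
            print(label, name, simulate(config, name, "/index.xhtml"))
```

With the non-matching names, a request for a.example.com lands in the default host's application and inherits its HTTPS redirect, which is the symptom in the curl output.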

Re: Need assistance on web application

2015-11-27 Thread Björn Raupach

Hi Subhro,

> On 27 Nov 2015, at 11:21, Subhro Paul  wrote:
> 
> Hi Team,
> 
> We have a simple web application (Example: www.example.com) which doesn't 
> have any ".war" or ".ear". It just has jsps, htmls, javascripts, css 
> and images inside a folder which is placed in webapps of Tomcat. Now we 
> are developing a complex module which will be referred from the same 
> application with same url, like "www.example.com/complexModule". For that 
> we will create a new war or ear file as necessary like 
> "complexModule.war".
> 
> How can we configure our website in tomcat so that we can refer the new 
> application as "www.example.com/complexModule"?

So your current web application is in a folder ROOT? That is Tomcat’s way
of deploying to the root context of a host.

Any other folders are reachable just by folder names. war-files are usually
exploded to directories first.

For example, if your host is www.example.com and the webapps directory
has the following two folders:

ROOT/
complexModule/

Then you can access the two web applications through a browser with
the following URLs

http://www.example.com for ROOT
http://www.example.com/complexModule for complexModule

> 
> Note:- Contents present in "www.example.com" will be as it is and will not 
> be zipped in "war" or "ear". Only new contents for "complexModule" will 
> have war/ear and will placed as per required configuration.
> 
> Thanks & Regards
> Subhro Paul
> 
> 



Re: No direct access to Tomcat as it is using AJP connector?

2015-11-10 Thread Björn Raupach
Hello Suleman,

> On 10 Nov 2015, at 11:18, Suleman Butt  wrote:
> 
> Hi All,
> 
> I have the following configuration.
> 
> Standalone Apache web server is talking to Tomcat AS using AJP connector.
> Both Apache and Tomcat are running on separate server machines. All my
> application components are deployed on the Tomcat AS and Apache is just
> used to redirect the user requests to Tomcat.
> 
> Now I have the following requirement, I have been asked by my operation
> team member that he needs to " replace Battery and install McAfee" on the
> Apache web server and the activity would require approx. 1 hour. He also
> told me that during this period of time, the entire application would not
> be accessible!
> 
> My question to him was that why can't users access the application by
> directly putting the IP of the Tomcat server in the browser during the time
> Apache web server is under maintenance? Why can't we access the Tomcat AS
> directly? Once the Apache is up, users can then use the actual URL and
> access the application again via Apache web server.
> 
> But the short answer I got from the team member was that *there is no
> alternate URL as Tomcat is using AJP connector which cannot be accessed via
> browser. *
> 
> So my question is if it really true and there is no alternate way (quick
> solution/workaround) we can avoid the complete outage of the application?

Yes, your colleague is correct. If only the AJP connector is configured you
can’t access Apache Tomcat with your Browser. Your Browser speaks HTTP
and not AJP. Things would be different if there is an HTTP-Connector configured.

> 
> I am not technically aware of this AJP configuration and constraint, so
> that's why I want to make sure if the above condition stated by the team
> member is indeed correct. May be he lacks or unaware of any other alternate.

Not judging your colleague here and what his reasoning is. Sysadmins usually
place Tomcat behind an Apache because:

* Load balancing
* Routing many services within a single website
* SSL issues
* SLA or corporate policies
* Trust

We have been running standalone Apache Tomcat since version 6. It is 
stable and has not caused any troubles in all these years. It is worth trying 
out.


> 
> So any help/clarification would be really appreciated.
> 
> Many thanks.
> 
> 
> 
> -- 
> Regards Suleman





Re: No direct access to Tomcat as it is using AJP connector?

2015-11-10 Thread Björn Raupach

> On 10 Nov 2015, at 11:46, Suleman Butt <suleman.b...@gmail.com> wrote:
> 
> Thanks, Björn for your reply.
> 
> * Load balancing
> is not the case.
> 
> * Routing many services within a single website
> The same Apache Web server is serving other applications running on other
> Tomcats
> 
> * SSL issues
> The application endpoint URL is HTTPS.
> 
> * SLA or corporate policies
> Not sure, but the layout Apache Webserver and Tomcat Application is very
> common here for other applications as well
> 
> * Trust
> Not sure what exactly does the term Trust reflect here.

Well, I met Sysadmins who assign port 80 only to trusted daemons which 
defaults to Apache HTTPD.

> 
> 
> But on a separate note, if application is not directly accessible (pointing
> to Tomcat) then what if Apache Web server is down then that could be the
> only point of failure for the entire application or set of applications?
> Don't you think an alternate solution should need to be in place in
> parallel?

I don’t know your environment. Ask your colleague. Maybe they have 2 Apache
with a load balancer in front. I have seen this in use.

> 
> Thanks.
> 
> 
> On Tue, Nov 10, 2015 at 11:32 AM, Björn Raupach <raup...@me.com> wrote:
> 
>> Hello Suleman,
>> 
>>> On 10 Nov 2015, at 11:18, Suleman Butt <suleman.b...@gmail.com> wrote:
>>> 
>>> Hi All,
>>> 
>>> I have the following configuration.
>>> 
>>> Standalone Apache web server is talking to Tomcat AS using AJP connector.
>>> Both Apache and Tomcat are running on separate server machines. All my
>>> application components are deployed on the Tomcat AS and Apache is just
>>> used to redirect the user requests to Tomcat.
>>> 
>>> Now I have the following requirement, I have been asked by my operation
>>> team member that he needs to " replace Battery and install McAfee" on the
>>> Apache web server and the activity would require approx. 1 hour. He also
>>> told me that during this period of time, the entire application would not
>>> be accessible!
>>> 
>>> My question to him was that why can't users access the application by
>>> directly putting the IP of the Tomcat server in the browser during the
>> time
>>> Apache web server is under maintenance? Why can't we access the Tomcat AS
>>> directly? Once the Apache is up, users can then use the actual URL and
>>> access the application again via Apache web server.
>>> 
>>> But the short answer I got from the team member was that *there is no
>>> alternate URL as Tomcat is using AJP connector which cannot be accessed
>> via
>>> browser. *
>>> 
>>> So my question is if it really true and there is no alternate way (quick
>>> solution/workaround) we can avoid the complete outage of the application?
>> 
>> Yes, your colleague is correct. If only the AJP connector is configured you
>> can’t access Apache Tomcat with your Browser. Your Browser speaks HTTP
>> and not AJP. Things would be different if there is an HTTP-Connector
>> configured.
>> 
>>> 
>>> I am not technically aware of this AJP configuration and constraint, so
>>> that's why I want to make sure if the above condition stated by the team
>>> member is indeed correct. May be he lacks or unaware of any other
>> alternate.
>> 
>> Not judging your colleague here and what his reasoning is. Sysadmins usually
>> place Tomcat behind an Apache because:
>> 
>> * Load balancing
>> * Routing many services within a single website
>> * SSL issues
>> * SLA or corporate policies
>> * Trust
>> 
>> We have been running standalone Apache Tomcat since version 6. It is
>> stable and has not caused any troubles in all these years. It is worth
>> trying out.
>> 
>> 
>>> 
>>> So any help/clarification would be really appreciated.
>>> 
>>> Many thanks.
>>> 
>>> 
>>> 
>>> --
>>> Regards Suleman
>> 
>> 
>> 
>> 
> 
> 
> -- 
> Regards Suleman





Re: SSL and Virtual Hosting

2015-10-22 Thread Björn Raupach
Hi Chris,

thank you very much for the elaborate answer!

> On 21 Oct 2015, at 21:44, Christopher Schultz <ch...@christopherschultz.net> 
> wrote:
> 
> Björn,
> 
> On 10/21/15 2:47 PM, Björn Raupach wrote:
>>> On 21 Oct 2015, at 20:42, Mark Thomas <ma...@apache.org> wrote:
>>> 
>>> On 21/10/2015 16:27, Björn Raupach wrote:
>>>> Dear group,
>>>> 
>>>> it would be nice if anyone knows, if my planned setup is going to work.
>>>> 
>>>> At the moment we are having two services (web apps) at two different 
>>>> machines and hostnames. Let's say bob.example.com and alice.example.com 
>>>> 
>>>> bob.example.com runs without SSL and deploys the web app at the root 
>>>> context. We just throw a ROOT.war in /webapps.
>>>> 
>>>> alice.example.com needs SSL at all times. It currently does not run with 
>>>> the root context but we would like to. So another ROOT.war. We have an SSL 
>>>> cert for alice.example.com
>>>> 
>>>> I want both applications to run on a single Tomcat instance with Virtual 
>>>> Hosting. Virtual Hosting with Tomcat that is. I am comfortable with 
>>>> setting up Virtual Hosting, but I am just not sure about the SSL part. 
>>>> Does the choice between IP-based or Hostname matter? bob.example.com might 
>>>> need SSL support in the future.
>>>> 
>>>> We are using Amazon AWS if that is important. So I could get another 
>>>> Elastic IP. We are working with the latest Apache Tomcat 8 and the latest 
>>>> JDK on the server machines.
>>>> 
>>>> Sorry if this is not 100% Tomcat related.
>>> 
>>> Currently it will work if both hosts can share the same certificate
>>> because they share a connector and (currently) a connector can only have
>>> a single certificate.
>> 
>> How can both hosts share the same certificate?
> 
> I think he meant that if both sites "can" share a certificate, the whole
> thing becomes easier. For example, a certificate with a
> subject-alternative-name, or a wildcard certificate.
> 
> Recent versions of Java support SNI which should allow multiple
> certificates to be used, but I'm not sure if Tomcat supports that
> directly right now (see Mark's comments about multi-certificate support
> in the very near future).
> 
>> Do I need a SAN certificate or can I just run with the cert for
>> alice.example.com <http://alice.example.com/> and have to live with any
>> cert errors on bob.example.com <http://bob.example.com/>?
> 
> Well, those are both options, but the first one costs a heap of money
> and the second is unpalatable for users (errors = bad).
> 
>>> As of 9.0.x (and hopefully eventually back-ported to 8.x) you'll be able
>>> to have per host certs. There should be a 9.0.0-RC1 in the next week or so.
> 
> This is the "holy grail" of TLS certificate support -- one that I hope
> will be able to be back-ported without too much pain for (probably) Mark.
> 
> IIRC, this will also allow *either* PEM-file-based setup *or*
> keystore-based setup regardless of the crypto implementation (OpenSSL
> vs. JSSE) being used. I personally detest keystores because they are so
> fault-intolerant, but they do have the advantage of being able to say
> "use any matching certificate in this blob" to get work done.
> 
> So... if you are willing to wait a bit (9.0-RC1 in the next week? woah!)
> for a back-port from trunk into the 8.0.x branch, then that's probably
> your best bet. If you absolutely need to get this out right away, I see
> only a few options:
> 
> 1. Wildcard cert
> 2. Cert with a SAN
> 3. Front each service with AWS ELB
> 4. Front both services with httpd, which supports SNI
> 5. Use two s, each on a different port
> 6. Use two s, each on a different interface
> 
> That last one (6) might not be possible on AWS, since the host is itself
> mostly unaware of the public IP address external clients use to access
> it. (I have an EC2 instance with both internal and external IPs, and I
> only have "lo" and "eth0" interfaces, so I couldn't bind a 
> to the public IP's interface).
> 
> Option #3 might be the best for you in the short-term (and possibly the
> long-term), because it allows you to easily configure TLS *and*
> port-redirection without the complexity of a whole server+httpd instance
> to maintain. It will also allow you to grow your service trivially in
> the future should you choose to do so. The downside is that you pay for
> the ELB by the bi

SSL and Virtual Hosting

2015-10-21 Thread Björn Raupach
Dear group,

it would be nice if anyone knows, if my planned setup is going to work.

At the moment we are having two services (web apps) at two different machines 
and hostnames. Let's say bob.example.com and alice.example.com 

bob.example.com runs without SSL and deploys the web app at the root context. 
We just throw a ROOT.war in /webapps.

alice.example.com needs SSL at all times. It currently does not run with the 
root context but we would like to. So another ROOT.war. We have an SSL cert for 
alice.example.com

I want both applications to run on a single Tomcat instance with Virtual 
Hosting. Virtual Hosting with Tomcat that is. I am comfortable with setting up 
Virtual Hosting, but I am just not sure about the SSL part. Does the choice 
between IP-based or Hostname matter? bob.example.com might need SSL support in 
the future.

We are using Amazon AWS if that is important. So I could get another Elastic 
IP. We are working with the latest Apache Tomcat 8 and the latest JDK on the 
server machines.

Sorry if this is not 100% Tomcat related.

Thanks for taking the time!


with kind regards,
Björn
 



Re: SSL and Virtual Hosting

2015-10-21 Thread Björn Raupach
Dear Jason,

> On 21 Oct 2015, at 19:18, Jason Britton <jbritto...@gmail.com> wrote:
> 
> Hi Björn -
> Look in tomcat/conf at the server.xml, you'd just define multiple host
> entries, one host entry would have a name of "alice.example.com" the other
> with "bob.example.com".  Each host entry would also have its own appBase
> (alice-webapps & bob-webapps), meaning both sites could be deployed using
> ROOT.war.  Update the DNS for alice and bob to point at the server your
> consolidated tomcat is on.  Inside tomcat/conf/Catalina/ I'm pretty sure
> you're going to need a directory for each host with that hosts config
> ROOT.xml etc).

thanks. Yes, I know how to do this part.

>  We use Apache HTTPD to proxy to our Tomcats and we
> terminate SSL at HTTPD so I'm not exactly sure on your SSL questions.  Our
> SSL is configured through Apache HTTPD Virtual Hosts.  Maybe you want to
> look into the cost for a wildcard SSL cert that would cover *.example.com
> rather than specific hosts?

Unfortunately that is the scenario I am trying to prevent.
I don’t want to add another layer of complexity.
Apache Tomcat works like a charm and if it supports Virtual Hosting I don’t need
another service running.

> 
> Jason
> 
> On Wed, Oct 21, 2015 at 8:27 AM, Björn Raupach <raup...@me.com> wrote:
> 
>> Dear group,
>> 
>> it would be nice if anyone knows, if my planned setup is going to work.
>> 
>> At the moment we are having two services (web apps) at two different
>> machines and hostnames. Let's say bob.example.com and alice.example.com
>> 
>> bob.example.com runs without SSL and deploys the web app at the root
>> context. We just throw a ROOT.war in /webapps.
>> 
>> alice.example.com needs SSL at all times. It currently does not run with
>> the root context but we would like to. So another ROOT.war. We have an SSL
>> cert for alice.example.com
>> 
>> I want both applications to run on a single Tomcat instance with Virtual
>> Hosting. Virtual Hosting with Tomcat that is. I am comfortable with setting
>> up Virtual Hosting, but I am just not sure about the SSL part. Does the
>> choice between IP-based or Hostname matter? bob.example.com might need
>> SSL support in the future.
>> 
>> We are using Amazon AWS if that is important. So I could get another
>> Elastic IP. We are working with the latest Apache Tomcat 8 and the latest
>> JDK on the server machines.
>> 
>> Sorry if this is not 100% Tomcat related.
>> 
>> Thanks for taking the time!
>> 
>> 
>> with kind regards,
>> Björn
>> 
>> 
>> 





Re: SSL and Virtual Hosting

2015-10-21 Thread Björn Raupach
Hello Mark,

thanks for responding

> On 21 Oct 2015, at 20:42, Mark Thomas <ma...@apache.org> wrote:
> 
> On 21/10/2015 16:27, Björn Raupach wrote:
>> Dear group,
>> 
>> it would be nice if anyone knows, if my planned setup is going to work.
>> 
>> At the moment we are having two services (web apps) at two different 
>> machines and hostnames. Let's say bob.example.com and alice.example.com 
>> 
>> bob.example.com runs without SSL and deploys the web app at the root 
>> context. We just throw a ROOT.war in /webapps.
>> 
>> alice.example.com needs SSL at all times. It currently does not run with the 
>> root context but we would like to. So another ROOT.war. We have an SSL cert 
>> for alice.example.com
>> 
>> I want both applications to run on a single Tomcat instance with Virtual 
>> Hosting. Virtual Hosting with Tomcat that is. I am comfortable with setting 
>> up Virtual Hosting, but I am just not sure about the SSL part. Does the 
>> choice between IP-based or Hostname matter? bob.example.com might need SSL 
>> support in the future.
>> 
>> We are using Amazon AWS if that is important. So I could get another Elastic 
>> IP. We are working with the latest Apache Tomcat 8 and the latest JDK on the 
>> server machines.
>> 
>> Sorry if this is not 100% Tomcat related.
> 
> Currently it will work if both hosts can share the same certificate
> because they share a connector and (currently) a connector can only have
> a single certificate.

How can both hosts share the same certificate? Do I need a SAN certificate or 
can I just run with the cert for alice.example.com <http://alice.example.com/> 
and have to live with any cert errors on bob.example.com 
<http://bob.example.com/>? 

> 
> As of 9.0.x (and hopefully eventually back-ported to 8.x) you'll be able
> to have per host certs. There should be a 9.0.0-RC1 in the next week or so.
> 
> Mark
> 
> 


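Added example, not part of the original thread: a Python check of whether one certificate can be shared by every virtual host on a single connector, covering the single-name, SAN and wildcard options raised in the replies above. The SAN lists are constructed, and the matching is a simplified form of the usual rule that a wildcard stands for exactly one left-most label.

```python
def san_matches(san, hostname):
    """Match one dNSName entry against a host name.

    Simplified rule: case-insensitive, '*' allowed only as the entire
    left-most label, and it stands for exactly one label.
    """
    pattern = san.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False  # '*.example.com' covers neither example.com nor a.b.example.com
    if pattern[0] == "*":
        # Crude guard against over-broad wildcards such as '*.com'.
        return len(pattern) > 2 and pattern[1:] == host[1:]
    return pattern == host


def uncovered_hosts(san_dns_names, virtual_hosts):
    """Return the virtual hosts that would produce a certificate name error."""
    return [
        host for host in virtual_hosts
        if not any(san_matches(san, host) for san in san_dns_names)
    ]


# Host names from the thread.
VIRTUAL_HOSTS = ["alice.example.com", "bob.example.com"]

# Constructed SAN lists for the three certificate shapes discussed.
CANDIDATE_CERTS = {
    "single-name": ["alice.example.com"],
    "san": ["alice.example.com", "bob.example.com"],
    "wildcard": ["*.example.com"],
}


def report():
    """Map each candidate certificate to the hosts it fails to cover."""
    return {
        label: uncovered_hosts(sans, VIRTUAL_HOSTS)
        for label, sans in CANDIDATE_CERTS.items()
    }


if __name__ == "__main__":
    for label, missing in report().items():
        status = "covers all hosts" if not missing else "name error on " + ", ".join(missing)
        print(label + ": " + status)
```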
Re: Stderr and Stdout Log Rotation on Tomcat 6.0 on Windows

2014-08-20 Thread Björn Raupach
Hi Kristof,

tell your developer to use a logging framework instead of System.out

You can't get rid of stdout and stderr log files, but they should be empty - 
most of the time.

cheers,
Björn

On 20 Aug 2014, at 13:51 , Kristof Can Bilen cankris...@yahoo.com.INVALID 
wrote:

> Hello all,
> 
> I’m running a Tomcat service on Windows and I’m having some minor issues with 
> the logging mechanism. I've been researching for weeks now, read every FAQ, 
> user forum and article but no one seems to have any clue on this.
> 
> I use 64-bit Tomcat 6.0.39 as a Windows service on Windows 2008 R2 
> x64 Standard.
> 
> Tomcat keeps writing to the same stdout and stderr log files without any log 
> rotation until the service is restarted. Because of this, the stdout and 
> stderr log files become quite large in time and it becomes difficult to 
> open/read logs. My aim is to never restart the Tomcat service until it 
> is really necessary, so this makes log rotation quite crucial.
> 
> The Tomcat process won’t release the log files until the Tomcat service is 
> restarted. I was unable to use 3rd party tools for log rotation as stdout and 
> stderr files are locked by the process.
> 
> While this Tomcat log rotation is quite simple on Linux, there seems to be no 
> simple way to do it on Windows. I tried every command to force JULI to rotate 
> these two files based on size or date but it was fruitless. I tried to force 
> Log4j to take over the logging mechanism but stdout and stderr still seem to 
> act on their own, probably due to Tomcat’s internal mechanisms. Btw webapp 
> application logs rotate just fine.
> 
> Have you had any experience with stdout/stderr log rotation on Windows 
> Tomcat? If you have the time, it’d be great if you could share your thoughts..
> 
> Thanks!
> Can
> 
 

