Re: Publishing Tomcat webapp

2022-07-18 Thread Martynas Jusevičius
Hi, Wouldn’t this setup be easier to deploy as a Docker container? We have an image with SSL server cert support: https://github.com/AtomGraph/letsencrypt-tomcat On Mon, 18 Jul 2022 at 16.09, Aryeh Friedman wrote: > Here are the steps to installing a SSL cert (it varies slightly based > on

Re: Tomcat fails to start in Docker on Amazon ECS

2021-05-15 Thread Martynas Jusevičius
My bad :) CATALINA_OPTS was malformed. On Sat, May 15, 2021 at 10:19 AM Martynas Jusevičius wrote: > > Hi, > > I have a Docker image that extends tomcat:9.0.39-jdk11 and at the very > end of the entrypoint script calls 'catalina.sh run'. > > This has worked fine bot

Tomcat fails to start in Docker on Amazon ECS

2021-05-15 Thread Martynas Jusevičius
Hi, I have a Docker image that extends tomcat:9.0.39-jdk11 and at the very end of the entrypoint script calls 'catalina.sh run'. This has worked fine both on my local Windows and on a CentOS server. However when I start a container on Amazon ECS with AMI Linux, I get the error below when

Re: Defining environment variables for a webapp ?

2021-04-14 Thread Martynas Jusevičius
Rony, you might want to look into containerizing your webapps. We use an XSLT stylesheet (invoked by the entrypoint script) that transforms env params into context.xml params: https://github.com/AtomGraph/LinkedDataHub/blob/master/platform/context.xsl Martynas On Wed, Apr 14, 2021 at 2:16 PM

Re: Dynamic Configuration on TC startup

2021-02-23 Thread Martynas Jusevičius
I think this is where you need to wrap your apps into Docker images :) See this base image for example: https://hub.docker.com/r/atomgraph/letsencrypt-tomcat It configures server.xml by using an XSLT stylesheet and environmental parameters:

Re: Not able to connect to Tomcat 9.0.39 instance using jconsole/jvisualvm

2021-02-02 Thread Martynas Jusevičius
Not sure if related, but JPDA address config changed from - JPDA_ADDRESS=8000 on Tomcat 8 to - JPDA_ADDRESS=*:8000 on Tomcat 9 (i.e. host needs to be included, or a wildcard). On Tue, Feb 2, 2021 at 12:22 PM Suvendu Sekhar Mondal wrote: > > Hello Everyone, > > We recently migrated Tomcat from

Rate limiting

2021-02-01 Thread Martynas Jusevičius
Hi, How do I limit request rates using Tomcat 9.0.x? Something similar to limit_req in nginx: https://www.nginx.com/blog/rate-limiting-nginx/ Martynas atomgraph.com - To unsubscribe, e-mail:

Re: Max heap size when using -XX:MaxRAMPercentage

2020-11-11 Thread Martynas Jusevičius
Christopher, thanks for your reply. Answers inline. > > What I see in the profiler is Max Heap Size 310378496 B, which is only 0.28 > > GiB. > > This is probably the maximum size of the /used/ heap. Can you confirm that? Nope. Netbeans profiler says: Max Heap Size 310378496 B, Max Used Heap

Max heap size when using -XX:MaxRAMPercentage

2020-11-11 Thread Martynas Jusevičius
Hi, I am attempting to make my webapps that run in Tomcat to take advantage of the Docker container-specific JVM options such as -XX:MaxRAMPercentage: https://www.eclipse.org/openj9/docs/xxinitialrampercentage/ TL;DR It allows specifying JVM heap as % of the container memory limit rather than

Re: completely automated (for real) Let's Encrypt on embedded Tomcat

2020-10-04 Thread Martynas Jusevičius
https://github.com/AtomGraph/letsencrypt-tomcat On Sun, Oct 4, 2020 at 8:04 PM Garret Wilson wrote: > > Hi, everyone. I'm back already. (I had intended to leave the list to > focus my efforts elsewhere, but … here I am again.) > > I just realized there is a big SSL problem for small

Connector compressibleMimeType

2020-03-26 Thread Martynas Jusevičius
Hi, I enabled GZip compression on using 8.0.44. Then I noticed that text/html documents are getting compressed, but others were not. I guess this is due to the default compressibleMimeType? Which is "text/html,text/xml,text/plain,text/css,text/javascript,application/javascript".

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Martynas Jusevičius
; > > >On 3/17/20 3:18 PM, Martynas Jusevičius wrote: > >> why should DELETE or OPTIONS not be enabled? They are standard HTTP > >methods. > > > >True, but (quoting the audit report) > >> . . . [DELETE] may allow a remote attacker to delete arbitrary file

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-17 Thread Martynas Jusevičius
Hi, why should DELETE or OPTIONS not be enabled? They are standard HTTP methods. On Tue, Mar 17, 2020 at 11:05 PM James H. H. Lampert wrote: > > Ladies and Gentlemen: > > One of our customers did a security audit on the Tomcat server we > maintain on their system, and it found a few issues: > >

Re: Client cert auth on demand

2020-03-02 Thread Martynas Jusevičius
%3A5443 test %{QUERY_STRING} to rule with pattern ^(.*)(localhost\%3A5443)(.*)$ and substitution $1localhost$3 On Mon, Mar 2, 2020 at 11:51 AM Martynas Jusevičius wrote: > > No matter where I place the rewrite.config, cannot get the > RewriteValve to find it. > > I tried: > * /usr

Re: Client cert auth on demand

2020-03-02 Thread Martynas Jusevičius
] org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for [org.apache.catalina.valves.rewrite.RewriteValve[]] to [STARTED] On Sun, Mar 1, 2020 at 2:15 PM Martynas Jusevičius wrote: > > I hit a snag with the query string. In some cases it contains the > webapp base URI in a query

Re: Client cert auth on demand

2020-03-01 Thread Martynas Jusevičius
Martynas Jusevičius wrote: > > Thanks! I actually needed proxyPort="443" to make the URL > https://localhost, but your suggestion did the trick. > > On Sat, Feb 29, 2020 at 11:12 AM Mark Thomas wrote: > > > > > > > > On 28/02/2020 22:26, Martyna

Re: Client cert auth on demand

2020-02-29 Thread Martynas Jusevičius
Thanks! I actually needed proxyPort="443" to make the URL https://localhost, but your suggestion did the trick. On Sat, Feb 29, 2020 at 11:12 AM Mark Thomas wrote: > > > > On 28/02/2020 22:26, Martynas Jusevičius wrote: > > Yes the clients connect only directly to

Re: Client cert auth on demand

2020-02-28 Thread Martynas Jusevičius
/443 instead of localhost:90/5443. Absolute URIs matter in this case because they are used for direct lookups in an RDF triplestore and RDF uses absolute URIs. On Fri, Feb 28, 2020 at 10:59 PM Mark Thomas wrote: > > On 28/02/2020 21:00, Martynas Jusevičius wrote: > > Setti

Re: Client cert auth on demand

2020-02-28 Thread Martynas Jusevičius
n context.xml would be ideal. On Thu, Feb 27, 2020 at 11:52 AM Martynas Jusevičius wrote: > > Tomcat is deep within the Docker image configured with a single > connector and a single ROOT webapp, so it's easier to deploy a second > container than to add a second connector or context :)

Re: Client cert auth on demand

2020-02-27 Thread Martynas Jusevičius
10:28, Martynas Jusevičius wrote: > > Yes, that could be an option. Or, since we're on Docker, a second > > instance of the webapp on a different port would be easier. > > > > But we would need to add some URL rewriting proxy before that > > connector to strip tha

Re: Client cert auth on demand

2020-02-27 Thread Martynas Jusevičius
with nginx which we are using anyway. So essentially 2 webapps on different ports, one configured without the clientAuth for the end-users, and one with clientAuth for the API access, correct? On Thu, Feb 27, 2020 at 11:18 AM Mark Thomas wrote: > > On 27/02/2020 09:58, Martynas Jusevičius wrote:

Client cert auth on demand

2020-02-27 Thread Martynas Jusevičius
Hi list, I'm using a Docker image based on tomcat:8.0-jre8. It serves as an end-user facing webapp but also as a REST API which authenticates using client certificates. The same URLs serve both purposes, however only administrators are using the API. The Connector is configured using

Re: Tomcat app within docker container

2020-01-10 Thread Martynas Jusevičius
Why build the webapp outside Docker? It means that docker build is not enough to give you an image, it needs some extra steps beforehand. On Fri, Jan 10, 2020 at 12:47 PM Alex K wrote: > > Just to follow-up on this in case it will be useful to anyone, I managed to > use also the official tomcat

Re: [OT] Tomcat app within docker container

2020-01-09 Thread Martynas Jusevičius
Forget Kubernetes for now :) My recipe is using a multi-stage build. Very crudely: FROM maven as maven # build your webapp into a .war mvn clean install FROM tomcat COPY --from=maven /webapp/target/ROOT webapps/ROOT/ It copies the whole folder from the build directory rather than the .war

Re: HTTP to HTTPS redirect not happening

2019-07-20 Thread Martynas Jusevičius
Richard, I think the rule goes that you should avoid touching server.xml for something that web.xml can do. On Sun, Jul 21, 2019 at 4:40 AM Richard Huntrods wrote: > > I apologise for top posting in advance, but just a quick update and > quicker question... > > After Konstantin found my typo, I

Re: OT: Tomcat on AWS for Dummies

2019-07-19 Thread Martynas Jusevičius
My advice when it comes to making your setup environment-agnostic: Docker'ize it. I haven't used Docker on AWS, but once you have an image running locally you can be 98% sure it's gonna run on the server (e.g. mounting files from host can cause some differences still, so best to avoid that). See

Re: Modify web.xml in production war file

2019-07-16 Thread Martynas Jusevičius
images have an entrypoint, which is the shell script making changes to server.xml in this case: https://github.com/AtomGraph/letsencrypt-tomcat/blob/master/entrypoint.sh On Wed, 17 Jul 2019 at 02.34, André Warnier (tomcat) wrote: > On 16.07.2019 19:54, Martynas Jusevičius wrote: > &g

Re: Modify web.xml in production war file

2019-07-16 Thread Martynas Jusevičius
Grigor, I think this is a use case that Docker containers at least partially address. I find deploying containers way easier to share/deploy and more platform-independent than WAR files. I’ve created a Tomcat-based image that accepts ENV variables and modifies server.xml using their values:

Re: TLS client cert clarification

2019-07-12 Thread Martynas Jusevičius
In my experience with 8.x -- on all requests. On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon wrote: > > I was hoping to get some clarification on when to expect client x509 certs in > http requests where the Tomcat server (v9.x) has been configured to “want” or > “need” client auth. >

Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-06 Thread Martynas Jusevičius
Ettra, see also this thread: https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%3ccae35vmwcm9dkxmvabofgjb5d_oa07a6mrjxwcgknksbzgjh...@mail.gmail.com%3E I did this with front nginx eventually. On Sat, Oct 6, 2018 at 7:29 AM ettra lancelot wrote: > > Thank you for the detailed

Re: [tomcat:8.0-jre8] CONFIDENTIAL adds Cache-Control: private?

2018-08-20 Thread Martynas Jusevičius
t;> >>> On 8/17/18 4:09 AM, Mark Thomas wrote: >>>> On 16/08/18 13:40, Martynas Jusevičius wrote: >>>>> Hi, >>>>> >>>>> my initial observations suggest, and SO post [1] seems to >>>>> confirm, that when >>&

[tomcat:8.0-jre8] CONFIDENTIAL adds Cache-Control: private?

2018-08-16 Thread Martynas Jusevičius
Hi, my initial observations suggest, and SO post [1] seems to confirm, that when CONFIDENTIAL is specified on a security-constraint in web.xml, Tomcat does two things: 1. automatically redirects to HTTPS 2. appends Cache-Control: private and Expires: Thu, 01 Jan

Re: Using existing LetsEncrypt certs with tomcat

2018-01-06 Thread Martynas Jusevičius
Paul, see if this Docker setup could help: https://github.com/AtomGraph/letsencrypt-tomcat I also have nginx config that works with it. Martynas atomgraph.com On Sat, Jan 6, 2018 at 7:46 PM, Paul Beard wrote: > > > > On Jan 4, 2018, at 1:53 AM, Mark Thomas

Re: Am I reinventing the wheel to get letsencrypt certs for Tomcat

2017-10-27 Thread Martynas Jusevičius
I think Tomcat 9 suppors PEM files directly, but if you want to use PKCS12, this might help: https://github.com/AtomGraph/letsencrypt-tomcat/blob/master/entrypoint.sh#L33 On Fri, Oct 27, 2017 at 1:22 PM, Don Flinn wrote: > I am writing a Java program to get a certificate

Re: Invalid characters in request header

2017-09-09 Thread Martynas Jusevičius
s not one that appears on my website, it's > something that was manually written by some client. > > On Sat, Sep 9, 2017 at 1:12 PM, Martynas Jusevičius < > marty...@atomgraph.com> > wrote: > > > Tomcat is an HTTP sever, and if your client is sending invalid HTTP > >

Re: Invalid characters in request header

2017-09-09 Thread Martynas Jusevičius
> exception? But I would be happy to hear thoughts on this as I'm still > fairly new to programming. I'm not sure what is considered best practice > here. > > Thanks. > > On Sat, Sep 9, 2017 at 12:24 PM, Martynas Jusevičius < > marty...@atomgraph.com > > wrote: >

Re: Invalid characters in request header

2017-09-09 Thread Martynas Jusevičius
How is 404 beter than 400? On Sat, Sep 9, 2017 at 9:46 AM, Yuval Schwartz wrote: > Tomcat version:8.0.43 > jdk1.8.0_05 > > Hello, > > I've asked a similar question in the past about illegal characters in the > http request header (May 15, 2017). > > Certain users are

Re: letsencrypt integration?

2017-08-24 Thread Martynas Jusevičius
Hi, we have made a Docker image that configures Tomcat with LE certs: https://hub.docker.com/r/atomgraph/letsencrypt-tomcat/ It hasn't been tested in production though. Martynas atomgraph.com On Thu, 24 Aug 2017 at 20.50, Chris Cheshire wrote: > Currently I am using

Re: [8.0.44] NPE when deploying to /manager/text/list with RemoteHostValve

2017-08-08 Thread Martynas Jusevičius
ave problem > resolving hostname in your env? Try to disable the valve and test "<%= > request.getRemoteHost() %>" in a simple jsp until you can get the right > value before re-enable the valve again. > > --Zemian > > On Mon, Aug 7, 2017 at 11:46 AM, Martynas J

[8.0.44] NPE when deploying to /manager/text/list with RemoteHostValve

2017-08-07 Thread Martynas Jusevičius
Hi, I'm deploying WAR from Jenkins Docker container to Tomcat Docker container. In server.xml I have enableLookups to enable DNS lookups and in conf/Catalina/localhost/manager.xml I have There is also manager-script role and user in tomcat-users.xml but I won't post it because

Re: [8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-30 Thread Martynas Jusevičius
Actually I am using Tomcat on Docker: https://hub.docker.com/_/tomcat/ I do not really know the answer to your question :/ On Sun, 30 Jul 2017 at 23.12, Mark Thomas <ma...@apache.org> wrote: > On 30/07/17 21:35, Martynas Jusevičius wrote: > > Hey list, > > > > I need

[8.5.16] SSLHostConfig certificateVerification="optionalNoCA" ignored?

2017-07-30 Thread Martynas Jusevičius
Hey list, I need my webapp to accept all SSL client certificates and do its own validation. I'm upgrading server.xml from the JSSE SSL Connector which used clientAuth="want" and a custom trustManagerClassName in order to do that. The 8.5.16 docs indicate that this should be replaced with