Re: Does Tomcat need a non-ssl connector?

2016-02-16 Thread msh
On Tue, Feb 16, 2016 at 08:52:50AM -0500, Christopher Schultz wrote:
> 
> 
> If jsvc is working for you, what's the port number you chose for SSL?
> 8080? (That's odd, most people use 8443). Why not just use the standard
> port for HTTPS?

I want to use 443. I don't want proxies or to see the port number appended to 
the URI.

> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 




Re: Does Tomcat need a non-ssl connector?

2016-02-14 Thread msh
On Thu, Feb 11, 2016 at 02:17:38PM -0500, m...@kimwana.com wrote:





It works! Requests to port 80 are sent to 443, and there's no need to append a 
non-standard port!

The counterintuitive bit for me is, port 443 is seemingly configured twice. 

No need for iptables or httpd! Woot!

> If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
> connector and redirect the port?
> 




Re: Does Tomcat need a non-ssl connector?

2016-02-13 Thread msh
On Fri, Feb 12, 2016 at 05:36:56PM -0500, Christopher Schultz wrote:
> Chuck,
> 
> On 2/12/16 3:06 PM, Caldarale, Charles R wrote:
> >> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> >> Subject: Re: Does Tomcat need a non-ssl connector?
> > 
> >> On 2/12/16, 11:40 AM, m...@kimwana.com wrote:
> > 
> >>> Perhaps I should have phrased this differently. I want to
> >>> force clients to ssl. When they hit http://app.myurl.com their
> >>> browser should load https://app.myurl.com
> > 
> >> Wouldn't mind knowing that myself. All the Tomcat installations
> >> I'm responsible for are set up to simply reject non-secured
> >> connections (that's EASY, just comment out the non-secured
> >> connector); I'm sure some customers would like it to behave as
> >> you describe.
> > 
> > Read the servlet spec.
> 
> +1
> 
> > Simply set transport-guarantee to CONFIDENTIAL for all URL
> > patterns (/*).  You can do this in the global conf/web.xml, if
> > desired.

Yeah-no. Nothing is that simple ;)

> Not quite: there is still a bit of Tomcat configuration that needs to
> be done. The default configuration will do this correctly (redirect
> port 8080 -> 8443). If you want different port numbers, you'll need to
> read the configuration reference for the HTTP connector.

jsvc is working for me but the redirect 80 --> 8080 (ssl) shows up in the url 
https://tomcat7.mynatnet.yo/8080

I need to figure out how to have that uri load with ssl as 
https://tomcat7.mynatnet.yo


> 
> -chris
> 




Re: ssl config questions

2016-02-12 Thread msh
On Fri, Feb 12, 2016 at 10:53:12AM -0700, George Sexton wrote:
> 
> On 2/11/2016 11:30 AM, m...@kimwana.com wrote:
> >On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
> >>Msh,
> >>
> >>On 2/10/16 7:04 PM, m...@kimwana.com wrote:
> >>>I have the fillowing problem to solve for a job interview.
> >A few thoughts:
> >
> >(1) There is no (stated) requirement that the non-secure web service
> >be listening on port 80. There is no (stated) requirement that the
> >secure web service be listening on port 443. Perhaps you could
> >simplify things by not worrying about traditional port numbers for
> >HTTP and HTTPS.
> >Yeah. It took me a while to remember that http protocol can run on 
> >practically any non-reserved port.
> >Of course browsers expect port 80 so I added a rule in my iptables config
> >
> >-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443
> 
> You can also use JSVC which will allow you to bind to reserved
> ports. There are some other advantages to JSVC as well. For example,
> in some cases, if the JVM fails, it can perform a re-start.

I guess a lot of folks use Apache httpd as a proxy for Tomcat. 
I don't even know what JSVC is. Heh!

I've worked in several Tomcat shops but there were always load balancers 
handling such duties.





Re: Does Tomcat need a non-ssl connector?

2016-02-12 Thread msh
On Thu, Feb 11, 2016 at 02:33:06PM -0500, m...@kimwana.com wrote:
> On Thu, Feb 11, 2016 at 07:19:10PM +, Mark Thomas wrote:
> > On 11/02/2016 19:17, m...@kimwana.com wrote:
> > > If I want to run Tomcat using ssl only do I still need to set up a 
> > > non-ssl connector and redirect the port?
> > 
> > That depends if you want Tomcat to respond at all if a user tries to use
> > a non-TLS connection.

Perhaps I should have phrased this differently. I want to force clients to ssl. 
When they hit http://app.myurl.com their browser should load
https://app.myurl.com


> 
> I do not want any unencrypted traffic. Ideally I would have iptables redirect 
> requests to port 80 to 8443.
> I need to run Tomcat as the tomcat user so I can't listen on port 80 or 443. 
> 
> I'm making iptables redirect inbound 80 --> 8443 but I think I need an 
> outbound rule to allow the replies out.
> 
> Inbound:
>   iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443
> 
> Or perhaps I need to set up httpd in front of Tomcat.
> 
> 
> > 
> > Mark
> > 
> > 




Re: ssl config questions

2016-02-12 Thread msh
On Fri, Feb 12, 2016 at 10:53:12AM -0700, George Sexton wrote:
> 
> 
> On 2/11/2016 11:30 AM, m...@kimwana.com wrote:
> >On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
> >>Msh,
> >>
> >>On 2/10/16 7:04 PM, m...@kimwana.com wrote:
> >>>I have the fillowing problem to solve for a job interview.
> >A few thoughts:
> >
> >(1) There is no (stated) requirement that the non-secure web service
> >be listening on port 80. There is no (stated) requirement that the
> >secure web service be listening on port 443. Perhaps you could
> >simplify things by not worrying about traditional port numbers for
> >HTTP and HTTPS.
> >Yeah. It took me a while to remember that http protocol can run on 
> >practically any non-reserved port.
> >Of course browsers expect port 80 so I added a rule in my iptables config
> >
> >-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443
> 
> You can also use JSVC which will allow you to bind to reserved
> ports. There are some other advantages to JSVC as well. For example,
> in some cases, if the JVM fails, it can perform a re-start.

So I would run JSVC as root or as an unprivileged user?





Re: Does Tomcat need a non-ssl connector?

2016-02-11 Thread msh
On Thu, Feb 11, 2016 at 07:19:10PM +, Mark Thomas wrote:
> On 11/02/2016 19:17, m...@kimwana.com wrote:
> > If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
> > connector and redirect the port?
> 
> That depends if you want Tomcat to respond at all if a user tries to use
> a non-TLS connection.

I do not want any unencrypted traffic. Ideally I would have iptables redirect 
requests to port 80 to 8443.
I need to run Tomcat as the tomcat user so I can't listen on port 80 or 443. 

I'm making iptables redirect inbound 80 --> 8443 but I think I need an outbound 
rule to allow the replies out.

Inbound:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443

Or perhaps I need to set up httpd in front of Tomcat.


> 
> Mark
> 
> 




Does Tomcat need a non-ssl connector?

2016-02-11 Thread msh
If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
connector and redirect the port?




Re: ssl config questions

2016-02-11 Thread msh
On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
> Msh,
> 
> On 2/10/16 7:04 PM, m...@kimwana.com wrote:
> > I have the fillowing problem to solve for a job interview.

Fillowing. Heh! Thanks for the help.

> You have two connectors, but they are both HTTP (non-secure). Part of
> "installing Tomcat as non-root" means that binding to port 443 isn't
> going to work. You need to use a different port.

Yeah, I did realize this. ssl can work
> 
> A few thoughts:
> 
> (1) There is no (stated) requirement that the non-secure web service
> be listening on port 80. There is no (stated) requirement that the
> secure web service be listening on port 443. Perhaps you could
> simplify things by not worrying about traditional port numbers for
> HTTP and HTTPS.

Yeah. It took me a while to remember that http protocol can run on 
practically any non-reserved port.
Of course browsers expect port 80 so I added a rule in my iptables config 

-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443

which I think should work. I guess netcat will help me test that theory.


> 
> (2) Everything you need to know about configuring SSL is in Tomcat's
> Users Guide[1] or Configuration Guide[2].
> 
> -chris
> 
> [1] http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
> 




ssl config questions

2016-02-10 Thread msh
I have the fillowing problem to solve for a job interview.

*  Install the latest version of Apache Tomcat 7 using the latest version of 
Oracle Java 8. Done.

*  Running under a non-root account. Done.

*  With the provided helloworld.war deployed under the /app web context 
(https:///app). Done.

*  With HTTPS enabled using a self-signed certificate that you generate. Done.

*  Ensure the web application is available to the Internet for both HTTP and 
HTTPS

*  HTTP requests should be redirected to HTTPS automatically

*  HTTP requests should be redirected to HTTPS automatically

I need help with the last two tasks. 

Do I need two redirecting connectors? 

'iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080' could be the first step.

Then . . . 





How do I tell Tomcat to use ssl on a specific port? I was able to load the site 
in my browser without specifying a port which seemed like a win but I need to 
see that good old self-signed cert warning in my browser before I can call it a 
day.





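The configuration this thread converges on, answering both the original question above (how to make Tomcat speak TLS on a specific port and redirect HTTP to it) and the later observation that port 443 ends up "configured twice": a plain connector that does nothing but redirect, a TLS connector on 443, and a CONFIDENTIAL transport guarantee so the container issues the redirect itself. This is an added example, not code from any message in the thread or from the Tomcat project. The attribute names are the Tomcat 7 ones; the keystore path and password are assumed values for the self-signed keystore, and it assumes Tomcat is started via jsvc with `-user tomcat` so it can bind 80 and 443 as root and then drop privileges. Both fragments are shown in one fence, with the file each belongs to in a comment:

```xml
<!-- conf/server.xml, inside <Service name="Catalina"> (assumed layout) -->

<!-- Plain HTTP connector on 80. It never serves the application: any
     request for a resource covered by a CONFIDENTIAL constraint is
     answered with a redirect to https://<host>:<redirectPort>/<path>.
     Because redirectPort is 443 (the default port for https), Tomcat
     leaves the port out of the Location header, so the browser lands on
     https://app.myurl.com/app rather than https://app.myurl.com:8443/app.
     The second appearance of 443 here is what looks like "configured
     twice": this one is only the redirect target. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- TLS connector on 443. keystoreFile and keystorePass are assumed
     values for the self-signed keystore generated with keytool;
     ${catalina.base} is expanded by Tomcat at startup. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- conf/web.xml (global) or the application's WEB-INF/web.xml.
     A user-data-constraint of CONFIDENTIAL on /* is what makes the
     port-80 connector redirect instead of serving content. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After a restart, `curl -sI http://app.myurl.com/app/` should return a 302 whose Location header is `https://app.myurl.com/app/` with no port. Two caveats worth keeping in mind: the redirect is a courtesy for browsers only, so anything that must never touch port 80 (an API client that sends a bearer token on its first request) has to be pointed at the https URL directly, because that first request still crosses the wire in the clear before the redirect arrives; and if you would rather refuse plaintext outright, as James describes, simply delete the port-80 connector and the constraint becomes a no-op. Pair the redirect with HSTS where you can so returning browsers skip the plaintext hop altogether.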