Re: Does Tomcat need a non-ssl connector?

2016-02-17 Thread Christopher Schultz

Msh,

On 2/16/16 9:16 PM, m...@kimwana.com wrote:
> On Tue, Feb 16, 2016 at 08:52:50AM -0500, Christopher Schultz
> wrote:
>> 
>> 
>> If jsvc is working for you, what's the port number you chose for
>> SSL? 8080? (That's odd, most people use 8443). Why not just use
>> the standard port for HTTPS?
> 
> I want to use 443. I don't want proxies or to see the port number
> appended to the URI.

If you use port 443, you won't see any port number appended to
https:// URLs.

If you want port 443, then why did you configure a different port number?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Does Tomcat need a non-ssl connector?

2016-02-16 Thread msh
On Tue, Feb 16, 2016 at 08:52:50AM -0500, Christopher Schultz wrote:
> 
> 
> If jsvc is working for you, what's the port number you chose for SSL?
> 8080? (That's odd, most people use 8443). Why not just use the standard
> port for HTTPS?

I want to use 443. I don't want proxies or to see the port number appended to 
the URI.

> 
> -chris
> 




Re: Does Tomcat need a non-ssl connector?

2016-02-16 Thread Christopher Schultz
Msh,

On 2/14/16 3:25 PM, m...@kimwana.com wrote:
> On Thu, Feb 11, 2016 at 02:17:38PM -0500, m...@kimwana.com wrote:
> 
> <Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
> 
> <Connector port="443" SSLEnabled="true" clientAuth="false"
> disableUploadTimeout="true" enableLookups="false" maxThreads="25"
> keystoreFile="/opt/tomcat/conf/keystore/dishwater.jks" 
> keystorePass="ImFr3eZ1inG"
> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
> secure="true" sslProtocol="TLS" />
> 
> It works! Requests to port 80 are sent to 443, and there's no need
> to append a non-standard port!

Correct. jsvc allows you to bind to low-numbered ports because jsvc runs
with elevated privileges.

> The counterintuitive bit for me is, port 443 is seemingly configured
> twice.

How so?

> No need for iptables or httpd! Woot!

jsvc offers better features, too, such as being able to re-start the
service if it goes down unexpectedly, rotating stdout/stderr streams, etc.

A reverse-proxy such as httpd is never necessary unless you want to do
load-balancing. Especially when properly-configured, Tomcat can serve
static content just as fast as Apache httpd.

-chris




Re: Does Tomcat need a non-ssl connector?

2016-02-16 Thread Christopher Schultz
Msh,

On 2/13/16 12:28 PM, m...@kimwana.com wrote:
> On Fri, Feb 12, 2016 at 05:36:56PM -0500, Christopher Schultz wrote:
> Chuck,
> 
> On 2/12/16 3:06 PM, Caldarale, Charles R wrote:
>>>>> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
>>>>> Subject: Re: Does Tomcat need a non-ssl connector?
>>>>
>>>>> On 2/12/16, 11:40 AM, m...@kimwana.com wrote:
>>>>
>>>>>> Perhaps I should have phrased this differently. I want to
>>>>>> force clients to ssl. When they hit http://app.myurl.com their
>>>>>> browser should load https://app.myurl.com
>>>>
>>>>> Wouldn't mind knowing that myself. All the Tomcat installations
>>>>> I'm responsible for are set up to simply reject non-secured
>>>>> connections (that's EASY, just comment out the non-secured
>>>>> connector); I'm sure some customers would like it to behave as
>>>>> you describe.
>>>>
>>>> Read the servlet spec.
> 
> +1
> 
>>>> Simply set transport-guarantee to CONFIDENTIAL for all URL
>>>> patterns (/*).  You can do this in the global conf/web.xml, if
>>>> desired.
> 
>> Yeah-no. Nothing is that simple ;)
> 
> Not quite: there is still a bit of Tomcat configuration that needs to
> be done. The default configuration will do this correctly (redirect
> port 8080 -> 8443). If you want different port numbers, you'll need to
> read the configuration reference for the HTTP connector.
> 
>> jsvc is working for me but the redirect 80 --> 8080 (ssl) shows up in the 
>> url https://tomcat7.mynatnet.yo/8080
> 
>> I need to figure out how to have that uri load with ssl as 
>> https://tomcat7.mynatnet.yo


If jsvc is working for you, what's the port number you chose for SSL?
8080? (That's odd, most people use 8443). Why not just use the standard
port for HTTPS?

-chris




Re: Does Tomcat need a non-ssl connector?

2016-02-14 Thread msh
On Thu, Feb 11, 2016 at 02:17:38PM -0500, m...@kimwana.com wrote:





It works! Requests to port 80 are sent to 443, and there's no need to append a 
non-standard port!

The counterintuitive bit for me is, port 443 is seemingly configured twice. 

No need for iptables or httpd! Woot!

> If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
> connector and redirect the port?
> 




Re: Does Tomcat need a non-ssl connector?

2016-02-13 Thread msh
On Fri, Feb 12, 2016 at 05:36:56PM -0500, Christopher Schultz wrote:
> Chuck,
> 
> On 2/12/16 3:06 PM, Caldarale, Charles R wrote:
> >> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> >> Subject: Re: Does Tomcat need a non-ssl connector?
> > 
> >> On 2/12/16, 11:40 AM, m...@kimwana.com wrote:
> > 
> >>> Perhaps I should have phrased this differently. I want to
> >>> force clients to ssl. When they hit http://app.myurl.com their
> >>> browser should load https://app.myurl.com
> > 
> >> Wouldn't mind knowing that myself. All the Tomcat installations
> >> I'm responsible for are set up to simply reject non-secured
> >> connections (that's EASY, just comment out the non-secured
> >> connector); I'm sure some customers would like it to behave as
> >> you describe.
> > 
> > Read the servlet spec.
> 
> +1
> 
> > Simply set transport-guarantee to CONFIDENTIAL for all URL
> > patterns (/*).  You can do this in the global conf/web.xml, if
> > desired.

Yeah-no. Nothing is that simple ;)

> Not quite: there is still a bit of Tomcat configuration that needs to
> be done. The default configuration will do this correctly (redirect
> port 8080 -> 8443). If you want different port numbers, you'll need to
> read the configuration reference for the HTTP connector.

jsvc is working for me but the redirect 80 --> 8080 (ssl) shows up in the url 
https://tomcat7.mynatnet.yo/8080

I need to figure out how to have that uri load with ssl as 
https://tomcat7.mynatnet.yo


> 
> -chris




Re: Does Tomcat need a non-ssl connector?

2016-02-12 Thread Christopher Schultz

Msh,

On 2/11/16 2:33 PM, m...@kimwana.com wrote:
> On Thu, Feb 11, 2016 at 07:19:10PM +, Mark Thomas wrote:
>> On 11/02/2016 19:17, m...@kimwana.com wrote:
>>> If I want to run Tomcat using ssl only do I still need to set
>>> up a non-ssl connector and redirect the port?
>> 
>> That depends if you want Tomcat to respond at all if a user tries
>> to use a non-TLS connection.
> 
> I do not want any unencrypted traffic. Ideally I would have
> iptables redirect requests to port 80 to 8443.

That's not going to do what you want it to do (assuming that 8443 is
encrypted). Clients expect that port 80 is unencrypted, so sending
traffic from port 80 to port 8443 is likely to confuse all clients.

If you want to accept unencrypted connections and proxy them to
encrypted ones (i.e. actually take clients on port 80 and send them to
your encrypted connection available on port 8443 -- which is actually
really silly because it just wastes resources and provides no benefit
whatsoever), then use stunnel locally. Again, it makes no sense to do
this.

> I need to run Tomcat as the tomcat user so I can't listen on port
> 80 or 443.
> 
> I'm making iptables redirect inbound 80 --> 8443 but I think I need
> an outbound rule to allow the replies out.
> 
> Inbound: iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
> REDIRECT --to-ports 8443

Re-routing replies is not necessary. Google will help you find the
Tomcat wiki's documentation for how to do this.

I still think it's not necessary for you to do this for your job
interview. I think you're doing more work than strictly necessary.

> Or perhaps I need to set up httpd in front of Tomcat.

Needless complexity.

-chris



Re: Does Tomcat need a non-ssl connector?

2016-02-12 Thread msh
On Thu, Feb 11, 2016 at 02:33:06PM -0500, m...@kimwana.com wrote:
> On Thu, Feb 11, 2016 at 07:19:10PM +, Mark Thomas wrote:
> > On 11/02/2016 19:17, m...@kimwana.com wrote:
> > > If I want to run Tomcat using ssl only do I still need to set up a 
> > > non-ssl connector and redirect the port?
> > 
> > That depends if you want Tomcat to respond at all if a user tries to use
> > a non-TLS connection.

Perhaps I should have phrased this differently. I want to force clients to ssl. 
When they hit http://app.myurl.com their browser should load
https://app.myurl.com


> 
> I do not want any unencrypted traffic. Ideally I would have iptables redirect 
> requests to port 80 to 8443.
> I need to run Tomcat as the tomcat user so I can't listen on port 80 or 443. 
> 
> I'm making iptables redirect inbound 80 --> 8443 but I think I need an 
> outbound rule to allow the replies out.
> 
> Inbound:
>   iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT 
> --to-ports 8443
> 
> Or perhaps I need to set up httpd in front of Tomcat.
> 
> 
> > 
> > Mark
> > 
> > 



Re: Does Tomcat need a non-ssl connector?

2016-02-12 Thread James H. H. Lampert

On 2/12/16, 11:40 AM, m...@kimwana.com wrote:


Perhaps I should have phrased this differently. I want to force
clients to ssl. When they hit http://app.myurl.com their browser
should load https://app.myurl.com


Wouldn't mind knowing that myself. All the Tomcat installations I'm
responsible for are set up to simply reject non-secured connections 
(that's EASY, just comment out the non-secured connector); I'm

sure some customers would like it to behave as you describe.

--
JHHL




RE: Does Tomcat need a non-ssl connector?

2016-02-12 Thread Caldarale, Charles R
> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
> Subject: Re: Does Tomcat need a non-ssl connector?

> On 2/12/16, 11:40 AM, m...@kimwana.com wrote:

> > Perhaps I should have phrased this differently. I want to force
> > clients to ssl. When they hit http://app.myurl.com their browser
> > should load https://app.myurl.com

> Wouldn't mind knowing that myself. All the Tomcat installations I'm
> responsible for are set up to simply reject non-secured connections 
> (that's EASY, just comment out the non-secured connector); I'm
> sure some customers would like it to behave as you describe.

Read the servlet spec.  Simply set transport-guarantee to CONFIDENTIAL for all 
URL patterns (/*).  You can do this in the global conf/web.xml, if desired.

 - Chuck







Re: Does Tomcat need a non-ssl connector?

2016-02-12 Thread Christopher Schultz

Chuck,

On 2/12/16 3:06 PM, Caldarale, Charles R wrote:
>> From: James H. H. Lampert [mailto:jam...@touchtonecorp.com] 
>> Subject: Re: Does Tomcat need a non-ssl connector?
> 
>> On 2/12/16, 11:40 AM, m...@kimwana.com wrote:
> 
>>> Perhaps I should have phrased this differently. I want to
>>> force clients to ssl. When they hit http://app.myurl.com their
>>> browser should load https://app.myurl.com
> 
>> Wouldn't mind knowing that myself. All the Tomcat installations
>> I'm responsible for are set up to simply reject non-secured
>> connections (that's EASY, just comment out the non-secured
>> connector); I'm sure some customers would like it to behave as
>> you describe.
> 
> Read the servlet spec.

+1

> Simply set transport-guarantee to CONFIDENTIAL for all URL
> patterns (/*).  You can do this in the global conf/web.xml, if
> desired.

Not quite: there is still a bit of Tomcat configuration that needs to
be done. The default configuration will do this correctly (redirect
port 8080 -> 8443). If you want different port numbers, you'll need to
read the configuration reference for the HTTP connector.

-chris
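The two settings this thread keeps returning to, the HTTP connector's redirectPort (Chris's "bit of Tomcat configuration") and Chuck's CONFIDENTIAL transport guarantee on /*, as a Python consistency check; this is an added example, not code from the thread or from Tomcat. The server.xml and web.xml fragments inside it are constructed samples of the port-80 to 443 setup, and the keystore path and password are placeholders.

```python
# Added example, not from the thread: checks that a server.xml / web.xml pair
# forces HTTPS as described. Both fragments are constructed samples; the
# keystore path and password are placeholders.
import xml.etree.ElementTree as ET

SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="/path/to/keystore.jks" keystorePass="PLACEHOLDER"/>
</Service></Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint></security-constraint></web-app>"""

NS = "{http://java.sun.com/xml/ns/javaee}"

def check_redirect(server_xml):
    """Return a list of problems; empty means every non-TLS connector's
    redirectPort names a port an SSLEnabled connector actually serves. This is
    why 443 appears twice: as the TLS port and as the plain connector's target."""
    tls_ports, plain = set(), []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() == "true":
            tls_ports.add(c.get("port"))
        else:
            plain.append(c)
    problems = []
    for c in plain:
        target = c.get("redirectPort")
        if target is None:
            problems.append(f"port {c.get('port')}: no redirectPort set")
        elif target not in tls_ports:
            problems.append(f"redirectPort {target} is not an SSLEnabled connector")
    return problems

def check_confidential(web_xml):
    """True if a security-constraint covers /* with transport-guarantee
    CONFIDENTIAL, which is what makes Tomcat redirect plain requests."""
    for sc in ET.fromstring(web_xml).iter(NS + "security-constraint"):
        patterns = {p.text.strip() for p in sc.iter(NS + "url-pattern")}
        guarantees = {g.text.strip() for g in sc.iter(NS + "transport-guarantee")}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False
```

Pointing the plain connector at 8443 while the TLS connector listens on 443 reproduces the mismatch from earlier in the thread, and check_redirect reports it.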



Re: Does Tomcat need a non-ssl connector?

2016-02-11 Thread msh
On Thu, Feb 11, 2016 at 07:19:10PM +, Mark Thomas wrote:
> On 11/02/2016 19:17, m...@kimwana.com wrote:
> > If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
> > connector and redirect the port?
> 
> That depends if you want Tomcat to respond at all if a user tries to use
> a non-TLS connection.

I do not want any unencrypted traffic. Ideally I would have iptables redirect 
requests to port 80 to 8443.
I need to run Tomcat as the tomcat user so I can't listen on port 80 or 443. 

I'm making iptables redirect inbound 80 --> 8443 but I think I need an outbound 
rule to allow the replies out.

Inbound:
iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT 
--to-ports 8443

Or perhaps I need to set up httpd in front of Tomcat.


> 
> Mark
> 
> 



Re: Does Tomcat need a non-ssl connector?

2016-02-11 Thread Mark Thomas
On 11/02/2016 19:17, m...@kimwana.com wrote:
> If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
> connector and redirect the port?

That depends if you want Tomcat to respond at all if a user tries to use
a non-TLS connection.

Mark

