Msh,

On 2/11/16 2:33 PM, m...@kimwana.com wrote:
> On Thu, Feb 11, 2016 at 07:19:10PM +0000, Mark Thomas wrote:
>> On 11/02/2016 19:17, m...@kimwana.com wrote:
>>> If I want to run Tomcat using ssl only do I still need to set
>>> up a non-ssl connector and redirect the port?
>> 
>> That depends if you want Tomcat to respond at all if a user tries
>> to use a non-TLS connection.
> 
> I do not want any unencrypted traffic. Ideally I would have
> iptables redirect requests to port 80 to 8443.

That's not going to do what you want it to do (assuming that 8443 is
encrypted). Clients expect that port 80 is unencrypted, so sending
traffic from port 80 to port 8443 is likely to confuse all clients.

If you want to accept unencrypted connections and proxy them to
encrypted ones (i.e. actually take clients on port 80 and send them to
your encrypted connection available on port 8443 -- which is actually
really silly because it just wastes resources and provides no benefit
whatsoever), then use stunnel locally. Again, it makes no sense to do
this.

> I need to run Tomcat as the tomcat user so I can't listen on port
> 80 or 443.
> 
> I'm making iptables redirect inbound 80 --> 8443 but I think I need
> an outbound rule to allow the replies out.
> 
> Inbound: iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
> REDIRECT --to-ports 8443

Re-routing replies is not necessary. Google will help you find the
Tomcat wiki's documentation for how to do this.

I still think it's not necessary for you to do this for your job
interview. I think you're doing more work than strictly necessary.

> Or perhaps I need to set up httpd in front of Tomcat.

Needless complexity.

-chris
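The iptables REDIRECT that Msh and Chris discuss above, written out as an added example; it is not part of the thread and not Tomcat's own documentation. It assumes the network interface is eth0, Tomcat's TLS connector listens on 8443 as an unprivileged user, and the public port is 443 (the TLS-only setup the thread is really after, rather than the 80 -> 8443 rule in the quoted message, which would hand plaintext HTTP to a TLS listener). The script only emits and applies the two nat-table rules; as Chris says, no "reply" rule is needed because REDIRECT is a destination NAT and conntrack reverses it on the return packets.

```bash
#!/bin/sh
# Added example (not from the thread): run Tomcat on an unprivileged port
# and let iptables redirect the privileged public port to it.
# Assumptions: interface eth0, Tomcat TLS connector on 8443, public port 443.

PUBLIC_PORT="${PUBLIC_PORT:-443}"
TOMCAT_PORT="${TOMCAT_PORT:-8443}"
IFACE="${IFACE:-eth0}"

# Reject a port pair that cannot be right: both must be numeric, the
# Tomcat port must be unprivileged (>= 1024, the whole reason for the
# redirect) and the two must differ.
valid_ports() {
    pub="$1"; tc="$2"
    for p in "$pub" "$tc"; do
        case "$p" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$pub" -ge 1 ] && [ "$pub" -le 65535 ] || return 1
    [ "$tc" -ge 1024 ] && [ "$tc" -le 65535 ] || return 1
    [ "$pub" -ne "$tc" ]
}

# Emit the rule bodies without the -A/-C verb, so the same text serves
# both to check for an existing rule and to append it.
nat_rules() {
    pub="$1"; tc="$2"; iface="$3"
    # Connections arriving from the network on the public port.
    printf 'PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$iface" "$pub" "$tc"
    # Locally generated connections (curl https://localhost/ on the box):
    # PREROUTING never sees those, so the same redirect goes in OUTPUT.
    printf 'OUTPUT -o lo -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$pub" "$tc"
}

# Idempotent apply: "iptables -C" succeeds when the rule already exists,
# so re-running the script never duplicates rules. Needs root.
apply_rules() {
    valid_ports "$PUBLIC_PORT" "$TOMCAT_PORT" || {
        echo "bad port pair: $PUBLIC_PORT -> $TOMCAT_PORT" >&2
        return 1
    }
    nat_rules "$PUBLIC_PORT" "$TOMCAT_PORT" "$IFACE" | while read -r rule; do
        # $rule is split into words on purpose.
        # shellcheck disable=SC2086
        if iptables -t nat -C $rule 2>/dev/null; then
            echo "present: $rule"
        else
            iptables -t nat -A $rule && echo "added:   $rule"
        fi
    done
}

# Only touch the firewall when explicitly asked (APPLY=1 ./redirect.sh),
# so the functions can also be sourced or dry-run.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    nat_rules "$PUBLIC_PORT" "$TOMCAT_PORT" "$IFACE" | sed 's/^/iptables -t nat -A /'
fi
```

Two things worth checking afterwards. First, `iptables -t nat -S PREROUTING` should list exactly one REDIRECT line for the port pair, however many times the script ran. Second, if you also keep a plain HTTP connector to bounce browsers to HTTPS (a CONFIDENTIAL security-constraint in web.xml), its `redirectPort` must be the public port (443), not 8443: Tomcat builds the redirect URL from that attribute, and external clients can only reach the public port. Note also that, unlike putting httpd in front, REDIRECT leaves Tomcat seeing the real client address, so access logs and any remote-address valves keep working unchanged.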