Matthew,

On 5/5/16 9:09 PM, Matthew Herzog wrote:
> You said, "the http-bio-8443 endpoint is an HTTP connector, not an
> AJP13 connector."
>
> This is confusing to me because all the tutorials I have read don't
> say anything about commenting out the line in server.xml that
> reads:
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Usually tutorials are written to get you started quickly, and don't
want to explain what's really going on.

Read the documentation for "redirectPort" on this page:
https://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html

(or this page)
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

The redirectPort has meaning, but it's not the meaning you were
thinking. The real port being used above is 8009. You can set the
redirect port to 12345 and you will still use port 8009 to connect to
your AJP connector.

In your case, it appears you are not even using your AJP connector, so
its configuration is essentially meaningless.

> I had assumed port 8443 was analogous to port 443. Bad assumption
> on my part.

8443 is traditionally the port used by non-privileged processes to
listen for HTTPS requests. That's why you'll likely see a

<Connector port="8443" SSLEngine="on" secure="true" ... />

somewhere in your configuration.

In order to use TLS (the modern name for what used to be called SSL),
you definitely need to have a keystore. (I suppose you could use NULL
authentication and/or key exchange and yes, I guess you could use a
pre-shared key, but I don't believe Tomcat currently supports such
setups, and obviously using NULL authentication and/or key exchange
pretty much means that you aren't using encryption, so there's no point
in using HTTPS at that point.)

But, really: don't run Tomcat as root. If there's a reason you think
you should be (or need to be) running Tomcat as root, let us know and
we'll tell you how to fix that so you don't need to run as root anymore.

Hope that helps,
-chris

> On Thu, May 5, 2016 at 5:28 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
> Matthew,
>
> On 5/5/16 5:05 PM, Matthew Herzog wrote:
>>>> when I run the startup script
>>>>
>>>> /usr/bin/java -Djava.security.egd=file:/dev/./urandom
>>>> -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m
>>>> -XX:+UseConcMarkSweepGC -classpath
>>>> /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
>>>> -Dcatalina.base=/usr/share/tomcat
>>>> -Dcatalina.home=/usr/share/tomcat
>>>> -Djava.endorsed.dirs=
>>>> -Djava.io.tmpdir=/var/cache/tomcat/temp
>>>> -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties
>>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>>> org.apache.catalina.startup.Bootstrap start
>>>>
>>>> I see the following error.
>>>>
>>>> SEVERE: Failed to initialize end point associated with
>>>> ProtocolHandler ["http-bio-8443"]
>>>>
>>>> java.io.FileNotFoundException: /root/.keystore (No such file
>>>> or directory)
>>>>
>>>> So if I change my ajp config from
>>>>
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>>
>>>> to
>>>>
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="80" />
>>>>
>>>> will I be able to avoid the keystore work? I'm doing a proof
>>>> of concept so my cluster will never be exposed to the
>>>> Internet.
>
> You are confused about a few things:
>
> 1. It's never good to run as root. Stop doing that.
>
> 2. The "redirectPort" attribute doesn't have any effect on what
> ports Tomcat binds to.
>
> 3. The http-bio-8443 endpoint is an HTTP connector, not an AJP13
> connector.
>
> 4. If you want to enable TLS, then yes, you will need a keystore.
>
> So, if you don't need HTTPS, then disable whatever connector you
> have that looks kind of like this:
>
> <Connector port="443" secure="true" ... />
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
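To make the distinction in this thread concrete, here is an added server.xml fragment (example configuration, not from the thread or from the Tomcat project's own files) showing the three connectors side by side. It assumes Tomcat 8.0 attribute names (keystoreFile, keystorePass, SSLEnabled, scheme, secure), an assumed keystore path under conf/, and an assumed placeholder password. The "before" form is the one that produced the FileNotFoundException: an HTTPS connector with no keystoreFile, so Tomcat falls back to its default of .keystore in the home directory of the user running it, which was /root because Tomcat was started as root.

```xml
<!-- Added example fragment for conf/server.xml; paths and password are assumptions. -->
<Service name="Catalina">

  <!-- Plain HTTP. redirectPort only matters when a webapp's security-constraint
       demands CONFIDENTIAL: Tomcat then answers with a redirect to this port.
       It does not open port 8443 by itself and has nothing to do with AJP. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- BEFORE (what the startup error came from): an HTTPS connector with no
       keystoreFile. Default is ${user.home}/.keystore, i.e. /root/.keystore
       when running as root, which did not exist. -->
  <!--
  <Connector port="8443" protocol="HTTP/1.1"
             SSLEnabled="true" scheme="https" secure="true" />
  -->

  <!-- AFTER, option 1: keep HTTPS and point the connector at an explicit
       keystore owned by the unprivileged tomcat user. Assumed path/password. -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="150" sslProtocol="TLS" clientAuth="false"
             keystoreFile="${catalina.base}/conf/tomcat-poc.jks"
             keystorePass="CHANGE-ME-placeholder" />

  <!-- AFTER, option 2 (proof of concept, no HTTPS wanted): remove or comment
       out the 8443 connector entirely. The redirectPort on the 8080 connector
       can stay; it is only consulted for CONFIDENTIAL constraints. -->

  <!-- AJP/1.3 is a separate protocol on its own port (8009). It is only
       needed behind a reverse proxy speaking AJP; if nothing talks AJP to
       this Tomcat, leave it disabled. Changing its redirectPort never
       affects which ports Tomcat binds. -->
  <!--
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  -->

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

If HTTPS is kept, the keystore should be created and owned by the account Tomcat actually runs as (not root), and that same account should be the one in the service unit or init script, so the ${user.home} default, if ever relied on again, resolves to a directory that account controls.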