Garret,

On 2/8/19 08:27, Garret Wilson wrote:
> On 2/7/2019 9:54 PM, Christopher Schultz wrote:
>> … I would argue that adding Apache httpd into the mix (where it is
>> not already there) is more complicated than using Let's Encrypt with
>> Tomcat.
>
> OK, I guess I didn't figure in the part about adding/configuring the
> connector. But still there are a few things I have doubts about, just
> looking over the document quickly:
>
> * There's still the issue about listening on lower port numbers. From
> the presentation, it looks like I would need to teach myself about
> iptables.

Or use jsvc. Or authbind. There are lots of ways to make lower-numbered
ports work these days. Are the students running their own servers / VMs /
containers / whatever? I mean... not everyone can have port 80 on the same
machine, so...

jsvc is fairly straightforward. catalina.sh supports it pretty much
directly.

> I wonder if students (and I) would find mucking with iptables
> configurations easier than just installing apache using APT and editing
> some XML files. (I don't know; I haven't looked into it deeply.) And the
> presentation tantalizingly mentioned something called "jsvc" but didn't
> provide any further details. I'll have to research that. Then I'll
> search for "jsvc vs iptables", etc. So the presentation is a good thing
> to tell me what to look for.

jsvc is a native wrapper around Tomcat that can elevate privileges, bind to
port 80 (and 443, or whatever you need), then drop privileges.

> * What about forwarding from the non-secure site to the HTTPS site?
> Apache makes that pretty easy; actually it's a little arcane, but once
> you have the virtual host file one wants one can use it as a pattern.
> I'll note that the presentation didn't cover that.
Just put this into your web.xml like always (right?):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Tomcat will handle the redirect if you try to access the application via a
non-secure protocol.

> Or is that something iptables is responsible for, too?

Nope, iptables doesn't re-write protocols. It only re-wires ports. If you
connect to a secure service with a non-secure protocol, the TLS handshake
will fail. At least, on Tomcat it will.

-chris
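As an added example, not part of Chris's message or of Tomcat itself: a small Python auditor that parses a web.xml and reports which request paths are actually forced onto HTTPS by a CONFIDENTIAL transport guarantee. Both web.xml documents inside it are constructed for the example (one mirrors the whole-site constraint above, with an extra hypothetical /health constraint set to NONE; the other reproduces a mismatched closing tag, which makes the file unparseable so the constraint never takes effect). The url-pattern matcher and the union rule for overlapping constraints follow the Servlet specification; the function and constant names are my own.

```python
"""Audit a Tomcat web.xml for HTTPS-forcing security constraints.

Tomcat only redirects plain-HTTP requests to HTTPS for paths covered by a
<security-constraint> whose <transport-guarantee> is CONFIDENTIAL (or
INTEGRAL). The functions below parse a web.xml, list each constraint's
patterns and guarantee, and decide for a request path whether HTTPS is
forced. Both documents here are constructed samples, not real deployments.
"""
import xml.etree.ElementTree as ET

# Constructed sample: whole site CONFIDENTIAL, but a second (hypothetical)
# constraint leaves /health reachable over plain HTTP.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Health check</web-resource-name>
      <url-pattern>/health</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample with a mismatched closing tag (<web-resource-name> closed
# by </web-resource-collection>); the XML parser rejects it, so nothing in
# this file ever protects anything.
BROKEN_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole site</web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

HTTPS_GUARANTEES = {"CONFIDENTIAL", "INTEGRAL"}


def _local(tag):
    """Strip the namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _descendants_named(elem, name):
    """All descendants of elem whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def is_well_formed(web_xml_text):
    """True if the document parses; a mismatched tag makes this False."""
    try:
        ET.fromstring(web_xml_text)
        return True
    except ET.ParseError:
        return False


def audit_constraints(web_xml_text):
    """One dict per <security-constraint>: url-patterns, guarantee, and whether
    that guarantee forces HTTPS. A missing <transport-guarantee> means NONE."""
    root = ET.fromstring(web_xml_text)
    report = []
    for sc in _descendants_named(root, "security-constraint"):
        patterns = [p.text.strip() for p in _descendants_named(sc, "url-pattern") if p.text]
        guarantees = [g.text.strip().upper()
                      for g in _descendants_named(sc, "transport-guarantee") if g.text]
        guarantee = guarantees[0] if guarantees else "NONE"
        report.append({"patterns": patterns,
                       "guarantee": guarantee,
                       "https_forced": guarantee in HTTPS_GUARANTEES})
    return report


def pattern_matches(pattern, path):
    """Servlet-style url-pattern matching: '/*', '/prefix/*', '*.ext', or exact."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def https_forced_for(path, web_xml_text):
    """True only if every constraint matching `path` forces HTTPS. Overlapping
    constraints accept the union of their connection types (Servlet spec), so
    one matching constraint with NONE lets plain HTTP through."""
    matching = [c for c in audit_constraints(web_xml_text)
                if any(pattern_matches(p, path) for p in c["patterns"])]
    return bool(matching) and all(c["https_forced"] for c in matching)


def unprotected_paths(paths, web_xml_text):
    """Filter request paths down to those still reachable over plain HTTP."""
    return [p for p in paths if not https_forced_for(p, web_xml_text)]


if __name__ == "__main__":
    print("broken web.xml well-formed:", is_well_formed(BROKEN_WEB_XML))
    for c in audit_constraints(SAMPLE_WEB_XML):
        print(c)
    print("plain HTTP allowed for:",
          unprotected_paths(["/", "/login", "/health", "/app/x.jsp"], SAMPLE_WEB_XML))
```

Running it against your own web.xml (read the file and pass the text in) shows two things worth checking before relying on the Tomcat redirect: that the file parses at all, and that no narrower constraint with NONE punches a hole in the whole-site CONFIDENTIAL rule.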