Posted to users@tomcat.apache.org by "Aggarwal, Ajay" <Aj...@stratus.com> on 2010/12/07 20:10:47 UTC

enforcing SSL only for external clients

My tomcat application (running on a linux host) has 2 types of clients.
Local clients coming on localhost (127.0.0.1) and external clients
coming on external interfaces. I want to enforce use of SSL only for
external clients. How do I do that? If I use <security-constraint> I am
assuming it will apply to both local as well as external clients.

-Ajay


Re: enforcing SSL only for external clients

Posted by Nicholas Sushkin <ns...@openfinance.com>.
On Tuesday, December 07, 2010 14:34:55 Aggarwal, Ajay wrote:
> Aggarwal, Ajay wrote:
> > My tomcat application (running on a linux host) has 2 types of clients.
> > Local clients coming on localhost (127.0.0.1)
>   and external clients
> 
> > coming on external interfaces. I want to enforce use of SSL only for
> > external clients. How do I do that? If I use <security-constraint> I am
> > assuming it will apply to both local as well as external clients.

Perhaps Url Rewrite Filter http://www.tuckey.org/urlrewrite can be set up to 
redirect all http requests to https with the same URL?

Something like (not tested)

<rule> 
	<condition type="scheme" operator="equal">^http$</condition> 
	<condition type="remote-addr" operator="notequal">127.0.0.1</condition> 
	<from>/(.*)</from> 
	<to type="permanent-redirect" last="true">https://%{server-name}/$1</to> 
</rule> 

Configure 
-- 
Nicholas Sushkin, Senior Software Engineer, Manager of IT Operations
Open Finance Aggregation eXchange <http://www.aggex.com>

Re: enforcing SSL only for external clients

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ajay,

On 12/9/2010 11:29 AM, Aggarwal, Ajay wrote:
> You are correct. I benchmarked in both directions and performance is
> pretty comparable (http vs https). BTW, my application uses Java and
> Apache HTTP Components library to perform these file transfers.
> 
> While downloading from the server, I saw very similar %CPU and the
> total time taken for download was also about the same.
> 
> While uploading to the server, I saw that in my situation HTTP kept
> %CPU in 60-80% range, while HTTPS was in 70-80% range... marginal
> difference. And total time taken for upload via HTTPS was about 30%
> more than via HTTP.
> 
> I can live with this performance difference.

A little data can go a long way toward setting priorities :)

> I think we need to change Tomcat documentation slightly. See below
> from tomcat 6.0 documentation 
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html Section:
> General Tips on Running SSL

Patches -- even to the documentation -- are always welcome.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: enforcing SSL only for external clients

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Chris,

You are correct. I benchmarked in both directions and performance is pretty comparable (http vs https). BTW, my application uses Java and Apache HTTP Components library to perform these file transfers.

While downloading from the server, I saw very similar %CPU and the total time taken for download was also about the same. 

While uploading to the server, I saw that in my situation HTTP kept %CPU in 60-80% range, while HTTPS was in 70-80% range... marginal difference. And total time taken for upload via HTTPS was about 30% more than via HTTP.

I can live with this performance difference. 

I think we need to change Tomcat documentation slightly. See below from tomcat 6.0 documentation 
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
Section: General Tips on Running SSL

"Also, while the SSL protocol was designed to be as efficient as securely possible, encryption/decryption is a computationally expensive process from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and indeed a developer can pick and choose which pages require a secure connection and which do not."

-Ajay


Re: enforcing SSL only for external clients

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Ajay,

On 12/8/2010 5:24 PM, Aggarwal, Ajay wrote:
> Most of the application will be over SSL for external clients. There
> is one part where the clients may upload or download a huge file over
> HTTP which I don't want to go through SSL. I am thinking
> uploading/downloading these huge files over SSL will create a lot of
> stress on the server.

FWIW, it's the SSL handshake that is the most stressful part of the
conversation. Once that's completed, the encryption on both sides is
symmetric and fairly low-stress on the connection.

I encourage you to benchmark your app under these conditions. It sounds
like you are making performance decisions without any data to back them up.

- -chris


RE: enforcing SSL only for external clients

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
These file transfers are performed using Java and Apache HTTP Components library. Security is being handled by requiring clients to pass a token, which was issued to the client upon successful authentication. 

But as I mentioned in my other email looks like my assumptions about HTTPS causing significantly more stress on my server for these large file transfers were wrong.


Re: enforcing SSL only for external clients

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 12/9/2010 1:50 PM, André Warnier wrote:
> Assume that the upload URL in question is handled by an application
> requiring HTTPS.
> And assume that the web application requires some form of user
> authentication.

Ok.

> Are you telling me that if a user connects for the first time to the
> site using this "upload URL", Tomcat is going to read the entire POST
> request prior to checking if this user is authenticated ?

It might not even need to be an upload URL.

If the authenticator rejects the request, or even if the application
rejects the request for some reason, I believe there's a loop in the
Tomcat code before shutting everything down that looks something like this:

while (in.read() != -1)
  ;   // drain whatever is left of the request body before closing

That means that you can hold-up a thread as long as you can keep sending
data. I'm not sure what happens if the servlet explicitly closes the
input stream... clearly Tomcat can't drain it once it's closed.

I may be wrong -- this used to be the behavior; it may have changed
since then.

- -chris


Re: enforcing SSL only for external clients

Posted by André Warnier <aw...@ice-sa.com>.
Christopher,

Christopher Schultz wrote:
> André,
> 
> On 12/8/2010 5:58 PM, André Warnier wrote:
>> If we are talking about a standard web application using a standard html
>> interface and standard browsers, then such an upload would be triggered
>> by a POST from a html form with a <input type="file"> in it, right ?
>> If the upload URL (target of the form) is not within the HTTPS protected
>> part, then anyone could access it and post a huge file to your site, no
>> ?  That may cause more stress on your server than doing this via HTTPS
>> ever would.
> 
> Here's the bad news: this can happen anyway. If I initiate an upload to
> your webapp via HTTPS -- even if I don't have a session -- I can still
> waste a lot of resources.
> 
> I haven't confirmed this myself -- someone hopefully will -- but Tomcat
> will consume the entire request body before closing the connection from
> the client. 

Assume that the upload URL in question is handled by an application requiring HTTPS.
And assume that the web application requires some form of user authentication.

Are you telling me that if a user connects for the first time to the site using this 
"upload URL", Tomcat is going to read the entire POST request prior to checking if this 
user is authenticated ?



Re: enforcing SSL only for external clients

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 12/8/2010 5:58 PM, André Warnier wrote:
> If we are talking about a standard web application using a standard html
> interface and standard browsers, then such an upload would be triggered
> by a POST from a html form with a <input type="file"> in it, right ?
> If the upload URL (target of the form) is not within the HTTPS protected
> part, then anyone could access it and post a huge file to your site, no
> ?  That may cause more stress on your server than doing this via HTTPS
> ever would.

Here's the bad news: this can happen anyway. If I initiate an upload to
your webapp via HTTPS -- even if I don't have a session -- I can still
waste a lot of resources.

I haven't confirmed this myself -- someone hopefully will -- but Tomcat
will consume the entire request body before closing the connection from
the client. That means that if I upload 1GiB to your server, your server
is going to read every bit of it -- over HTTPS if I choose -- before
returning the request processor to the pool. Of course, all those bytes
are simply discarded... it's not like that 1GiB is read entirely into
memory or anything.

But the whole file will be read, wasting all that CPU time for SSL and
all that clock time waiting for the bytes to arrive, only to be ignored.

- -chris
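The mitigation side of the drain behaviour Chris describes, added here as an example (it is not code from the thread or from Tomcat): a servlet Filter placed in front of the upload URL that checks the client's token (the token scheme Ajay mentions elsewhere in the thread) and the declared Content-Length from headers alone, so the application never reads a body it is going to refuse. The header name X-Upload-Token, the TokenValidator interface, the context attribute name and the size limit are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: refuse unauthenticated or oversized uploads using only the
 * request line and headers. Map it in web.xml to the upload URL pattern.
 */
public class UploadGateFilter implements Filter {

    /** Assumed contract of the login code: validates tokens it issued over HTTPS. */
    public interface TokenValidator {
        boolean isValid(String token);
    }

    /** Constructed limit for the example; size it to the largest legitimate upload. */
    static final long MAX_UPLOAD_BYTES = 4L * 1024 * 1024 * 1024;

    /** Hypothetical attribute name under which the login code registers its validator. */
    static final String VALIDATOR_ATTR = "example.tokenValidator";

    private TokenValidator tokens;

    public void init(FilterConfig cfg) throws ServletException {
        tokens = (TokenValidator) cfg.getServletContext().getAttribute(VALIDATOR_ATTR);
        if (tokens == null) {
            throw new ServletException("no TokenValidator registered as " + VALIDATOR_ATTR);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Nothing below touches request.getInputStream(), so a refused body costs the
        // application no decryption or copying. The connector may still drain what the
        // client keeps sending, which is exactly the behaviour discussed above.

        // 1. Authentication from a header, checked before any body is read.
        String token = request.getHeader("X-Upload-Token");
        if (token == null || !tokens.isValid(token)) {
            refuse(response, HttpServletResponse.SC_UNAUTHORIZED, "missing or invalid upload token");
            return;
        }

        // 2. Requests that carry a body must declare a size, and it must fit the limit.
        //    A chunked upload has no Content-Length, so its size is unknown: refuse it.
        String method = request.getMethod();
        if ("POST".equals(method) || "PUT".equals(method)) {
            long length = declaredLength(request);
            if (length < 0) {
                refuse(response, HttpServletResponse.SC_LENGTH_REQUIRED, "Content-Length required");
                return;
            }
            if (length > MAX_UPLOAD_BYTES) {
                refuse(response, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                        "upload exceeds " + MAX_UPLOAD_BYTES + " bytes");
                return;
            }
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** Content-Length as a long, or -1 when the header is absent or malformed. */
    static long declaredLength(HttpServletRequest request) {
        String value = request.getHeader("Content-Length");
        if (value == null) {
            return -1L;
        }
        try {
            return Long.parseLong(value.trim());
        } catch (NumberFormatException e) {
            return -1L;
        }
    }

    /** Send the error and ask the connector not to reuse this connection for more requests. */
    static void refuse(HttpServletResponse response, int status, String reason) throws IOException {
        response.setHeader("Connection", "close");
        response.sendError(status, reason);
    }
}
```

The filter saves the application's share of the work, not the connector's: Tomcat still drains the rest of the refused body as Chris says, and only later Tomcat releases added the Connector attribute maxSwallowSize to cap how much it drains.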


Re: enforcing SSL only for external clients

Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> Most of the application will be over SSL for external clients. There is one part where the clients may upload or download a huge file over HTTP which I don't want to go through SSL. I am thinking uploading/downloading these huge files over SSL will create a lot of stress on the server.
> 

Let me be constructively critical and provide my 2 cents:

If we are talking about a standard web application using a standard html interface and 
standard browsers, then such an upload would be triggered by a POST from a html form with 
a <input type="file"> in it, right ?
If the upload URL (target of the form) is not within the HTTPS protected part, then anyone 
could access it and post a huge file to your site, no ?  That may cause more stress on 
your server than doing this via HTTPS ever would.

Or else, how are you going to ensure that any client uploading a huge file to your server 
is entitled to do so ?  Plus, you may need to know who is doing this, just to know what to 
do with the file.  So you would need a form of authentication that starts under HTTPS, but 
is valid also when posting the form under HTTP.  Not necessarily evident, and in any case 
not evident with any of the standard Tomcat authentication methods, as Christopher pointed 
out.

Note that there can be ways to achieve a reasonable level of security for doing this kind 
of thing (reasonable being a flexible concept dependent upon your precise context).
But running most of the site under HTTPS except for that upload portion seems leaky to me.

Better and cheaper maybe to get a bigger server.
You run the risk otherwise to spend more than the difference, trying to find out ways to 
do this securely, which is what HTTPS provides as a matter of fact.

I would run a test, uploading the same file over HTTP and over HTTPS, and measure the 
system's reaction, to determine really what overhead this causes, percentage-wise, for the 
server.  Decryption should be 99.9% CPU, and in my experience that is a facet where modern 
servers are rarely overloaded.  With huge files, your communication bandwidth is more 
likely to be the limiting factor.

And if it really overloads the server, then again the solution may be with a front-end 
which takes care of the HTTPS part.



RE: enforcing SSL only for external clients

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Most of the application will be over SSL for external clients. There is one part where the clients may upload or download a huge file over HTTP which I don't want to go through SSL. I am thinking uploading/downloading these huge files over SSL will create a lot of stress on the server.


Re: enforcing SSL only for external clients

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 12/8/2010 5:01 PM, André Warnier wrote:
> Aggarwal, Ajay wrote:
>> For external clients, I want to enforce SSL only on part of my
>> application (certain URLs) not all.
>>
>> I will look into URL Rewrite as suggested by Nicholas.
>
> Mixing SSL and non-SSL parts within the same application is - in my
> humble view - a recipe for a lot of complications and user inconvenience.
> (Such as : some browsers will pop up a message to the user, when
> switching from HTTP to HTTPS and vice-versa)

+1

Other considerations:

- - If you want to protect user credentials, you must use SSL during
  authentication
- - If you authenticate using SSL, you will likely lose your session when
  dropping down to non-secure

The best advice is to simply use SSL if you care about the security of
your app and your users.

- -chris


Re: enforcing SSL only for external clients

Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> Thanks to all who have given different suggestions.
> 
> Binding HTTP (port 80) to 127.0.0.1 and HTTPS (port 443) to external/public IP will not work for me. My situation is slightly more complicated. 

Now why did I guess that already ?
Probably the experience of customer-written specifications.
:-)

> For external clients, I want to enforce SSL only on part of my application (certain URLs) 
> not all.
> 
> I will look into URL Rewrite as suggested by Nicholas.
> 
And when you really take into account all aspects of the requirements (authentication for 
the externals ?), you may still want to have a second look at the 2 <Host> possibilities.

Mixing SSL and non-SSL parts within the same application is - in my humble view - a recipe 
for a lot of complications and user inconvenience.
(Such as : some browsers will pop up a message to the user, when switching from HTTP to 
HTTPS and vice-versa)

Q: if a part of it, for some category of users, has to go through HTTPS, then what stops 
you from making it all HTTPS for everyone, internal and external ?

Q: what about a simple front-end proxy, which would take care of the HTTPS part for the 
externals, and connect internally to Tomcat over standard HTTP ?
The internals can go around the proxy and access the application directly via HTTP.

A minimal Apache httpd, running on the same box, would do that easily.





RE: enforcing SSL only for external clients

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Thanks to all who have given different suggestions.

Binding HTTP (port 80) to 127.0.0.1 and HTTPS (port 443) to external/public IP will not work for me. My situation is slightly more complicated. For external clients, I want to enforce SSL only on part of my application (certain URLs) not all. 

I will look into URL Rewrite as suggested by Nicholas.

-Ajay

Re: enforcing SSL only for external clients

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 12/7/2010 6:02 PM, Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com] 
>> Subject: Re: enforcing SSL only for external clients
> 
>> You will probably need 2 separate <Connectors>, one for HTTP and 
>> the other for HTTPS.
> 
> I think that's true.

It's definitely true: a single connector can't serve both secure and
non-secure. ;)

>> You probably need to set the "useIPVHosts" attribute inside your 
>> <Connector> tags to "true".
> 
> Probably not necessary, nor are multiple <Host> elements.

If the OP /really wants/ to use <transport-guarantee>, then dual hosts
will be necessary.

> How about just setting the address attribute for the port 80
> <Connector> to "127.0.0.1", and the port 443 <Connector> to the
> public IP address, and *do not* set <transport-guarantee> to
> CONFIDENTIAL in the web.xml files.

I like this solution, unless of course the OP feels strongly about using
<transport-guarantee>.

If the web application needs to provide its own enforcement of these
requirements, it can be done with a custom filter or even with Tuckey's
urlrewrite. That way, the webapp can protect itself instead of having to
rely on the (independent) server configuration.

- -chris
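The application-side version of Nicholas's urlrewrite rule and of the custom filter Chris mentions, added here as an example (not code from the thread, from Tomcat or from urlrewrite): a servlet Filter that lets loopback clients through on plain HTTP and sends everyone else to HTTPS. It assumes Tomcat accepts the client connections itself, so getRemoteAddr() is the real peer address; the class name and the httpsPort init-param are placeholders.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: require TLS from every client except those connecting from a
 * loopback address. Map it in web.xml to "/*", or only to the URL patterns that
 * must be protected.
 */
public class ExternalTlsFilter implements Filter {

    /** HTTPS port written into the redirect Location; read from the assumed init-param "httpsPort". */
    private int httpsPort = 443;

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("httpsPort");
        if (p != null && p.trim().length() > 0) {
            httpsPort = Integer.parseInt(p.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Already on TLS, or a local program talking to 127.0.0.1 / ::1: let it through.
        // getRemoteAddr() is only meaningful when Tomcat accepts the TCP connection
        // itself; behind a reverse proxy every request would look local.
        if (request.isSecure() || isLoopback(request.getRemoteAddr())) {
            chain.doFilter(req, res);
            return;
        }

        // External client on plain HTTP. Redirect only safe methods: a POST body has
        // already crossed the wire in clear, so refusing it is the honest answer.
        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrl(request, httpsPort));
            return;
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS is required for external clients");
    }

    public void destroy() {
    }

    /** Loopback test on the literal peer address; anything unparsable is treated as external. */
    static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null) {
            return false;
        }
        try {
            // getRemoteAddr() yields an IP literal, so no DNS lookup happens here.
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false;
        }
    }

    /** Same host, path and query string as the request, with the https scheme and port. */
    static String httpsUrl(HttpServletRequest request, int port) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (port != 443) {
            url.append(':').append(port);
        }
        url.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }
}
```

Mapping the filter to a subset of URL patterns in web.xml gives the "certain URLs" behaviour Ajay asked for. Behind a reverse proxy every request would arrive from the proxy's address, so the loopback test would have to use the client address the proxy forwards instead.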


RE: enforcing SSL only for external clients

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com] 
> Subject: Re: enforcing SSL only for external clients

> And, while we are at it, how about IP-based VHosts ?
> Are they described anywhere in the docs ? 

Not that I can find, other than the attribute description for the <Connector> elements which you already pointed out.

 - Chuck



RE: enforcing SSL only for external clients

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com] 
> Subject: Re: enforcing SSL only for external clients

> You will probably need 2 separate <Connectors>, one for HTTP and 
> the other for HTTPS.

I think that's true.

> You probably need to set the "useIPVHosts" attribute inside your 
> <Connector> tags to "true".

Probably not necessary, nor are multiple <Host> elements.

How about just setting the address attribute for the port 80 <Connector> to "127.0.0.1", and the port 443 <Connector> to the public IP address, and *do not* set <transport-guarantee> to CONFIDENTIAL in the web.xml files.  

 - Chuck



Re: enforcing SSL only for external clients

Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> Yes local clients are programs running on the same machine as the server and they access my application over the localhost IP, i.e. 127.0.0.1. Whereas external clients access my application over external interface, i.e. public IP. And yes, this machine running the server is connected directly to the internet with an interface having a "public" IP.
> 

Alright then.

I'm doing a bit of guesswork here, because I have never used this myself.
And also, apart from a cryptic reference in the Connector documentation, there does not 
seem to be documentation for this.

You will probably need 2 separate <Connectors>, one for HTTP and the other for HTTPS.

You probably need to set the "useIPVHosts" attribute inside your <Connector> tags to 
"true". (see http://tomcat.apache.org/tomcat-6.0-doc/config/http.html).

This may help for the next part : 
http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html
but it does not talk about "IP-based" virtual hosts, only about name-based ones, so I will 
continue to guess.

You will probably need to define 2 separate <Host> sections, each one with its "name" 
attribute set to the respective IP address which you want it to respond to.

Each one should also have its own "appBase" pointing to a distinct "webapps" directory.
And inside these 2 webapps directories, you will need a separate copy of your application.
In one you will set the configuration (in WEB-INF/web.xml) to not require SSL, and in the 
other to require it.

Alternatively to the above, you may find a way to achieve this by using the 
URLRewriteFilter, see http://www.tuckey.org/urlrewrite/

Note : that attribute "useIPVHosts" of the Connector seems to be the only place where 
IP-based V-hosts are mentioned in the online documentation.
But I found some links which may be helpful in Google when searching for :
tomcat "useIPVHosts"

RE: enforcing SSL only for external clients

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Yes local clients are programs running on the same machine as the server and they access my application over the localhost IP, i.e. 127.0.0.1. Whereas external clients access my application over external interface, i.e. public IP. And yes, this machine running the server is connected directly to the internet with an interface having a "public" IP.


Re: enforcing SSL only for external clients

Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> My tomcat application (running on a linux host) has 2 types of clients.
> Local clients coming on localhost (127.0.0.1)

that sounds strange, unless the clients are really programs running on the same machine as 
the server.

> and external clients
> coming on external interfaces. I want to enforce use of SSL only for
> external clients. How do I do that? If I use <security-constraint> I am
> assuming it will apply to both local as well as external clients.
> 
I think you need to describe your network setup a bit more in detail.
For example, is this machine connected directly to the Internet with an interface having a 
"public" IP address, or is there something in-between ?
Draw us a picture maybe ?



