Posted to users@tomcat.apache.org by Christoph Kukulies <ku...@kukulies.org.INVALID> on 2024/01/08 09:40:15 UTC
Secure connection - only ipv6 listener at port 8443
Hi,
I'm trying to connect to a tomcat9 server for which I made an entry in server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
and the following entries are also present, FWIW:
<Connector port="8082" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
proxyName="cms.mysite.de" maxThreads="150" enableLookups="false"
redirectPort="8443" acceptCount="100" connectionTimeout="20000"
disableUploadTimeout="true" />
<Connector port="8081" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
proxyName="othername.de" maxThreads="150" enableLookups="false"
redirectPort="8443" acceptCount="100" connectionTimeout="20000"
disableUploadTimeout="true" />
<Connector port="8080" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
proxyName="other.de" maxThreads="150" enableLookups="false"
redirectPort="8443" acceptCount="100" connectionTimeout="20000"
disableUploadTimeout="true" />
<Connector port="8086" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
proxyName="alternate.de" maxThreads="150" enableLookups="false"
redirectPort="8443" acceptCount="100" connectionTimeout="20000"
disableUploadTimeout="true" />
Connection to the server through port 8443 seems to work (filtered by ufw)
but I'm wondering why I don't see any tcp/v4 connection.
root@mail:/var/lib/tomcat9/logs# ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 25                         ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] 993                        ALLOW IN    Anywhere
[ 4] 587                        ALLOW IN    Anywhere
[ 5] 80                         ALLOW IN    Anywhere
[ 6] 22                         ALLOW IN    33.180.24.29
[ 7] 8080/tcp                   ALLOW IN    33.180.24.29
[ 8] 8443/tcp                   ALLOW IN    33.180.24.29
[ 9] 25 (v6)                    ALLOW IN    Anywhere (v6)
[10] 443 (v6)                   ALLOW IN    Anywhere (v6)
[11] 993 (v6)                   ALLOW IN    Anywhere (v6)
[12] 587 (v6)                   ALLOW IN    Anywhere (v6)
[13] 80 (v6)                    ALLOW IN    Anywhere (v6)
root@mail:/var/lib/tomcat9/logs# netstat -an | grep 8443
tcp6 0 0 :::8443 :::* LISTEN
08-Jan-2024 10:25:55.513 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.58 (Ubuntu)]
08-Jan-2024 10:25:55.532 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/var/lib/tomcat9/webapps/ROOT.war]
08-Jan-2024 10:26:07.487 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
08-Jan-2024 10:26:23.038 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/var/lib/tomcat9/webapps/ROOT.war] has finished in [27,506] ms
08-Jan-2024 10:26:23.043 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8082"]
08-Jan-2024 10:26:23.079 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8081"]
08-Jan-2024 10:26:23.094 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Jan-2024 10:26:23.098 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8086"]
08-Jan-2024 10:26:23.108 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-apr-8443"]
08-Jan-2024 10:26:23.133 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [27735] milliseconds
root@mail:/var/lib/tomcat9/logs# lsof -i :8443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 177550 tomcat 43u IPv6 1853946 0t0 TCP *:8443 (LISTEN)
root@mail:/var/lib/tomcat9/logs#
--
Christoph
Re: Secure connection - only ipv6 listener at port 8443
Posted by Christoph Kukulies <ku...@kukulies.org.INVALID>.
Ubuntu 22.04.3
Thanks. Output is indeed "0". So it listens to both protocol versions. Will stick with this of course :)
--
Christoph
> Am 08.01.2024 um 11:15 schrieb EML <sa...@cyconix.com>:
>
> Run this command (I'm assuming you're on Linux):
>
> $ cat /proc/sys/net/ipv6/bindv6only
>
> The default output is 0 on Linux (the Windows equivalent is apparently 1). 0 means that an IPv6 socket will connect to *both* IPv6 and IPv4 (look up IPV6_V6ONLY).
>
> You can force Java to listen to IPv4 only, with something like 'Environment="JAVA_OPTS_APPEND=-Djava.net.preferIPv4Stack=true', but you probably don't want to do this.
Re: Secure connection - only ipv6 listener at port 8443
Posted by EML <sa...@cyconix.com>.
Run this command (I'm assuming you're on Linux):
$ cat /proc/sys/net/ipv6/bindv6only
The default output is 0 on Linux (the Windows equivalent is apparently 1). 0 means that an IPv6 socket will connect to *both* IPv6 and IPv4 (look up IPV6_V6ONLY).
You can force Java to listen to IPv4 only, with something like 'Environment="JAVA_OPTS_APPEND=-Djava.net.preferIPv4Stack=true', but you probably don't want to do this.
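The dual-stack behaviour EML describes can be checked directly instead of being inferred from a "tcp6" line in netstat. The script below is an added example for this thread, not code from the thread or from Tomcat: it reads the bindv6only sysctl, then binds an AF_INET6 listener on [::] with IPV6_V6ONLY explicitly cleared and then explicitly set, and connects to each from a plain IPv4 client on 127.0.0.1. With IPV6_V6ONLY=0 the listener accepts the IPv4 client and sees it as the IPv4-mapped address ::ffff:127.0.0.1, which is what a ":::8443" listener means on a default Linux box; with IPV6_V6ONLY=1 the same connection is refused. The loopback addresses and the ephemeral port are the example's own assumptions. One caveat for the firewall side of the question: ufw keeps separate IPv4 and "(v6)" rule sets, and the listing above allows 8443/tcp only from one IPv4 address and has no "(v6)" entry for 8443, so reachability has to be verified per address family; a dual-stack listener does not make the firewall rules dual-stack.

```python
"""Check whether an IPv6 wildcard listener also accepts IPv4 clients.

Added example: exercises the IPV6_V6ONLY socket option that the
net.ipv6.bindv6only sysctl defaults on Linux.  Uses loopback only and an
ephemeral port (both assumptions of this example), so it runs offline.
"""
import socket
from typing import Optional


def read_bindv6only(path: str = "/proc/sys/net/ipv6/bindv6only") -> Optional[int]:
    """Kernel default for IPV6_V6ONLY on new AF_INET6 sockets (Linux only).

    0 = dual-stack: a listener bound to [::] also takes IPv4 connections.
    1 = IPv6 only.  Returns None where the sysctl does not exist
    (non-Linux, or IPv6 compiled out / disabled).
    """
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def ipv4_client_result(v6only: bool, timeout: float = 2.0) -> Optional[dict]:
    """Bind [::]:<ephemeral> with IPV6_V6ONLY=v6only, connect from IPv4.

    Returns None if an IPv6 socket cannot be created or bound at all
    (IPv6 unavailable on this host).  Otherwise returns a dict with:
      accepted -- True if the IPv4 client was accepted by the v6 listener
      peer     -- address the listener saw (IPv4-mapped, e.g. ::ffff:127.0.0.1)
      port     -- the ephemeral port that was used
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Explicit per-socket setting overrides the bindv6only sysctl default.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        try:
            srv.bind(("::", 0))  # "::" is the IPv6 wildcard, like :::8443 in netstat
        except OSError:
            return None
        srv.listen(1)
        srv.settimeout(timeout)
        port = srv.getsockname()[1]

        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # plain IPv4 client
        cli.settimeout(timeout)
        with cli:
            try:
                cli.connect(("127.0.0.1", port))
            except OSError:
                # ConnectionRefusedError: nothing is listening on IPv4 for this port,
                # which is exactly the IPV6_V6ONLY=1 case.
                return {"accepted": False, "peer": None, "port": port}
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                return {"accepted": False, "peer": None, "port": port}
            conn.close()
            return {"accepted": True, "peer": peer[0], "port": port}


def describe() -> str:
    """Human-readable summary of the sysctl default and both probe results."""
    lines = [f"net.ipv6.bindv6only = {read_bindv6only()}"]
    for flag in (False, True):
        r = ipv4_client_result(v6only=flag)
        if r is None:
            lines.append(f"IPV6_V6ONLY={int(flag)}: IPv6 sockets unavailable on this host")
        elif r["accepted"]:
            lines.append(f"IPV6_V6ONLY={int(flag)}: IPv4 client accepted, seen as {r['peer']}")
        else:
            lines.append(f"IPV6_V6ONLY={int(flag)}: IPv4 client refused on port {r['port']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe())
```

On a stock Linux host this prints bindv6only = 0, an accepted IPv4 client for IPV6_V6ONLY=0 (peer ::ffff:127.0.0.1) and a refused one for IPV6_V6ONLY=1. A JVM started with -Djava.net.preferIPv4Stack=true would not open the AF_INET6 listener in the first place, which is why that switch is the only way to get a tcp (not tcp6) line for Tomcat, and why it is rarely what you want.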