Posted to users@tomcat.apache.org by Assaf Urieli <as...@gmail.com> on 2012/06/08 11:16:52 UTC

IP-based virtual hosting with useIPVHosts=true always goes to default host

Hi all,

I'm attempting to set up a multi-host system with a separate SSL
certificate per host.
According to the documentation, this is problematic using name-based
virtual hosting:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
"Finally, using name-based virtual hosts on a secured connection can be
problematic."

So, I'm trying to accomplish this via IP-based virtual hosting, using the
useIPVHosts="true" flag.
(Note: I've tried name-based virtual hosting with useIPVHosts="false", and
it doesn't work either)

I've gone through the full thread discussing this at:
http://mail-archives.apache.org/mod_mbox/tomcat-users/201005.mbox/%3C4BFB9C17.20302@cox.net%3E

However, I'm still not managing to access the domain2.com host via SSL (4th
connector on list below).

* Tomcat version: 6.0.24 (standalone)
* OS: Ubuntu 10.0.4LTS
* JVM: java 1.6.0_22 (Sun distribution)

I've setup my server.xml as follows:
<Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="1.2.3.4"
useIPVHosts="false"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

    <Connector port="8080" protocol="HTTP/1.1"  address="5.6.7.8"
useIPVHosts="false"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
address="1.2.3.4"
           keystoreFile="/home/tomcat6/.keystore1" keystorePass="xxxxxx"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
useIPVHosts="true" />

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
address="5.6.7.8"
           keystoreFile="/home/tomcat6/.keystore2" keystorePass="xxxxxx"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
useIPVHosts="true" />

    <Engine name="Catalina" defaultHost="localhost">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

        <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>1.2.3.4</Alias>
            <Alias>domain1.com</Alias>
            <Alias>www.domain1.com</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="/home/tomcat6/logs/domain1"
               prefix="domain1_access_log." suffix=".log" pattern="%A %h %l
%u %t '%r' %s %b" resolveHosts="false"/>
        </Host>

        <Host name="domain2.com"  appBase="/usr/share/domain2"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>5.6.7.8</Alias>
            <Alias>domain2.com</Alias>
            <Alias>www.domain2.com</Alias>
            <Context path="" docBase="."/>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
directory="/home/tomcat6/logs/domain2"
               prefix="domain2_access_log." suffix=".log" pattern="%A %h %l
%u %t '%r' %s %b" resolveHosts="false"/>
        </Host>
    </Engine>
</Service>

On the Ubuntu OS, I've configured my /etc/hosts file as follows:
127.0.0.1        localhost.localdomain  localhost
1.2.3.4    www.domain1.com domain1.com domain1
5.6.7.8    www.domain2.com domain2.com domain2

My DNS settings contain the following A records:
for domain1.com
[blank]   1.2.3.4
www      1.2.3.4

for domain2.com
[blank] 5.6.7.8
www    5.6.7.8

When I use HTTP (without SSL), it works fine, as it's using the name-based
virtual hosting.
When I use HTTPS (with SSL and useIPVHosts="true"), I'm always sent to the
default host.

When I look at the log files generated by the AccessLogValve, I'm always
getting IP address 1.2.3.4 for the Local IP address (%A), regardless of how
I access the websites on the browser - via HTTP or HTTPs, and via IP
address or domain name.
Even if I enter the IP address http://5.6.7.8 or https://5.6.7.8 in the
browser, the access logs list 1.2.3.4 as the local IP.

Any suggestions on how to troubleshoot?

Thanks in advance,
Assaf

Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Assaf Urieli <as...@gmail.com>.
Answering my own question to a certain extent:


> * When an HTTP/HTTPS request is made, when and how do
> request.getLocalName() and request.getLocalAddr() get filled in?

From v6.0.35 source code, org/apache/catalina/connector/CoyoteAdapter.java,
line 489:

        if (connector.getUseIPVHosts()) {
            serverName = req.localName();

When I dig deeper into the source code to where the request's local name is
getting set in the first place, it seems to be getting set from
socket.getLocalAddress(), on
org/apache/catalina/http11/Http11Processor.java, line 1063.

            if ((localName == null) && (socket != null)) {
                InetAddress inetAddr = socket.getLocalAddress();
                if (inetAddr != null) {
                    localName = inetAddr.getHostName();
                }
            }

So my question is now: why would socket.getLocalAddress() always return the
default interface, rather than resolving the domain/IP in the request
header to the correct interface?
As stated before, in my case, http://1.2.3.4 and http://5.6.7.8 are both
directed correctly to my web server, but they are always getting the
following settings:
* request.getLocalAddr():  the IP address from the primary interface in
/etc/network/interfaces = http://1.2.3.4
* request.getLocalName(): the name corresponding to the primary interface
IP from /etc/hosts = www.domain1.com
Is there any way to troubleshoot this?

Rgds,
Assaf
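As an added illustration (my own model, not Tomcat source), the following Python reproduces the path traced above: the socket's local address is reverse-resolved through /etc/hosts as Http11Processor does, and the resulting name is matched against the Host names and Aliases from the first post's server.xml, falling back to defaultHost. The kernel_destination step, PRIMARY_ADDR and the REDIRECT/DNAT labels are assumptions standing in for what the iptables rules in this thread do to the destination address before Tomcat ever sees it.

```python
"""Model of how a Tomcat 6 Connector with useIPVHosts="true" chooses a <Host>.

Constructed example, not Tomcat code. It follows the path traced in the post:
CoyoteAdapter sets serverName = req.localName(), which Http11Processor fills
from socket.getLocalAddress().getHostName(); the mapper then matches that
name against Host names and Aliases, falling back to the Engine defaultHost.
"""
import xml.etree.ElementTree as ET

# Constructed: the Engine/Host part of the server.xml from the first post.
SERVER_XML = """
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Alias>1.2.3.4</Alias>
    <Alias>domain1.com</Alias>
    <Alias>www.domain1.com</Alias>
  </Host>
  <Host name="domain2.com" appBase="/usr/share/domain2">
    <Alias>5.6.7.8</Alias>
    <Alias>domain2.com</Alias>
    <Alias>www.domain2.com</Alias>
  </Host>
</Engine>
"""

# Constructed: /etc/hosts as posted. For a reverse lookup the resolver returns
# the first name on the matching line, which is what getHostName() sees.
ETC_HOSTS = """
127.0.0.1  localhost.localdomain localhost
1.2.3.4    www.domain1.com domain1.com domain1
5.6.7.8    www.domain2.com domain2.com domain2
"""

# Assumption: eth0 carries 1.2.3.4 and the alias eth0:0 carries 5.6.7.8.
PRIMARY_ADDR = "1.2.3.4"


def parse_hosts_file(text):
    """Map address -> canonical host name (first name on the line)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            table[parts[0]] = parts[1]
    return table


def parse_engine(xml_text):
    """Return (defaultHost, {lower-cased name or alias -> Host name})."""
    engine = ET.fromstring(xml_text.strip())
    lookup = {}
    for host in engine.findall("Host"):
        name = host.get("name")
        lookup[name.lower()] = name
        for alias in host.findall("Alias"):
            lookup[alias.text.strip().lower()] = name
    return engine.get("defaultHost"), lookup


def kernel_destination(dst_ip, nat_rule):
    """Destination address the accepted socket ends up with.

    iptables REDIRECT rewrites the destination to the primary address of the
    incoming interface, so a connection to the alias 5.6.7.8 arrives on
    1.2.3.4; a DNAT to the same address and a new port keeps it.
    """
    return PRIMARY_ADDR if nat_rule == "REDIRECT" else dst_ip


def select_host(dst_ip, host_header, use_ipv_hosts, nat_rule,
                xml_text=SERVER_XML, hosts_text=ETC_HOSTS):
    """Name of the <Host> Tomcat maps the request to."""
    default_host, lookup = parse_engine(xml_text)
    local_addr = kernel_destination(dst_ip, nat_rule)
    if use_ipv_hosts:
        # IP-based virtual hosting ignores the Host header entirely.
        server_name = parse_hosts_file(hosts_text).get(local_addr, local_addr)
    else:
        # Name-based virtual hosting uses the Host header, which NAT leaves alone.
        server_name = host_header
    return lookup.get(server_name.lower(), default_host)


if __name__ == "__main__":
    for rule in ("REDIRECT", "DNAT"):
        for ipv in (True, False):
            print("%-8s useIPVHosts=%-5s -> %s" % (
                rule, ipv, select_host("5.6.7.8", "www.domain2.com", ipv, rule)))
```

Running it shows why plain HTTP (name-based) worked while HTTPS with useIPVHosts="true" always landed on the default host: only the IP-based path depends on the address the kernel hands to the socket.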

Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Assaf Urieli <as...@gmail.com>.
Thanks Mark & Konstantin for your replies.

I'm still having no luck here.
I've tried to apply all of Mark's suggestions to Ubuntu.
SAN certificates are not currently an option for me (because of pricing,
and also because the two domains do not officially belong to the same legal
entity).

My question is:
* When an HTTP/HTTPS request is made, when and how do
request.getLocalName() and request.getLocalAddr() get filled in?

Note that in my case, http://1.2.3.4 and http://5.6.7.8 are directed to the
correct server, but they are always getting the following settings:
* request.getLocalAddr():  the IP address from the primary interface in
/etc/network/interfaces
* request.getLocalName(): the name corresponding to the primary interface
IP from /etc/hosts

Rgds,
Assaf

PS, regarding Mark's info, I posted my /etc/network/interfaces file in a
previous post.
The only change I made now is that I removed the gateway from the second
interface (see updated file below).
All interfaces come up correctly, and I can ping both gateways.

My updated interfaces file below:
********************************
auto lo
iface lo inet loopback

auto eth0 eth0:0

iface eth0 inet static
 address 1.2.3.4
 netmask 255.255.255.0
 gateway 1.2.3.1
        pre-up iptables-restore < /etc/iptables.conf

iface eth0:0 inet static
 address 5.6.7.8
 netmask 255.255.255.0
        pre-up iptables-restore < /etc/iptables.conf
********************************

I've also updated server.xml to contain only 3 connectors.
Only one for HTTP (name-based virtual hosting) - no address, and
useIPVHosts = false:
<Connector port="8080" protocol="HTTP/1.1" useIPVHosts="false"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

And as before, for HTTPS for address 1.2.3.4:
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
address="1.2.3.4"
           keystoreFile="/home/tomcat6/.keystore1" keystorePass="xxxxxx"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
useIPVHosts="true" />

And one for HTTPS for address 5.6.7.8:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
address="5.6.7.8"
           keystoreFile="/home/tomcat6/.keystore2" keystorePass="xxxxxx"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
useIPVHosts="true" />


Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Mark Eggers <it...@yahoo.com>.
>________________________________
> From: Konstantin Kolinko <kn...@gmail.com>
>To: Tomcat Users List <us...@tomcat.apache.org> 
>Sent: Friday, June 8, 2012 3:02 AM
>Subject: Re: IP-based virtual hosting with useIPVHosts=true always goes to default host
> 
>2012/6/8 Assaf Urieli <as...@gmail.com>:
>> Hi all,
>>
>> I'm attempting to set up a multi-host system with a separate SSL
>> certificate per host.
>> According to the documentation, this is problematic using name-based
>> virtual hosting:
>> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
>> "Finally, using name-based virtual hosts on a secured connection can be
>> problematic."
>>
>> So, I'm trying to accomplish this via IP-based virtual hosting, using the
>> useIPVHosts="true" flag.
>> (Note: I've tried name-based virtual hosting with useIPVHosts="false", and
>> it doesn't work either)
>>
>> I've gone through the full thread discussing this at:
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/201005.mbox/%3C4BFB9C17.20302@cox.net%3E
>>
>> However, I'm still not managing to access the domain2.com host via SSL (4th
>> connector on list below).
>>
>> * Tomcat version: 6.0.24 (standalone)
>> * OS: Ubuntu 10.0.4LTS
>> * JVM: java 1.6.0_22 (Sun distribution)
>>
>> I've setup my server.xml as follows:
>> <Service name="Catalina">
>>    <Connector port="8080" protocol="HTTP/1.1" address="1.2.3.4"
>> useIPVHosts="false"
>>               connectionTimeout="20000"
>>               URIEncoding="UTF-8"
>>               redirectPort="8443" />
>>
>>    <Connector port="8080" protocol="HTTP/1.1"  address="5.6.7.8"
>> useIPVHosts="false"
>>               connectionTimeout="20000"
>>               URIEncoding="UTF-8"
>>               redirectPort="8443" />
>>
>>    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> address="1.2.3.4"
>>           keystoreFile="/home/tomcat6/.keystore1" keystorePass="xxxxxx"
>>           maxThreads="150" scheme="https" secure="true"
>>           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
>> useIPVHosts="true" />
>>
>>    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> address="5.6.7.8"
>>           keystoreFile="/home/tomcat6/.keystore2" keystorePass="xxxxxx"
>>           maxThreads="150" scheme="https" secure="true"
>>           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
>> useIPVHosts="true" />
>>
>>    <Engine name="Catalina" defaultHost="localhost">
>>        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>             resourceName="UserDatabase"/>
>>
>>        <Host name="localhost"  appBase="webapps"
>>            unpackWARs="true" autoDeploy="true"
>>            xmlValidation="false" xmlNamespaceAware="false">
>>            <Alias>1.2.3.4</Alias>
>>            <Alias>domain1.com</Alias>
>>            <Alias>www.domain1.com</Alias>
>>            <Valve className="org.apache.catalina.valves.AccessLogValve"
>> directory="/home/tomcat6/logs/domain1"
>>               prefix="domain1_access_log." suffix=".log" pattern="%A %h %l
>> %u %t '%r' %s %b" resolveHosts="false"/>
>>        </Host>
>>
>>        <Host name="domain2.com"  appBase="/usr/share/domain2"
>>            unpackWARs="true" autoDeploy="true"
>>            xmlValidation="false" xmlNamespaceAware="false">
>>            <Alias>5.6.7.8</Alias>
>>            <Alias>domain2.com</Alias>
>>            <Alias>www.domain2.com</Alias>
>>            <Context path="" docBase="."/>
>>            <Valve className="org.apache.catalina.valves.AccessLogValve"
>> directory="/home/tomcat6/logs/domain2"
>>               prefix="domain2_access_log." suffix=".log" pattern="%A %h %l
>> %u %t '%r' %s %b" resolveHosts="false"/>
>>        </Host>
>>    </Engine>
>> </Service>
>>
>> (...)
>>
>> When I look at the log files generated by the AccessLogValve, I'm always
>> getting IP address 1.2.3.4 for the Local IP address (%A), regardless of how
>> I access the websites on the browser - via HTTP or HTTPs, and via IP
>> address or domain name.
>>
>
>Looking at the code, the value used for host name in IP-based virtual
>hosts is ServletRequest.getLocalName(). It is not getLocalAddr() and
>there is no pattern in AccessLogValve that prints it. You can write
>simple JSP page that will display its value.
>
>Quote:
>[[[
>        if (connector.getUseIPVHosts()) {
>            serverName = req.localName();
>]]]
>
>>
>> Even if I enter the IP address http://5.6.7.8 or https://5.6.7.8 in the
>> browser, the access logs list 1.2.3.4 as the local IP.
>>
>
>This is odd.
>
>How 5.6.7.8 is configured at OS level? Do you have separate network
>card for it or it is something else?

+1

I don't quite know how this works in Ubuntu, but you can set this up with RedHat releases using one card. It's called a virtual interface, and I've tested it on both Fedora and CentOS.

There are several OS-related things you have to do.

1. Primary interface must be taken out of NetworkManager's control

NetworkManager doesn't seem to handle virtual interfaces very well.

2. Primary interface must be static.

This won't work if the primary interface is configured via DHCP.

In /etc/sysconfig/network-scripts (on RedHat-related releases - who knows on Ubuntu):

1. Edit your primary interface (probably ifcfg-eth0) to look like the following


DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
# your hardware address
HWADDR=xx:xx:xx:xx:xx:xx
TYPE=Ethernet
# your network mask
NETMASK=255.255.255.0
# your IP address
IPADDR=192.168.6.yyy
# your gateway
GATEWAY=192.168.6.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
NM_CONTROLLED=no

2. Create a new file and call it ifcfg-eth0:0

Basically, take whatever your primary interface is, and add :0 to it.

The contents of that file would then be:
# yes - the :0 is here
DEVICE=eth0:0
BOOTPROTO=static
ONPARENT=yes
TYPE=Ethernet
# your network mask
NETMASK=255.255.255.0
# your IP address - different than above
IPADDR=192.168.6.zzz
# your gateway
GATEWAY=192.168.6.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
NM_CONTROLLED=no

Some things to note. Since you are using the same physical interface for both addresses, they should be on the same subnet unless you're using VLANs. If you are, then things get a bit more complicated (routes, 802.1Q memberships, etc.)

If you want to add a third interface (second virtual interface), create another file with :1 ending.

Now that the interfaces are defined, you should be able to do as root:

service network restart

and see all of the interfaces come up (if you have things configured correctly).

Finally, add the new addresses and host names to /etc/hosts, and bind Tomcat to multiple IP addresses by using multiple connectors in server.xml (as you have done).

Hopefully this will get you running.

A completely different solution involving named virtual hosts and SAN certificates in Apache HTTPD is also possible. I use this second approach in production and it seems to work well. I actually use a mix of named virtual hosts with a SAN certificate and IP virtual hosts with a separate certificate all running out of one Apache HTTPD and then connected to multiple Tomcats via mod_jk . . .

Yes, it's a rat's nest, but a well-documented rat's nest.

. . . . just my two cents.
/mde/

>
>Your connector with address="5.6.7.8" - did it start successfully and
>did bind to the specified address? Tomcat itself will continue
>starting even if one of its connectors fails. (There is a system
>property that changes this behaviour of ignoring an error, though I do
>not remember whether it works in 6.0.24).
>
>Best regards,
>Konstantin Kolinko
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Assaf,

On 6/15/12 6:33 AM, Assaf Urieli wrote:
> So, the addresses to test are:
> http://www.joli-ciel.com/test.jsp
> http://www.moyshele.com/test.jsp
> http://178.79.152.69/test.jsp
> http://176.58.107.88/test.jsp
> 
> And exactly the same four, but with HTTPS:
> https://www.joli-ciel.com/test.jsp
> https://www.moyshele.com/test.jsp
> https://178.79.152.69/test.jsp
> https://176.58.107.88/test.jsp
> 
> Now, every single one of these gives the exact same values for
> request.getLocalName() and request.getLocalAddr().
> request.getLocalName(): www.joli-ciel.com
> request.getLocalAddr(): 178.79.152.69
> And this is why, even when useIPVHosts=true, I always get the HTTPS
> Connector corresponding to 178.79.152.69, which gives the wrong SSL
> certificate for https://www.moyshele.com
> 
> Note (in case it's relevant) that /etc/iptables.conf is mapping
> port 8080 to port 80 and port 8443 to port 443 - relevant portions
> below:
> ************************************************
> *nat
> :PREROUTING ACCEPT [11:3512]
> :POSTROUTING ACCEPT [13:844]
> :OUTPUT ACCEPT [13:844]
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> ************************************************

You are routing *all* traffic destined to 8080/8443->80/443 without
regard for the incoming interface. I'm not sure what iptables does
with that -- it's possible that you are re-routing everything to the
same interface which is why all your addresses look the same.

-chris



Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by André Warnier <aw...@ice-sa.com>.
Assaf Urieli wrote:
...
> 
> My /etc/hosts file:
> ************************************************
> 178.79.152.69    www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com
> www.aplikaterm.com joli-ciel.com  bilbo

Just following this thread and learning, but

note that an Internet reverse-DNS lookup on the IP address above does not return the same 
name.  It may be irrelevant now, but at some point with HTTPS it could become relevant.





Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Assaf,

On 6/18/12 4:46 AM, Assaf Urieli wrote:
> Hi all,
> 
> I solved this issue following a parallel discussion on another
> forum: http://forum.linode.com/viewtopic.php?f=19&t=8991
> 
> Basically, I had IPTables firewall rules rerouting port 443 traffic
> to port 8443, and port 80 traffic to port 8080. This is because the
> tomcat6 user cannot access ports < 1024 (only root can). However,
> this rerouting was always rerouting to my default IP.

Aah, too late. I just made that comment elsewhere in this thread.
Sorry I didn't get back to you sooner.

Note that you can use jsvc to get Tomcat to bind to ports <1024, and
it also lets you rotate catalina.out if you need to.

-chris



Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Assaf Urieli <as...@gmail.com>.
Hi all,

I solved this issue following a parallel discussion on another forum:
http://forum.linode.com/viewtopic.php?f=19&t=8991

Basically, I had IPTables firewall rules rerouting port 443 traffic to port
8443, and port 80 traffic to port 8080.
This is because the tomcat6 user cannot access ports < 1024 (only root can).
However, this rerouting was always rerouting to my default IP.

To solve this, I changed my iptables.conf file from:
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

to:
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 443 -j DNAT
--to-destination 178.79.152.69:8443
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 443 -j DNAT
--to-destination 176.58.107.88:8443
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 80 -j DNAT
--to-destination 178.79.152.69:8080
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 80 -j DNAT
--to-destination 176.58.107.88:8080
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 443 -j REDIRECT
--to-ports 8443
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 443 -j REDIRECT
--to-ports 8443
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 80 -j REDIRECT
--to-ports 8080
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 80 -j REDIRECT
--to-ports 8080


> ---- Comment ----
>
> And here's your first problem. You need to specifically state
> NM_CONTROLLED=no.
>
> Also, you need to add ONPARENT=yes to the eth0:0 interface file.
>
> I've included copies of the interface files in a previous message
>
> ---- Comment ----
>

Mark - unfortunately the NM_CONTROLLED and ONPARENT options don't exist in
Ubuntu, but I've solved this by rewriting my IPTables rules (see above).
Thanks for your suggestions & time taken to answer in detail.

Anyway, I've now got each of my websites serving its own SSL certificate
correctly.
When you go to:
https://www.moyshele.com/test.jsp
https://www.joli-ciel.com/test.jsp
You can see that the local IP and local name are now correct.

Thanks all for your help!
Best regards,
Assaf
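The rule change above is the fix; as an added check that is not part of the thread, this Python audits the *nat section of an iptables-save dump for the same mistake: a PREROUTING REDIRECT rewrites the destination to the incoming interface's primary address, whereas a DNAT whose --to-destination keeps the matched --dst address preserves it. BEFORE and AFTER are the rule sets posted in this thread (the PREROUTING part, joined onto single lines); CONNECTOR_ADDRS and PORT_MAP are assumptions about what the Tomcat connectors expect.

```python
"""Audit the *nat table of an iptables-save dump for the port-forwarding bug
seen in this thread. Constructed example, not part of the thread: a PREROUTING
rule that uses REDIRECT rewrites the destination to the incoming interface's
primary address, so every aliased address lands on the first Connector; a
DNAT whose --to-destination keeps the matched --dst address does not.
"""

# Constructed samples: the original rules and the corrected PREROUTING rules
# as posted (the corrected lines are joined where the mail wrapped them).
BEFORE = """\
*nat
:PREROUTING ACCEPT [11:3512]
:POSTROUTING ACCEPT [13:844]
:OUTPUT ACCEPT [13:844]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
"""

AFTER = """\
*nat
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 443 -j DNAT --to-destination 178.79.152.69:8443
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 443 -j DNAT --to-destination 176.58.107.88:8443
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 80 -j DNAT --to-destination 178.79.152.69:8080
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 80 -j DNAT --to-destination 176.58.107.88:8080
COMMIT
"""

# Assumptions: every address a Tomcat Connector binds to, and which public
# port must land on which Connector port.
CONNECTOR_ADDRS = ["178.79.152.69", "176.58.107.88"]
PORT_MAP = {80: 8080, 443: 8443}


def parse_rule(line):
    """Parse one '-A ...' line of iptables-save into the options the audit needs."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "dst": None, "dport": None, "target": None, "to": None}
    i = 2
    while i + 1 < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt in ("-d", "--dst", "--destination"):
            rule["dst"] = val.split("/")[0]
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        elif opt in ("--to-ports", "--to-destination", "--to"):
            rule["to"] = val
        else:
            i += 1          # not an option we track: advance one token only
            continue
        i += 2
    return rule


def audit_nat(dump, connector_addrs=CONNECTOR_ADDRS, port_map=PORT_MAP):
    """Return findings (strings); an empty list means inbound NAT preserves addresses."""
    findings = []
    forwarded = set()    # (destination address, public port) pairs handled correctly
    for rule in filter(None, map(parse_rule, dump.splitlines())):
        if rule["chain"] != "PREROUTING" or rule["dport"] not in port_map:
            continue
        if rule["target"] == "REDIRECT":
            findings.append("PREROUTING dport %d uses REDIRECT: destination becomes the "
                            "interface's primary address" % rule["dport"])
        elif rule["target"] == "DNAT" and rule["dst"] and rule["to"]:
            to_ip, _, to_port = rule["to"].rpartition(":")
            if to_ip == rule["dst"] and to_port == str(port_map[rule["dport"]]):
                forwarded.add((rule["dst"], rule["dport"]))
            else:
                findings.append("PREROUTING dport %d for %s DNATs to %s instead of %s:%d"
                                % (rule["dport"], rule["dst"], rule["to"],
                                   rule["dst"], port_map[rule["dport"]]))
    for addr in connector_addrs:
        for public_port, tomcat_port in port_map.items():
            if (addr, public_port) not in forwarded:
                findings.append("no address-preserving DNAT for %s:%d -> %s:%d"
                                % (addr, public_port, addr, tomcat_port))
    return findings


if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        result = audit_nat(dump)
        print("%s: %d finding(s)" % (label, len(result)))
        for finding in result:
            print("  -", finding)
```

Feed it `iptables-save -t nat` output together with the addresses from server.xml to confirm that every Connector address has its own destination-preserving rule.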

Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Mark Eggers <it...@yahoo.com>.
Comments are embedded below with:

---- Comment ----
some stuff
---- Comment ---- 


----- Original Message -----

> From: Assaf Urieli <as...@gmail.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: 
> Sent: Friday, June 15, 2012 3:33 AM
> Subject: Re: IP-based virtual hosting with useIPVHosts=true always goes to default host
> 
> Hi Chris,
> 
>> 
>>  On 6/8/12 11:12 AM, Assaf Urieli wrote:
>>  > Ok, this is strange. I created a test.jsp page that prints
>>  > request.getLocalName(), request.getServerName(), and
>>  > request.getLocalAddr(). I tried various scenarios in the browser:
>>  > http://domain1.com, http://www.domain1.com, http://1.2.3.4,
>>  > http://domain2.com, http://www.domain2.com, http://5.6.7.8, as well
>>  > as all of the above with https.
>> 
>>  What /real/ URLs are you using to hit your server? I dont see a port
>>  number anywhere.
>> 
> 
> Sorry, I was trying to keep it generic up to now to see if I was simply
> doing something stupid, but I'll go ahead and publish my real domains/IPs.
>

---- Comment ---- 
First of all, my environment:

Fedora 15 (have to upgrade soon - EOL is at the end of this month)
JDK/JRE 1.6.0_32
Tomcat 6.0.35
Firewall off for this exercise

As I've written up previously, in order to have multiple IP addresses on a single interface with Linux, you need to create a second (third, fourth, etc.) file with the name ifcfg-eth0:n, where "n" starts at 0. This is assuming that your primary interface is eth0. The files will be found in /etc/sysconfig/network-scripts.

You MUST set NM_CONTROLLED=no in each interface file, otherwise the virtual interface will not come up.

In your /etc/hosts file, you need to have an entry for each interface. Mine looks like:

192.168.0.254 phoenix phoenix.mdeggers.org
192.168.0.253 phobos phobos.mdeggers.org

In order to access this from another machine (Windows 7), I've placed the entries in that machine's host file.

---- Comment ----  

> So, my test page code is:
> <p>Java Version:<%= System.getProperty( "java.version" ) %>
> <p>Local name:<%= request.getLocalName() %>
> <p>Server name:<%= request.getServerName() %>
> <p>Local IP:<%= request.getLocalAddr() %>
> 

---- Comment ----  


My code is similar, except I put it in a list. I created a simple web application called WhoAmI and dropped the WAR file into my environment. More on what my Tomcat configuration looks like below.

On my second host (phobos.mdeggers.org), I also have a small verification application running as ROOT. This just lets me know that a Tomcat virtual host is set up properly and working.

---- Comment ----  


> So, the addresses to test are:
> http://www.joli-ciel.com/test.jsp
> http://www.moyshele.com/test.jsp
> http://178.79.152.69/test.jsp
> http://176.58.107.88/test.jsp
> 
> And exactly the same four, but with HTTPS:
> https://www.joli-ciel.com/test.jsp
> https://www.moyshele.com/test.jsp
> https://178.79.152.69/test.jsp
> https://176.58.107.88/test.jsp
> 
> Now, every single one of these gives the exact same values for
> request.getLocalName() and request.getLocalAddr().
> request.getLocalName(): www.joli-ciel.com
> request.getLocalAddr(): 178.79.152.69
> And this is why, even when useIPVHosts=true, I always get the HTTPS
> Connector corresponding to 178.79.152.69, which gives the wrong SSL
> certificate for https://www.moyshele.com

---- Comment ----  

When I run the tests from a remote host using HTTP (didn't set up HTTPS), I get the expected results. 

Going to phoenix.mdeggers.org:8080/WhoAmI/ produces the following:

Java version: 1.6.0_32
Local name: phoenix.mdeggers.org
Local IP: 192.168.0.254
Server name: phoenix.mdeggers.org

Going to phobos.mdeggers.org:8080/WhoAmI/ produces the following:

Java version: 1.6.0_32
Local name: phobos.mdeggers.org
Local IP: 192.168.0.253
Server name: phobos.mdeggers.org

---- Comment ----   


> 

> For info, my /etc/network/interfaces file:
> ************************************************
> auto lo
> iface lo inet loopback
> 
> auto eth0 eth0:0
> 
> iface eth0 inet static
> address 178.79.152.69
> netmask 255.255.255.0
> gateway 178.79.152.1
>         pre-up iptables-restore < /etc/iptables.conf
> 
> iface eth0:0 inet static
> address 176.58.107.88
> netmask 255.255.255.0
>         pre-up iptables-restore < /etc/iptables.conf
> ************************************************
> 

---- Comment ----   

And here's your first problem. You need to specifically state NM_CONTROLLED=no.

Also, you need to add ONPARENT=yes to the eth0:0 interface file.

I've included copies of the interface files in a previous message

---- Comment ----


> Note (in case it's relevant) that /etc/iptables.conf is mapping port 8080
> to port 80 and port 8443 to port 443  - relevant portions below:
> ************************************************
> *nat
> :PREROUTING ACCEPT [11:3512]
> :POSTROUTING ACCEPT [13:844]
> :OUTPUT ACCEPT [13:844]
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> ************************************************
> 
> My /etc/hosts file:
> ************************************************
> 127.0.0.1        localhost.localdomain  localhost
> 178.79.152.69    www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com
> www.aplikaterm.com joli-ciel.com  bilbo
> 176.58.107.88    www.moyshele.com www.flyingpencil.com moyshele.com
> flyingpencil.com moyshele
> 
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> ************************************************
> 
> The relevant portions of my server.xml file:
> ************************************************
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                URIEncoding="UTF-8"
>                redirectPort="8443" />
> 

---- Comment ----   

So you're listening everywhere on port 8080? I'm not sure how this will work. I suspect that you have a default interface and everything will come through that. Given that you're having problems, could you add two HTTP connectors, one listening on each interface? For example, my portion of the server.xml file looks like this:

<Connector port="8080" protocol="HTTP/1.1"
           address="192.168.0.254"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" /> 

<Connector port="8080" protocol="HTTP/1.1"
           address="192.168.0.253"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" /> 

---- Comment ----

>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                address="178.79.152.69"
>                keystoreFile="/home/tomcat6/.keystore1" keystorePass="********"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
> 
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                address="176.58.107.88"
>                keystoreFile="/home/tomcat6/.keystore2" keystorePass="********"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
> 
>     <Engine name="Catalina" defaultHost="localhost">
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>             <Alias>178.79.152.69</Alias>
>             <Alias>aplikaterm.com</Alias>
>             <Alias>www.aplikaterm.com</Alias>
>             <Alias>joli-ciel.com</Alias>
>             <Alias>www.joli-ciel.com</Alias>
> 
>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>                directory="/home/tomcat6/logs/joliciel"
>                prefix="joliciel_access_log." suffix=".log"
>                pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>       </Host>
>         <Host name="moyshele.com"  appBase="/usr/share/moyshele"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>             <Alias>176.58.107.88</Alias>
>             <Alias>moyshele.com</Alias>
>             <Alias>www.moyshele.com</Alias>
>             <Context path="" docBase="."/>
>             <Valve className="org.apache.catalina.valves.AccessLogValve"
>                    directory="/home/tomcat6/logs/moyshele"
>                    prefix="moyshele_access_log." suffix=".log"
>                    pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>         </Host>
>     </Engine>
>   </Service>
> ************************************************

---- Comment ----


My Host elements are a bit cleaner. I suggest that you make yours a bit cleaner until you get things worked out. Here are mine:

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>phoenix.mdeggers.org</Alias>
            <Alias>192.168.0.254</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"
                   prefix="phoenix_access."
                   suffix=".log"
                   pattern="common"
                   resolveHosts="false"/>
      </Host>

      <!-- not a good place for a virtual host webapps directory -->
      <Host name="phobos" appBase="phobos/webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>phobos.mdeggers.org</Alias>
            <Alias>192.168.0.253</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"  
                   prefix="phobos_access."
                   suffix=".log"
                   pattern="common"
                   resolveHosts="false"/>
      </Host>

---- Comment ---- 

> 
> By the way, if I run netstat (with or without useIPVHosts=true), I get:
> ************************************************
> sudo netstat -ntlp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address
> State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*
> LISTEN      1967/sshd
> tcp        0      0 127.0.0.1:5432          0.0.0.0:*
> LISTEN      2082/postgres
> tcp6       0      0 127.0.0.1:8005          :::*
> LISTEN      16815/java
> tcp6       0      0 :::8080                 :::*
> LISTEN      16815/java
> tcp6       0      0 :::22                   :::*
> LISTEN      1967/sshd
> tcp6       0      0 176.58.107.88:8443      :::*
> LISTEN      16815/java
> tcp6       0      0 178.79.152.69:8443      :::*
> LISTEN      16815/java
> ************************************************
> 

---- Comment ---- 


My netstat, grepping for 8080:

netstat -an | grep 8080
tcp    0      0 192.168.0.253:8080      0.0.0.0:*           LISTEN
tcp    0      0 192.168.0.254:8080      0.0.0.0:*           LISTEN

In short, this works as expected. I suspect that SSL would work the same way.

I didn't set up SSL, since I normally terminate SSL on a front end Apache HTTPD server. I have multiple named virtual hosts (with a SAN certificate) as well as some IP virtual hosts with virtual interfaces and separate certificates. From a configuration standpoint, it's a bit ugly (although includes and directories help with the organization). From an operational standpoint, it all works as expected.

---- Comment ----  


. . . . just my two cents.
/mde/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Assaf Urieli <as...@gmail.com>.
Hi Chris,

>
> On 6/8/12 11:12 AM, Assaf Urieli wrote:
> > Ok, this is strange. I created a test.jsp page that prints
> > request.getLocalName(), request.getServerName(), and
> > request.getLocalAddr(). I tried various scenarios in the browser:
> > http://domain1.com, http://www.domain1.com, http://1.2.3.4,
> > http://domain2.com, http://www.domain2.com, http://5.6.7.8, as well
> > as all of the above with https.
>
> What /real/ URLs are you using to hit your server? I don't see a port
> number anywhere.
>

Sorry, I was trying to keep it generic up to now to see if I was simply
doing something stupid, but I'll go ahead and publish my real domains/IPs.

So, my test page code is:
<p>Java Version:<%= System.getProperty( "java.version" ) %>
<p>Local name:<%= request.getLocalName() %>
<p>Server name:<%= request.getServerName() %>
<p>Local IP:<%= request.getLocalAddr() %>

So, the addresses to test are:
http://www.joli-ciel.com/test.jsp
http://www.moyshele.com/test.jsp
http://178.79.152.69/test.jsp
http://176.58.107.88/test.jsp

And exactly the same four, but with HTTPS:
https://www.joli-ciel.com/test.jsp
https://www.moyshele.com/test.jsp
https://178.79.152.69/test.jsp
https://176.58.107.88/test.jsp

Now, every single one of these gives the exact same values for
request.getLocalName() and request.getLocalAddr():
request.getLocalName(): www.joli-ciel.com
request.getLocalAddr(): 178.79.152.69
And this is why, even when useIPVHosts=true, I always get the HTTPS
Connector corresponding to 178.79.152.69, which gives the wrong SSL
certificate for https://www.moyshele.com.

For info, my /etc/network/interfaces file:
************************************************
auto lo
iface lo inet loopback

auto eth0 eth0:0

iface eth0 inet static
 address 178.79.152.69
 netmask 255.255.255.0
 gateway 178.79.152.1
        pre-up iptables-restore < /etc/iptables.conf

iface eth0:0 inet static
 address 176.58.107.88
 netmask 255.255.255.0
        pre-up iptables-restore < /etc/iptables.conf
************************************************

Note (in case it's relevant) that /etc/iptables.conf is mapping port 8080
to port 80 and port 8443 to port 443 - relevant portions below:
************************************************
*nat
:PREROUTING ACCEPT [11:3512]
:POSTROUTING ACCEPT [13:844]
:OUTPUT ACCEPT [13:844]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
************************************************

My /etc/hosts file:
************************************************
127.0.0.1        localhost.localdomain  localhost
178.79.152.69    www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com www.aplikaterm.com joli-ciel.com bilbo
176.58.107.88    www.moyshele.com www.flyingpencil.com moyshele.com flyingpencil.com moyshele

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
************************************************

The relevant portions of my server.xml file:
************************************************
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="178.79.152.69"
           keystoreFile="/home/tomcat6/.keystore1" keystorePass="********"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="176.58.107.88"
           keystoreFile="/home/tomcat6/.keystore2" keystorePass="********"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />

    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>178.79.152.69</Alias>
            <Alias>aplikaterm.com</Alias>
            <Alias>www.aplikaterm.com</Alias>
            <Alias>joli-ciel.com</Alias>
            <Alias>www.joli-ciel.com</Alias>

            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="/home/tomcat6/logs/joliciel"
                   prefix="joliciel_access_log." suffix=".log"
                   pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
      </Host>
        <Host name="moyshele.com"  appBase="/usr/share/moyshele"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>176.58.107.88</Alias>
            <Alias>moyshele.com</Alias>
            <Alias>www.moyshele.com</Alias>
            <Context path="" docBase="."/>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="/home/tomcat6/logs/moyshele"
                   prefix="moyshele_access_log." suffix=".log"
                   pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
        </Host>
    </Engine>
  </Service>
************************************************

By the way, if I run netstat (with or without useIPVHosts=true), I get:
************************************************
sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address
State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*
LISTEN      1967/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*
LISTEN      2082/postgres
tcp6       0      0 127.0.0.1:8005          :::*
LISTEN      16815/java
tcp6       0      0 :::8080                 :::*
LISTEN      16815/java
tcp6       0      0 :::22                   :::*
LISTEN      1967/sshd
tcp6       0      0 176.58.107.88:8443      :::*
LISTEN      16815/java
tcp6       0      0 178.79.152.69:8443      :::*
LISTEN      16815/java
************************************************

Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Assaf,

On 6/8/12 11:12 AM, Assaf Urieli wrote:
> Ok, this is strange. I created a test.jsp page that prints 
> request.getLocalName(), request.getServerName(), and
> request.getLocalAddr(). I tried various scenarios in the browser:
> http://domain1.com, http://www.domain1.com, http://1.2.3.4,
> http://domain2.com, http://www.domain2.com, http://5.6.7.8, as well
> as all of the above with https.

What /real/ URLs are you using to hit your server? I don't see a port
number anywhere.

- -chris



Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Assaf Urieli <as...@gmail.com>.
Hello,


> Looking at the code, the value used for host name in IP-based virtual
> hosts is ServletRequest.getLocalName(). It is not getLocalAddr() and
> there is no pattern in AccessLogValve that prints it. You can write a
> simple JSP page that will display its value.
>

Ok, this is strange. I created a test.jsp page that prints
request.getLocalName(), request.getServerName(), and request.getLocalAddr().
I tried various scenarios in the browser: http://domain1.com,
http://www.domain1.com, http://1.2.3.4, http://domain2.com,
http://www.domain2.com, http://5.6.7.8, as well as all of the above with
https.
The only parameter that changes in all these scenarios is
request.getServerName().
request.getLocalName() = www.domain1.com (always!)
request.getLocalAddr() = 1.2.3.4 (always!)
request.getServerName() = domain1.com, www.domain1.com, 1.2.3.4, domain2.com,
www.domain2.com, 5.6.7.8


> Quote:
> [[[
>        if (connector.getUseIPVHosts()) {
>            serverName = req.localName();
> ]]]
>
Which explains why useIPVHosts changes nothing for me -
request.getLocalName() is always giving the same result.
What is it that sets request.getLocalName() in the first place? In what
scenario would the name be different?


> >
> > Even if I enter the IP address http://5.6.7.8 or https://5.6.7.8 in the
> > browser, the access logs list 1.2.3.4 as the local IP.
> >
>
> This is odd.
>
> How is 5.6.7.8 configured at the OS level? Do you have a separate network
> card for it, or is it something else?
>

My /etc/network/interfaces file looks like this:
# The loopback interface
auto lo
iface lo inet loopback

# Configuration for eth0 and aliases

# This line ensures that the interface will be brought up during boot.
auto eth0 eth0:0
#iface eth0 inet dhcp

# eth0 - This is the main IP address that will be used for most outbound connections.
# The address, netmask and gateway are all necessary
iface eth0 inet static
 address 1.2.3.4
 netmask 255.255.255.0
 gateway 1.2.3.1
        pre-up iptables-restore < /etc/iptables.conf

# eth0:0
# This is a second public IP address.
iface eth0:0 inet static
 address 5.6.7.8
 netmask 255.255.255.0
 gateway 5.6.7.1
        pre-up iptables-restore < /etc/iptables.conf

>
> Your connector with address="5.6.7.8" - did it start successfully and
> did it bind to the specified address? Tomcat itself will continue
> starting even if one of its connectors fails. (There is a system
> property that changes this behaviour of ignoring an error, though I do
> not remember whether it works in 6.0.24).
>

How does one find out if a connector starts successfully and binds at a
specific address? Is there a log somewhere for this information? Nothing
obvious was written to the catalina.yyyy-MM-dd.log indicating failure.

>
> Best regards,
> Konstantin Kolinko
>
Best regards,
Assaf
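As an added example, not code from the thread, a POSIX sh check that answers the binding question above from netstat output and, for the nat rules quoted earlier in the thread, emits the per-address DNAT rules that keep the original destination IP. The sample netstat and iptables lines are constructed from the output posted in this thread (with the wrapped LISTEN column re-joined), and the function names check_binding and redirect_warnings are my own; the DNAT suggestion rests on the iptables manual's statement that REDIRECT rewrites the destination to the primary address of the incoming interface, which the thread itself does not discuss.

```shell
#!/bin/sh
# Added example: verify which address:port pairs Tomcat actually bound, and
# translate REDIRECT rules into per-address DNAT rules. Not the thread's code.

# Constructed sample: the `netstat -ntlp` output quoted in this thread, with the
# "LISTEN  PID/Program" column re-joined onto each line.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1967/sshd
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      16815/java
tcp6       0      0 :::8080                 :::*                    LISTEN      16815/java
tcp6       0      0 176.58.107.88:8443      :::*                    LISTEN      16815/java
tcp6       0      0 178.79.152.69:8443      :::*                    LISTEN      16815/java'

# Constructed sample: the nat rules quoted in this thread.
NAT_SAMPLE='-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'

# check_binding ADDR PORT NETSTAT_TEXT
# Prints "bound" when a listener exists for exactly ADDR:PORT (a Connector with
# address="ADDR" started and bound), "wildcard" when only an all-interfaces
# listener (0.0.0.0 or ::) covers the port, and "missing" otherwise.
check_binding() {
    addr=$1; port=$2; text=$3
    if printf '%s\n' "$text" | awk -v want="$addr:$port" \
        '$4 == want { found = 1 } END { exit found ? 0 : 1 }'; then
        echo bound
    elif printf '%s\n' "$text" | awk -v p=":$port" \
        '($4 == "0.0.0.0" p || $4 == "::" p) { found = 1 } END { exit found ? 0 : 1 }'; then
        echo wildcard
    else
        echo missing
    fi
}

# redirect_warnings NAT_TEXT ADDR...
# For each "-j REDIRECT --to-ports" rule, print one DNAT rule per ADDR that
# forwards the same port while preserving the destination IP, so that each
# per-IP Connector still receives the connections meant for its own address.
redirect_warnings() {
    text=$1; shift
    printf '%s\n' "$text" | while read -r line; do
        case $line in
            *"-j REDIRECT --to-ports "*) ;;
            *) continue ;;
        esac
        dport=${line#*"--dport "}; dport=${dport%% *}
        toport=${line##*"--to-ports "}; toport=${toport%% *}
        for ip in "$@"; do
            echo "-A PREROUTING -d $ip -p tcp --dport $dport -j DNAT --to-destination $ip:$toport"
        done
    done
}

main() {
    # Expected listeners for the four Connectors the thread's server.xml aims at.
    for ap in 178.79.152.69:8080 176.58.107.88:8080 178.79.152.69:8443 176.58.107.88:8443; do
        echo "$ap -> $(check_binding "${ap%:*}" "${ap#*:}" "$NETSTAT_SAMPLE")"
    done
    echo "Per-address replacements for the REDIRECT rules:"
    redirect_warnings "$NAT_SAMPLE" 178.79.152.69 176.58.107.88
}
main
```

Against the quoted output the 8443 listeners report "bound" for both addresses while 8080 reports "wildcard", which is what the single address-less HTTP Connector produces. Run the same functions on live `netstat -ntlp` and `iptables-save -t nat` output to check a real host.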

Re: IP-based virtual hosting with useIPVHosts=true always goes to default host

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/6/8 Assaf Urieli <as...@gmail.com>:
> Hi all,
>
> I'm attempting to set up a multi-host system with a separate SSL
> certificate per host.
> According to the documentation, this is problematic using name-based
> virtual hosting:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
> "Finally, using name-based virtual hosts on a secured connection can be
> problematic."
>
> So, I'm trying to accomplish this via IP-based virtual hosting, using the
> useIPVHosts="true" flag.
> (Note: I've tried name-based virtual hosting with useIPVHosts="false", and
> it doesn't work either)
>
> I've gone through the full thread discussing this at:
> http://mail-archives.apache.org/mod_mbox/tomcat-users/201005.mbox/%3C4BFB9C17.20302@cox.net%3E
>
> However, I'm still not managing to access the domain2.com host via SSL (4th
> connector on list below).
>
> * Tomcat version: 6.0.24 (standalone)
> * OS: Ubuntu 10.0.4LTS
> * JVM: java 1.6.0_22 (Sun distribution)
>
> I've setup my server.xml as follows:
> <Service name="Catalina">
>    <Connector port="8080" protocol="HTTP/1.1" address="1.2.3.4"
> useIPVHosts="false"
>               connectionTimeout="20000"
>               URIEncoding="UTF-8"
>               redirectPort="8443" />
>
>    <Connector port="8080" protocol="HTTP/1.1"  address="5.6.7.8"
> useIPVHosts="false"
>               connectionTimeout="20000"
>               URIEncoding="UTF-8"
>               redirectPort="8443" />
>
>    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> address="1.2.3.4"
>           keystoreFile="/home/tomcat6/.keystore1" keystorePass="xxxxxx"
>           maxThreads="150" scheme="https" secure="true"
>           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
> useIPVHosts="true" />
>
>    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> address="5.6.7.8"
>           keystoreFile="/home/tomcat6/.keystore2" keystorePass="xxxxxx"
>           maxThreads="150" scheme="https" secure="true"
>           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
> useIPVHosts="true" />
>
>    <Engine name="Catalina" defaultHost="localhost">
>        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>             resourceName="UserDatabase"/>
>
>        <Host name="localhost"  appBase="webapps"
>            unpackWARs="true" autoDeploy="true"
>            xmlValidation="false" xmlNamespaceAware="false">
>            <Alias>1.2.3.4</Alias>
>            <Alias>domain1.com</Alias>
>            <Alias>www.domain1.com</Alias>
>            <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="/home/tomcat6/logs/domain1"
>               prefix="domain1_access_log." suffix=".log" pattern="%A %h %l
> %u %t '%r' %s %b" resolveHosts="false"/>
>        </Host>
>
>        <Host name="domain2.com"  appBase="/usr/share/domain2"
>            unpackWARs="true" autoDeploy="true"
>            xmlValidation="false" xmlNamespaceAware="false">
>            <Alias>5.6.7.8</Alias>
>            <Alias>domain2.com</Alias>
>            <Alias>www.domain2.com</Alias>
>            <Context path="" docBase="."/>
>            <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="/home/tomcat6/logs/domain2"
>               prefix="domain2_access_log." suffix=".log" pattern="%A %h %l
> %u %t '%r' %s %b" resolveHosts="false"/>
>        </Host>
>    </Engine>
> </Service>
>
> (...)
>
> When I look at the log files generated by the AccessLogValve, I'm always
> getting IP address 1.2.3.4 for the Local IP address (%A), regardless of how
> I access the websites on the browser - via HTTP or HTTPs, and via IP
> address or domain name.
>

Looking at the code, the value used for host name in IP-based virtual
hosts is ServletRequest.getLocalName(). It is not getLocalAddr() and
there is no pattern in AccessLogValve that prints it. You can write a
simple JSP page that will display its value.

Quote:
[[[
        if (connector.getUseIPVHosts()) {
            serverName = req.localName();
]]]

>
> Even if I enter the IP address http://5.6.7.8 or https://5.6.7.8 in the
> browser, the access logs list 1.2.3.4 as the local IP.
>

This is odd.

How is 5.6.7.8 configured at the OS level? Do you have a separate network
card for it, or is it something else?

Your connector with address="5.6.7.8" - did it start successfully and
did it bind to the specified address? Tomcat itself will continue
starting even if one of its connectors fails. (There is a system
property that changes this behaviour of ignoring an error, though I do
not remember whether it works in 6.0.24).

Best regards,
Konstantin Kolinko
