Posted to users@tomcat.apache.org by ms...@kimwana.com on 2016/02/11 01:04:37 UTC

ssl config questions

I have the fillowing problem to solve for a job interview.

*  Install the latest version of Apache Tomcat 7 using the latest version of Oracle Java 8.  Done.

*  Running under a non-root account.  Done.

*  With the provided helloworld.war deployed under the /app web context (https://<hostname>/app).  Done.

*  With HTTPS enabled using a self-signed certificate that you generate.  Done.

*  Ensure the web application is available to the Internet for both HTTP and HTTPS

*  HTTP requests should be redirected to HTTPS automatically

I need help with the last two tasks. 

Do I need two redirecting connectors? 

'iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80  -j REDIRECT --to-port 8080' could be the first step.

Then . . . 

<Connector port="8080"
           enableLookups="false"
           redirectPort="443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           enableLookups="false"
           redirectPort="8443" />

How do I tell Tomcat to use SSL on a specific port? I was able to load the site in my browser without specifying a port, which seemed like a win, but I need to see that good old self-signed cert warning in my browser before I can call it a day.





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: ssl config questions

Posted by ms...@kimwana.com.
On Fri, Feb 12, 2016 at 10:53:12AM -0700, George Sexton wrote:
> 
> On 2/11/2016 11:30 AM, msh@kimwana.com wrote:
> >On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
> >>
> >>Msh,
> >>
> >>On 2/10/16 7:04 PM, msh@kimwana.com wrote:
> >>>I have the fillowing problem to solve for a job interview.
> >A few thoughts:
> >
> >(1) There is no (stated) requirement that the non-secure web service
> >be listening on port 80. There is no (stated) requirement that the
> >secure web service be listening on port 443. Perhaps you could
> >simplify things by not worrying about traditional port numbers for
> >HTTP and HTTPS.
> >Yeah. It took me a while to remember that the HTTP protocol can run on practically any non-reserved port.
> >Of course browsers expect port 80 so I added a rule in my iptables config
> >
> >-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443
> 
> You can also use JSVC which will allow you to bind to reserved
> ports. There are some other advantages to JSVC as well. For example,
> in some cases, if the JVM fails, it can perform a re-start.

I guess a lot of folks use Apache httpd as a proxy for Tomcat. 
I don't even know what JSVC is. Heh!

I've worked in several Tomcat shops but there were always load balancers handling such duties.




Re: ssl config questions

Posted by ms...@kimwana.com.
On Fri, Feb 12, 2016 at 10:53:12AM -0700, George Sexton wrote:
> 
> 
> On 2/11/2016 11:30 AM, msh@kimwana.com wrote:
> >On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
> >>
> >>Msh,
> >>
> >>On 2/10/16 7:04 PM, msh@kimwana.com wrote:
> >>>I have the fillowing problem to solve for a job interview.
> >A few thoughts:
> >
> >(1) There is no (stated) requirement that the non-secure web service
> >be listening on port 80. There is no (stated) requirement that the
> >secure web service be listening on port 443. Perhaps you could
> >simplify things by not worrying about traditional port numbers for
> >HTTP and HTTPS.
> >Yeah. It took me a while to remember that the HTTP protocol can run on practically any non-reserved port.
> >Of course browsers expect port 80 so I added a rule in my iptables config
> >
> >-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443
> 
> You can also use JSVC which will allow you to bind to reserved
> ports. There are some other advantages to JSVC as well. For example,
> in some cases, if the JVM fails, it can perform a re-start.

So I would run JSVC as root or as an unprivileged user?




Re: ssl config questions

Posted by George Sexton <ge...@mhsoftware.com>.

On 2/11/2016 11:30 AM, msh@kimwana.com wrote:
> On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
>>
>> Msh,
>>
>> On 2/10/16 7:04 PM, msh@kimwana.com wrote:
>>> I have the fillowing problem to solve for a job interview.
> A few thoughts:
>
> (1) There is no (stated) requirement that the non-secure web service
> be listening on port 80. There is no (stated) requirement that the
> secure web service be listening on port 443. Perhaps you could
> simplify things by not worrying about traditional port numbers for
> HTTP and HTTPS.
> Yeah. It took me a while to remember that the HTTP protocol can run on practically any non-reserved port.
> Of course browsers expect port 80 so I added a rule in my iptables config
>
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443

You can also use JSVC which will allow you to bind to reserved ports. 
There are some other advantages to JSVC as well. For example, in some 
cases, if the JVM fails, it can perform a re-start.


>
> which I think should work. I guess netcat will help me test that theory.
>
>

-- 
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com

Re: ssl config questions

Posted by ms...@kimwana.com.
On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
> 
> Msh,
> 
> On 2/10/16 7:04 PM, msh@kimwana.com wrote:
> > I have the fillowing problem to solve for a job interview.

Fillowing. Heh! Thanks for the help.

> You have two connectors, but they are both HTTP (non-secure). Part of
> "installing Tomcat as non-root" means that binding to port 443 isn't
> going to work. You need to use a different port.

Yeah, I did realize this. ssl can work
> 
> A few thoughts:
> 
> (1) There is no (stated) requirement that the non-secure web service
> be listening on port 80. There is no (stated) requirement that the
> secure web service be listening on port 443. Perhaps you could
> simplify things by not worrying about traditional port numbers for
> HTTP and HTTPS.

Yeah. It took me a while to remember that the HTTP protocol can run on practically any non-reserved port.
Of course browsers expect port 80 so I added a rule in my iptables config 

-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443

which I think should work. I guess netcat will help me test that theory.


> 
> (2) Everything you need to know about configuring SSL is in Tomcat's
> Users Guide[1] or Configuration Guide[2].
> 
> -chris
> 
> [1] http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html


Re: ssl config questions

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Msh,

On 2/10/16 7:04 PM, msh@kimwana.com wrote:
> I have the fillowing problem to solve for a job interview.

Hmm. On the one hand, it's YOUR job interview. On the other hand, if
you don't know this answer, you need to be able to find out the
answer, of course. How about we help you *just a little* to help yourself.

> Install the latest version of Apache Tomcat 7 using the latest
> version of Oracle Java 8.  Done.
> Running under a non-root account.  Done.
> With the provided helloworld.war deployed under the /app web context
> (https://<hostname>/app).  Done.
> 
> With HTTPS enabled using a self-signed certificate that you
> generate.  Done.
> 
> *  Ensure the web application is available to the Internet for both
> HTTP and HTTPS
> 
> *  HTTP requests should be redirected to HTTPS automatically
> 
> I need help with the last two tasks.
> 
> Do I need two redirecting connectors?
> 
> 'iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80  -j
> REDIRECT --to-port 8080' could be the first step.
> 
> Then . . .
> 
> <Connector port="8080" enableLookups="false" redirectPort="443" />
> 
> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11Protocol" 
> enableLookups="false" redirectPort="8443" />
> 
> How do I tell Tomcat to use ssl on a specific port? I was able to 
> load the site in my browser without specifying a port which seemed 
> like a win but I need to see that good old self-signed cert
> warning in my browser before I can call it a day.


You have two connectors, but they are both HTTP (non-secure). Part of
"installing Tomcat as non-root" means that binding to port 443 isn't
going to work. You need to use a different port.

A few thoughts:

(1) There is no (stated) requirement that the non-secure web service
be listening on port 80. There is no (stated) requirement that the
secure web service be listening on port 443. Perhaps you could
simplify things by not worrying about traditional port numbers for
HTTP and HTTPS.

(2) Everything you need to know about configuring SSL is in Tomcat's
Users Guide[1] or Configuration Guide[2].

-chris

[1] http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
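The pieces the thread points at but never spells out, as an added example that is not code from the thread or from the Tomcat project: the original poster's two connectors are both plain HTTP (Chris's point), and the HTTP-to-HTTPS redirect needs two things that neither snippet has. The listener on 8443 must carry SSLEnabled="true" plus keystore settings, and the redirect only happens when a security-constraint with transport-guarantee CONFIDENTIAL covers the URL; redirectPort by itself never redirects anything. The iptables rules then map the privileged ports onto the two non-root connectors, with port 80 landing on the plain connector rather than the TLS one, because a TLS listener cannot read a plaintext request. The paths, hostname, keystore password, interface name and the fact that the app's WEB-INF/web.xml can be edited are all assumptions, not facts from the page:

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Turns a non-root Tomcat 7
# into HTTP-on-8080 redirecting to HTTPS-on-8443, with iptables mapping 80/443.
# Assumed (not from the page): CATALINA_BASE, HOST, STOREPASS, interface eth0, and
# that the application's WEB-INF/web.xml may be edited.
CATALINA_BASE="${CATALINA_BASE:-/opt/tomcat}"
HOST="${HOST:-tomcat.example.test}"        # assumed hostname; use the real FQDN
STOREPASS="${STOREPASS:-changeit}"         # assumed; pick a real secret outside a demo

# 1. Self-signed certificate in a JKS keystore (Java 8 keytool). The SAN extension
#    matters: browsers ignore a CN-only certificate when checking the hostname.
gen_keystore() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$CATALINA_BASE/conf/keystore.jks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$HOST, O=Example, C=US" -ext "SAN=dns:$HOST"
}

# 2. Connector pair for conf/server.xml. Only the second one is TLS: SSLEnabled="true"
#    makes it an HTTPS listener, scheme/secure tell the webapp so. proxyPort and
#    redirectPort carry the public ports that iptables maps below, so Location headers
#    and request.getServerPort() show the port the client actually connected to.
connectors_xml() {
    cat <<EOF
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" enableLookups="false"
           proxyPort="80" redirectPort="443" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           enableLookups="false" proxyPort="443"
           keystoreFile="\${catalina.base}/conf/keystore.jks"
           keystorePass="$STOREPASS" keyAlias="tomcat"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />
EOF
}

# 3. The redirect itself. Tomcat answers a plain-HTTP request with a 302 to
#    https://host:<redirectPort>/... only when a security-constraint demands
#    CONFIDENTIAL transport. This goes into the application's WEB-INF/web.xml.
security_constraint_xml() {
    cat <<'EOF'
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
EOF
}

# 4. A non-root Tomcat cannot bind 80 or 443, so map them in the nat table (run as
#    root). Port 80 must reach the plain connector, port 443 the TLS connector.
iptables_rules() {
    cat <<'EOF'
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80  -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-ports 8443
EOF
}

# 5. Judge a raw HTTP response read from stdin: true only for a 30x whose Location
#    points at https://$1/... (an explicit :443 is accepted). Pure awk, testable offline.
is_https_redirect() {
    awk -v host="$1" '
        NR == 1 { ok = ($2 ~ /^30[1278]$/) }
        tolower($1) == "location:" && $2 ~ ("^https://" host "(:443)?/") { loc = 1 }
        END { exit (ok && loc) ? 0 : 1 }'
}

# 6. End-to-end check from outside the box. -k accepts the self-signed certificate,
#    which is the same thing as clicking through the browser warning.
verify() {
    curl -sSI "http://$HOST/app/" | is_https_redirect "$HOST" || return 1
    curl -ksSI "https://$HOST/app/" | grep -q '^HTTP/1.1 200' || return 1
    echo "http -> https redirect and TLS listener both OK"
}

case "${1:-}" in
    setup)  gen_keystore; connectors_xml; security_constraint_xml; iptables_rules ;;
    verify) verify ;;
    *)      echo "usage: $0 setup|verify" >&2 ;;
esac
```

Run `setup` as the Tomcat service account (it writes the keystore into conf/), paste the two fragments into server.xml and the application's web.xml, then apply the two iptables rules as root and restart Tomcat; `verify` afterwards shows the 302 and the self-signed listener. Because server.xml now holds the keystore password, keep it readable only by the service account, and remember that REDIRECT rules live in the nat table and are gone after a reboot unless they are saved. If jsvc is used instead, as George Sexton suggests, the connectors can sit on 80 and 443 directly and the iptables step goes away.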