Posted to users@tomcat.apache.org by Ognjen Blagojevic <og...@etf.bg.ac.rs> on 2009/05/09 19:21:35 UTC

Sanity check: Multiple SSL virtual hosts

Hi all,

I just configured Tomcat 6.0.18 (on CentOS 5.3 and Java 1.6.0u13) to 
work with two virtual hosts over https, and wanted to check whether this 
is the proper configuration: two https connectors (bound to the IPs) with 
two keystores, two Host elements, all inside one Service element.

Here is the server.xml excerpt:

   <Service name="Catalina">

     <Connector port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="8443" />

     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                address="123.123.123.111"
                keystoreFile="/home/tomcat/.keystore-111" />

     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                address="123.123.123.222"
                keystoreFile="/home/tomcat/.keystore-222" />

     <Engine name="Catalina" defaultHost="host1.company.com">

       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              resourceName="UserDatabase"/>

       <Host name="host1.company.com"  appBase="host1apps"
             unpackWARs="true" autoDeploy="true"
             xmlValidation="false" xmlNamespaceAware="false">
       </Host>

       <Host name="host2.company.com"  appBase="host2apps"
             unpackWARs="true" autoDeploy="true"
             xmlValidation="false" xmlNamespaceAware="false">
       </Host>
     </Engine>
   </Service>


DNS resolves host1 to 123.123.123.111 and host2 to 123.123.123.222.

Does this look right?

Regards,
Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Sanity check: Multiple SSL virtual hosts

Posted by Martin Gainty <mg...@hotmail.com>.
I noticed you are using the same port 8443 for two different connectors;
each connector needs its own IP/port combination.

Martin Gainty 
______________________________________________ 
Disclaimer and Confidentiality
This message is confidential. If you should not be the intended receiver, then we ask politely to report. Each unauthorized forwarding or manufacturing of a copy is inadmissible. This message serves only for the exchange of information and has no legal binding effect. Due to the easy manipulation of emails we cannot take responsibility over the the contents.





RE: Sanity check: Multiple SSL virtual hosts

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mark Thomas [mailto:markt@apache.org]
> Subject: Re: Sanity check: Multiple SSL virtual hosts
> 
> It should work. The only potential issue is that a request to
> 123.123.123.111 can still access host2

Shouldn't there be <Alias> elements for the IP addresses for each <Host> to ensure proper routing for accesses by IP address and not domain name?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.





RE: Sanity check: Multiple SSL virtual hosts

Posted by Martin Gainty <mg...@hotmail.com>.
wrong again

Martin Gainty 




> From: Chuck.Caldarale@unisys.com
> To: users@tomcat.apache.org
> Date: Sat, 9 May 2009 22:23:26 -0500
> Subject: RE: Sanity check: Multiple SSL virtual hosts
> 
> > From: Martin Gainty [mailto:mgainty@hotmail.com]
> > Subject: RE: Sanity check: Multiple SSL virtual hosts
> 
> > I noticed you are using the same port 8443 for 2 different connectors
> > each connector needs their own IP/port combination
> 
> ??? The OP's config clearly shows a separate IP address for each of the port 8443 connectors, so he obviously already knew that and accounted for it.
> 
>  - Chuck

RE: Sanity check: Multiple SSL virtual hosts

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin Gainty [mailto:mgainty@hotmail.com]
> Subject: RE: Sanity check: Multiple SSL virtual hosts

> I noticed you are using the same port 8443 for 2 different connectors
> each connector needs their own IP/port combination

??? The OP's config clearly shows a separate IP address for each of the port 8443 connectors, so he obviously already knew that and accounted for it.

 - Chuck






Re: Sanity check: Multiple SSL virtual hosts

Posted by Mark Thomas <ma...@apache.org>.
Ognjen Blagojevic wrote:
> Does this look right?

It should work. The only potential issue is that a request to
123.123.123.111 can still access host2 (although they will get a warning
about certificate validity). It would require playing with name
resolution (e.g. a local hosts file) to do this.

Mark


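The point Mark makes above follows from how Tomcat picks a <Host>: the mapper looks only at the Host header (falling back to the Engine's defaultHost), never at which connector or local IP accepted the connection. So with the configuration in the original post, a client that resolves host2.company.com to 123.123.123.111 (a hosts-file entry, or curl's --resolve option) is served host2's content through the .111 connector, with the .111 certificate; and, per Chuck's note, a client that puts a bare IP in the Host header lands on defaultHost unless that IP is listed as an <Alias> inside the matching <Host>. If the two hosts really must be isolated per address, the only thing Tomcat gives you to check is the local address of the connection. The filter below is an added example written for this thread, not code from the original posts or from Tomcat: it denies any request whose Host header names a virtual host that the connection's local IP is not meant to serve. The class and package names, the "bindings" init-param and its host=ip,host=ip format are my own choices; the Servlet 2.5 API calls (getServerName, getLocalAddr, sendError) are standard and available in Tomcat 6.

```java
// HostAddressGuardFilter.java (added example; class, package and
// init-param names are hypothetical, not from the thread or from Tomcat)
package com.example.hostguard;

import java.io.IOException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose Host header names a virtual host that the
 * local address of this connection is not meant to serve. Tomcat maps a
 * request to a <Host> by the Host header alone (falling back to
 * defaultHost), so binding two SSL connectors to two IPs does not by
 * itself stop host2 from being served on the host1 address.
 */
public class HostAddressGuardFilter implements Filter {

    // virtual host name (lower-case) -> the only local IP allowed to serve it
    private final Map<String, String> allowedAddress = new HashMap<String, String>();

    public void init(FilterConfig config) throws ServletException {
        // init-param "bindings" (hypothetical name), e.g.
        //   host1.company.com=123.123.123.111,host2.company.com=123.123.123.222
        String bindings = config.getInitParameter("bindings");
        if (bindings == null || bindings.trim().length() == 0) {
            throw new ServletException("init-param 'bindings' is required");
        }
        for (String pair : bindings.split(",")) {
            String[] kv = pair.split("=", 2);
            if (kv.length != 2) {
                throw new ServletException("malformed binding: " + pair);
            }
            allowedAddress.put(kv[0].trim().toLowerCase(Locale.ENGLISH), kv[1].trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServerName() is the Host header with any :port removed;
        // getLocalAddr() is the IP the connector accepted this connection on.
        String host = request.getServerName().toLowerCase(Locale.ENGLISH);
        String localAddr = request.getLocalAddr();

        if (!isAllowed(host, localAddr)) {
            // 404 rather than 403: do not confirm that the other host exists here.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the request's host name belongs on this local address. */
    boolean isAllowed(String host, String localAddr) {
        // A client that put the bare IP in the Host header (the case the
        // <Alias> suggestion covers) is fine as long as it hit that same IP.
        if (host.equals(localAddr)) {
            return true;
        }
        String expected = allowedAddress.get(host);
        return expected != null && expected.equals(localAddr);
    }

    public void destroy() {
        allowedAddress.clear();
    }
}
```

Register it in each application's web.xml with a <filter-mapping> on /* and the bindings init-param; because a Filter is per-webapp, it has to be present in every application under both appBase directories. The same two request fields are available to an Engine-level Valve (a subclass of org.apache.catalina.valves.ValveBase dropped into Tomcat's lib), which would enforce the rule once for all hosts. Note that the check closes the content leak only: a client that deliberately resolves host2.company.com to the .111 address still receives the .111 certificate and the validity warning Mark describes.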