Some notes from October 2011 referenced below:
On 4/7/2013 8:47 AM, Christopher Schultz wrote:
Kevin,
On 4/6/13 10:10 PM, Kevin Jenkins wrote:
I have a server that has two hosts: First:
http://masterserver2.raknet.com/
Second (using alias) https://lobby3.raknet.com
https://milestone.lobby3.raknet.com:444/
I would like to have access be on these specific URLs only. Right now you
can use untrusted URLs, such as https://masterserver2.raknet.com/ and
https://milestone.lobby3.raknet.com/
Additionally, I would like to access milestone.lobby3.raknet.com on
port 443 rather than 444 (so that 443 does not display a warning
like it does now).
I set up two connectors because I did not know how else to specify that
there are two SSL certificate files.
If you want two separate hostnames served under HTTPS and you:
a. Don't have a wildcard or other special type of certificate
or
b. Don't have Server Name Indication capabilities
From the list archives:
http://mail-archives.apache.org/mod_mbox/tomcat-users/201110.mbox/%3c1318710394.66976.yahoomail...@web125511.mail.ne1.yahoo.com%3E
Wildcard certificates would work in this case because the hosts are part
of the same domain.
SNI is apparently client-side only for Java.
...then you will need to configure a <Connector> for each hostname on
a separate interface/port combination with separate certificates.
The easiest way to do this is to set up a second interface with a
separate IP address. This is usually trivial to do, and it doesn't
really interfere with networking on the server. Just create a second
interface with a second IP address, map DNS properly, and then set up
your web server to bind specifically to the second IP address for the
second hostname's SSL virtual host.
In a Tomcat-only setup this is the way to go. Secondary or virtual IP
addresses are easy to set up.
Your <Connectors> look just fine (other than the use of port 444, of
course). Once you have a second interface/IP, you'll want to use the
"address" attribute of the <Connector> to choose the interface to
listen on. I would choose one <Connector> to listen on *all*
interfaces to be a catch-all in case your IP address(es) change(s) and
you forget to re-configure everything: a security warning due to a
mismatched-host is better for users than an unreachable host.
- -chris
The other solution is to front the Tomcat systems with an Apache HTTPD
server and use named virtual hosts in SSL. Apparently the configuration
checking routine throws a warning on startup, but the actual
configuration works (on Apache HTTPD 2.2, I've not tried 2.4).
. . . . just my two cents.
/mde/
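The per-IP connector layout plus catch-all that Chris describes, as an added example (not code from this thread and not Tomcat's own): a small Python model of which <Connector> answers for each hostname and whether a browser then sees a trusted name, a certificate-mismatch warning, or nothing at all. The IP addresses, DNS map and certificate names are constructed around the thread's hostnames; the catch-all is assumed to reuse the masterserver2 certificate, and the model assumes the OS hands a connection to the socket bound to the exact IP before the one bound to 0.0.0.0. The name-matching helper applies the wildcard rule browsers enforce (RFC 6125: the wildcard must be the whole leftmost label and matches exactly one label), which is worth checking before buying a wildcard certificate, since *.raknet.com covers lobby3.raknet.com but not milestone.lobby3.raknet.com.

```python
"""Plan checker for per-IP Tomcat HTTPS connectors.

Added example, not code from the thread or from Tomcat. All addresses,
DNS entries and certificate names below are constructed. The address
attribute of <Connector> is modelled as: a connector bound to the exact
IP wins over one bound to 0.0.0.0 on the same port.
"""
from dataclasses import dataclass

WILDCARD = "0.0.0.0"  # Tomcat's behaviour when the address attribute is absent


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 reference-identifier matching as browsers apply it.

    A wildcard is only valid as the entire leftmost label and matches
    exactly one label: '*.raknet.com' covers 'lobby3.raknet.com' but not
    'milestone.lobby3.raknet.com' and not 'raknet.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # Whole-label leftmost wildcard only, and never something like '*.com'.
    if p[0] != "*" or len(p) < 3 or "*" in pattern[1:]:
        return False
    return len(p) == len(h) and p[1:] == h[1:]


@dataclass(frozen=True)
class Connector:
    address: str       # <Connector address="..."> ("0.0.0.0" = all interfaces)
    port: int
    cert_names: tuple  # subjectAltName dNSName entries on that connector's cert


def connector_for(connectors, ip: str, port: int):
    """Return the connector that answers on ip:port, preferring an exact bind."""
    exact = [c for c in connectors if c.port == port and c.address == ip]
    catch_all = [c for c in connectors if c.port == port and c.address == WILDCARD]
    return (exact or catch_all or [None])[0]


def check_url(connectors, dns, hostname: str, port: int = 443) -> str:
    """Outcome for https://hostname:port/ : 'ok' (trusted name),
    'mismatch' (served, but with a certificate warning) or
    'unreachable' (nothing listening on the resolved IP:port)."""
    ip = dns.get(hostname)
    conn = connector_for(connectors, ip, port) if ip else None
    if conn is None:
        return "unreachable"
    if any(name_matches(n, hostname) for n in conn.cert_names):
        return "ok"
    return "mismatch"


# Constructed scenario built around the hostnames in the thread.
CERT_MASTER = ("masterserver2.raknet.com",)
CERT_LOBBY = ("lobby3.raknet.com", "milestone.lobby3.raknet.com")

DNS = {
    "masterserver2.raknet.com": "192.0.2.10",
    "lobby3.raknet.com": "192.0.2.11",
    "milestone.lobby3.raknet.com": "192.0.2.11",
}

# One connector per certificate, each bound to its own IP, both on 443.
CONNECTORS = (
    Connector("192.0.2.10", 443, CERT_MASTER),
    Connector("192.0.2.11", 443, CERT_LOBBY),
)

# Same plan plus the catch-all on all interfaces (assumed to reuse CERT_MASTER).
CONNECTORS_WITH_CATCH_ALL = CONNECTORS + (Connector(WILDCARD, 443, CERT_MASTER),)


def report(connectors, dns):
    return {h: check_url(connectors, dns, h) for h in dns}


def after_ip_change(connectors):
    """The failure mode from the thread: the lobby IP moves and DNS is updated,
    but server.xml still binds the old address."""
    moved = {**DNS, "lobby3.raknet.com": "192.0.2.12",
             "milestone.lobby3.raknet.com": "192.0.2.12"}
    return report(connectors, moved)


if __name__ == "__main__":
    print("as planned:             ", report(CONNECTORS, DNS))
    print("IP moved, no catch-all: ", after_ip_change(CONNECTORS))
    print("IP moved, with catch-all:", after_ip_change(CONNECTORS_WITH_CATCH_ALL))
    print("*.raknet.com covers milestone.lobby3.raknet.com?",
          name_matches("*.raknet.com", "milestone.lobby3.raknet.com"))
```

With the catch-all in place, the moved hosts degrade from "unreachable" to "mismatch", which is the trade-off Chris is making: a warning page beats a dead host while the connector addresses are brought back in line with DNS.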