Some notes from October 2011 referenced below:

On 4/7/2013 8:47 AM, Christopher Schultz wrote:

Kevin,

On 4/6/13 10:10 PM, Kevin Jenkins wrote:
I have a server that has two hosts: First:
http://masterserver2.raknet.com/

Second (using alias) https://lobby3.raknet.com
https://milestone.lobby3.raknet.com:444/

I would like to have access be on these specific URLs. Right now you
can use untrusted URLs, such as https://masterserver2.raknet.com/ and
https://milestone.lobby3.raknet.com/

Additionally, I would like to access milestone.lobby3.raknet.com on
port 443 rather than 444 (so that 443 does not display a warning
like it does now).

I set up two connectors because I did not know how else to specify
that there are two SSL certificate files.

If you want two separate hostnames served under HTTPS and you:

a. Don't have a wildcard or other special type of certificate
or
b. Don't have Server Name Indication capabilities


From the list archives:

http://mail-archives.apache.org/mod_mbox/tomcat-users/201110.mbox/%3c1318710394.66976.yahoomail...@web125511.mail.ne1.yahoo.com%3E

Wildcard certificates would work in this case because the hosts are part of the same domain.

SNI is apparently client-side only for Java.

...then you will need to configure a <Connector> for each hostname on
a separate interface/port combination with separate certificates.

The easiest way to do this is to set up a second interface with a
separate IP address. This is usually trivial to do, and it doesn't
really interfere with networking on the server. Just create a second
interface with a second IP address, map DNS properly, and then set up
your web server to bind specifically to the second IP address for the
second hostname's SSL virtual host.


In a Tomcat-only setup this is the way to go. Secondary or virtual IP addresses are easy to set up.

Your <Connectors> look just fine (other than the use of port 444, of
course). Once you have a second interface/IP, you'll want to use the
"address" attribute of the <Connector> to choose the interface to
listen on. I would choose one <Connector> to listen on *all*
interfaces to be a catch-all in case your IP address(es) change(s) and
you forget to re-configure everything: a security warning due to a
mismatched-host is better for users than an unreachable host.

-chris

The other solution is to front the Tomcat systems with an Apache HTTPD server and use named virtual hosts in SSL. Apparently the configuration checking routine throws a warning on startup, but the actual configuration works (on Apache HTTPD 2.2, I've not tried 2.4).

. . . . just my two cents.
/mde/
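The Tomcat-only layout Chris describes above (one HTTPS <Connector> per hostname, each bound via the "address" attribute to its own IP and carrying its own keystore), written out as an added server.xml fragment that is not from the thread or from the RakNet configuration; the IP addresses, keystore paths and passwords are constructed placeholders, and the attribute names are the standard Tomcat 7 BIO/NIO connector attributes.

```xml
<!-- Added example, not the original poster's server.xml.
     Assumes two secondary IPs on the host (constructed, documentation range):
       192.0.2.10 -> masterserver2.raknet.com
       192.0.2.11 -> milestone.lobby3.raknet.com
     DNS A records must point each hostname at its own address, otherwise the
     browser still reaches the wrong connector and gets a name-mismatch warning. -->

<!-- Connector for masterserver2.raknet.com: bound to its own IP on 443,
     so no non-standard port (444) is needed and no warning is shown. -->
<Connector port="443" address="192.0.2.10"
           protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/tomcat/keystores/masterserver2.jks"
           keystorePass="PLACEHOLDER-masterserver2-password" />

<!-- Connector for milestone.lobby3.raknet.com: same port, different IP,
     different keystore holding that hostname's certificate. -->
<Connector port="443" address="192.0.2.11"
           protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/tomcat/keystores/milestone-lobby3.jks"
           keystorePass="PLACEHOLDER-lobby3-password" />

<!-- Optional catch-all as Chris suggests: listens on every interface so the
     site stays reachable (with a name-mismatch warning) if an IP changes and
     the address-bound connectors above are not updated. It cannot share 443
     with them, because a wildcard listener and an address-specific listener on
     the same port collide at bind time, so it gets its own port (assumption). -->
<Connector port="8443"
           protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/tomcat/keystores/masterserver2.jks"
           keystorePass="PLACEHOLDER-masterserver2-password" />
```

Keep the keystore passwords out of a world-readable server.xml (restrict the file's permissions to the Tomcat user), since anyone who can read it can impersonate both hosts. Later Tomcat releases (8.5 onward, on Java 8) added server-side SNI via <SSLHostConfig>, which lets one connector on one IP present a different certificate per hostname and removes the need for the second address.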
