On 16/08/2020 18:00, James H. H. Lampert wrote:
> Permit me to clarify:
>
> 1. The existing httpd server on this box, and its certbot setup may be
> extended/expanded, but not otherwise disturbed.
>
> 2. Running Tomcat independently of httpd on this box is not an option,
> because *both* are to be visible to the outside world on port 443 of the
> same IP address. Doing so was not merely "an option," but *mandatory* on
> the other box, which has Tomcat and httpd on separate ports.
>
> 3. At this point, the concern is making certain that the httpd virtual
> host for the new subdomain provides for the needs of both Certbot and
> Tomcat. Then, I can worry about adding the new subdomain to Certbot.
First of all, to confirm I am reading the config correctly:

- httpd redirects all http requests to https
- anything proxied to Tomcat MUST have been received by httpd over https

Given you don't mind whether proxying to Tomcat is over http or https, I
recommend http and an http connector in Tomcat with the following settings:

SSLEnabled="false", secure="true", scheme="https"

I'd be wary of directory traversal issues with the IP controls on Manager
and Host Manager access in httpd. There are some edge cases where the
Servlet spec's view on matching URIs to targets and the HTTP spec's view
are not entirely consistent. This has been known to expose directory
traversal issues. I'd recommend using the RemoteIpValve to expose the
original IP to Tomcat and then perform the IP filtering in Tomcat. Whether
you keep the filtering in httpd (pro of early rejection vs con of having
to keep configs in sync) is up to you.

HTH,

Mark
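The connector and valve settings Mark recommends, written out as an added example (not from the thread and not Tomcat's shipped defaults). It assumes httpd on the same host proxies the subdomain to Tomcat on 127.0.0.1:8080; the loopback-only bind, the IPv6 loopback pattern and the 203.0.113.0/24 admin range are assumptions and placeholders:

```xml
<!-- conf/server.xml (fragment) -->
<Service name="Catalina">
  <!-- Plain-HTTP connector for traffic arriving from httpd. Bound to
       loopback only (assumption) so nothing reaches Tomcat except through
       the httpd proxy. secure="true" and scheme="https" make
       request.isSecure(), absolute URLs and redirects report HTTPS even
       though this last hop is cleartext. -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="127.0.0.1"
             SSLEnabled="false" secure="true" scheme="https"
             proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <!-- Replace the peer address with the client IP httpd forwarded in
         X-Forwarded-For, but only trust that header when the peer itself
         is one of the listed internal proxies (loopback, where httpd runs).
         Narrowing internalProxies from Tomcat's default private-range list
         to loopback is deliberate. protocolHeader is optional here because
         the connector is already marked secure. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1|::1"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="false" />
  </Engine>
</Service>

<!-- webapps/manager/META-INF/context.xml
     (apply the same valve in webapps/host-manager/META-INF/context.xml) -->
<!-- IP filtering done in Tomcat, after RemoteIpValve has run, so it applies
     to the request as the servlet container actually routes it rather than
     to how httpd happened to match the URL. Admin range is a placeholder. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|203\.0\.113\.\d+" />
</Context>
```

The manager context.xml that ships with current Tomcat already contains a RemoteAddrValve allowing loopback only, so widening its allow pattern is the only change needed in that file.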