Mark,

On 8/17/20 03:50, Mark Thomas wrote:
> On 16/08/2020 18:00, James H. H. Lampert wrote:
>> Permit me to clarify:
>>
>> 1. The existing httpd server on this box, and its certbot setup
>> may be extended/expanded, but not otherwise disturbed.
>>
>> 2. Running Tomcat independently of httpd on this box is not an
>> option, because *both* are to be visible to the outside world on
>> port 443 of the same IP address. Doing so was not merely "an
>> option," but *mandatory* on the other box, which has Tomcat and
>> httpd on separate ports.
>>
>> 3. At this point, the concern is making certain that the httpd
>> virtual host for the new subdomain provides for the needs of both
>> Certbot and Tomcat. Then, I can worry about adding the new
>> subdomain to Certbot.
>
> First of all, to confirm I am reading the config correctly:
>
> - httpd redirects all http requests to https - anything proxied to
> Tomcat MUST have been received by httpd over https
>
> Given you don't mind whether proxying to Tomcat is over http or
> https, I recommend http and an http connector in Tomcat with the
> following settings:
>
> SSLEnabled="false", secure="true", scheme="https"

This is the right sauce for telling Tomcat that the request is secure
yet not encrypted, but that the reverse-proxy is handling the
encryption (which is why it's "secure").

But I wouldn't recommend this unless you are sure it will be on the
same box. If you decide to separate httpd from Tomcat on another
server, I'd recommend encrypting the connection between them. For
that, there is no need for a cert from a known CA: you can be your own
CA. Just mint your own cert which is valid however long you want,
install it in Tomcat, and make sure that httpd trusts it.

-chris
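The two connector shapes discussed above, as an added example that is not part of the thread or of Tomcat's own documentation. Both go inside the `<Service>` element of `conf/server.xml`; the ports, the loopback bind address, the `proxyName` value, and the keystore path and password are assumed placeholders, not settings from the original setup.

```xml
<!-- Added example (not from the thread). Two ways to wire the httpd -> Tomcat hop.
     Ports, addresses, proxyName and keystore details are assumed placeholders. -->

<!-- Option A: httpd and Tomcat on the same box (the case Mark describes).
     The hop is plain HTTP; secure="true" and scheme="https" make Tomcat report
     request.isSecure() == true and build https:// URLs even though this
     connector itself is not encrypted. Because every request on this port is
     treated as already-secure, bind it to loopback so nothing off-box can
     reach it directly and bypass httpd's TLS. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           SSLEnabled="false" secure="true" scheme="https"
           proxyName="new.example.com" proxyPort="443"
           connectionTimeout="20000" />

<!-- Option B: httpd on a different box (the case Chris describes).
     Encrypt the hop with a certificate issued by your own private CA; no public
     CA is needed, httpd only has to trust that CA. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" secure="true" scheme="https"
           proxyName="new.example.com" proxyPort="443"
           maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <!-- PKCS12 keystore holding the Tomcat key and the private-CA-issued cert -->
        <Certificate certificateKeystoreFile="conf/tomcat-internal.p12"
                     certificateKeystorePassword="CHANGEME-keystore-password"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

For Option B the httpd virtual host needs `SSLProxyEngine on`, `SSLProxyCACertificateFile` pointing at the private CA's certificate (so httpd verifies the Tomcat cert against it rather than the system trust store), and a `ProxyPass` to `https://<tomcat-host>:8443/`; with that in place `SSLProxyVerify require` makes httpd refuse the hop if the Tomcat certificate does not chain to your CA. `proxyName`/`proxyPort` are optional but keep Tomcat-generated redirects pointing at the public `https://` name instead of the internal port.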
