Hi Chris,
If we create a new Java filter as below, can we then redirect the URLs?

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

// Tomcat 10.1.x provides the jakarta.servlet API (see the jakarta.servlet.http.HttpServlet
// frame in the stack trace below); a filter compiled against javax.servlet is not picked up.
@WebFilter("/*")
public class UrlRedirectionFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // getRequestURL() returns scheme, host and path, e.g. "https://example.lbg.com/",
        // so drop a trailing slash before comparing against the target URL
        String requestUrl = httpRequest.getRequestURL().toString();
        if (requestUrl.endsWith("/")) {
            requestUrl = requestUrl.substring(0, requestUrl.length() - 1);
        }

        // Check if the request URL matches the target URL
        if (requestUrl.equals("https://example.lbg.com")) {
            // Perform redirect to the desired destination URL
            httpResponse.sendRedirect("https://server.lbg.com/towl");
            return;
        }

        // For all other URLs, disable access
        httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    // init() and destroy() have default implementations in the Filter interface
    // and are left at their defaults for this example
}

Thanks,
Lavanya
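
As an added example (not code from this thread or from Tomcat), here is the "separate towl application that only redirects" approach from Chris's steps 4b and 5, written as a servlet rather than a rewrite rule: deployed as the only content of towl.war it answers every request under /towl with a redirect to the same path (query string included) under / on the canonical origin. The class name, the CANONICAL_ORIGIN constant and the choice of a 301 are assumptions. Two points the thread raises are built in: the Location header is absolute, so the redirect is relative to the server and never to the /towl context, and it is built from a hard-coded origin rather than the request's Host header, so the servlet cannot be turned into an open redirect.

```java
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

/**
 * The only servlet in a stand-alone "towl" web application (towl.war). The real
 * application is deployed as ROOT.war, so everything that arrives under /towl is
 * answered with a redirect to the same path under / on the canonical origin.
 */
@WebServlet("/*")
public class TowlRedirectServlet extends HttpServlet {

    // Assumed canonical origin. Hard-coded on purpose: if the Location header were
    // built from the client-controlled Host header, this would be an open redirect.
    static final String CANONICAL_ORIGIN = "https://example.lbg.com";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String location = buildLocation(req.getPathInfo(), req.getQueryString());
        if (location == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // An absolute Location keeps the redirect relative to the SERVER, never to
        // the /towl context, which is the trap described for rewrite valves/filters.
        resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        resp.setHeader("Location", location);
    }

    /**
     * Maps the part of the request after the context path (e.g. "/foo/bar" for
     * /towl/foo/bar) onto the same path at the canonical origin, keeping the query
     * string. Returns null when the input cannot be expressed as a safe URI.
     */
    static String buildLocation(String pathInfo, String rawQuery) {
        String path = (pathInfo == null || pathInfo.isEmpty()) ? "/" : pathInfo;
        if (rawQuery != null && !isPrintableAscii(rawQuery)) {
            return null; // never echo control characters into a response header
        }
        try {
            // getPathInfo() is already decoded by the container; re-encode it so that
            // spaces and other illegal characters become percent escapes in the header.
            String encodedPath = new URI(null, null, path, null).toASCIIString();
            StringBuilder sb = new StringBuilder(CANONICAL_ORIGIN).append(encodedPath);
            if (rawQuery != null && !rawQuery.isEmpty()) {
                sb.append('?').append(rawQuery); // already in wire form, appended as-is
            }
            return sb.toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    private static boolean isPrintableAscii(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c > 0x7e) {
                return false;
            }
        }
        return true;
    }

    // Stand-alone demonstration on constructed inputs; no container needed.
    public static void main(String[] args) {
        System.out.println(buildLocation("/", null));           // https://example.lbg.com/
        System.out.println(buildLocation("/foo/bar", "id=7"));  // https://example.lbg.com/foo/bar?id=7
        System.out.println(buildLocation("/a b", null));        // https://example.lbg.com/a%20b
        System.out.println(buildLocation("/x", "a=1\r\nInjected: yes")); // null
    }
}
```

With proxyPort="443" and proxyName="example.lbg.com" on the Connector, sendRedirect("/" + path) would also produce the right host, but spelling the origin out makes the redirect independent of the connector settings and of whatever hostname the client happened to use.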

On Fri, May 10, 2024 at 10:37 AM lavanya tech <lavanyatech...@gmail.com>
wrote:

> Hi Chris,
>
> I tried the below and have the issues.
>
> 1)proxyPort="443" and proxyName="example.lbg.com" to the connector
> 2) renamed towl.war to ROOT.war
> 3) created rewrite.config and added as below under conf/
>
> RewriteCond %{REQUEST_URI} ^/towl/(.*)
> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>
> 4) added this in web.xml file of /webapps/towl/web.xml/
>
>   <!-- Servlet mappings -->
>     <!-- Add your existing servlet mappings here -->
>
>     <!-- Security constraint to restrict access to /towl path -->
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Restricted Access to
> /towl</web-resource-name>
>             <url-pattern>/towl/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <!-- Deny access to all roles -->
>         </auth-constraint>
>     </security-constraint>
>
> Also I noticed that even if I rename the towl application to ROOT, when i
> call the url with https://example.lbg.com/towl --> this towl directory is
> getting created under webapps by default
>
> 5) Restarted Tomcat and I have the below error, and all the URLs have the
> same issue
>
> Message org.apache.jasper.JasperException:
> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
>
> Description The server encountered an unexpected condition that prevented
> it from fulfilling the request.
>
> Exception
>
> org.apache.jasper.JasperException: org.apache.jasper.JasperException:
> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
>
> org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:578)
>
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
> jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>
> On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Lavanya,
>>
>> On 5/9/24 13:48, lavanya tech wrote:
>> > Thank you so much for your explanation. I will try these options.
>> >
>> > Do server and example both resolve to the same IP?
>> >          -yes
>>
>> Good, that significantly reduces the complexity required, since you can
>> do it with a single process (Tomcat) in a single environment.
>>
>> > So I need follow both 4a/b and 5a/b steps here or any of them ?
>> >
>> > If I setup exactly by using below steps , then I should access both the
>> > urls right ? https://server.lbg.com:8443/towl and
>> https://example.lbg.com
>>
>> If you visit either hostname with /towl, you will be redirected to
>> example.lbg.com/ with no port number. example:8443 will still work and
>> no redirect will take place... unless you specifically make arrangements
>> for that. We can do that later if you really want to.
>>
>> Let's get the other things working, first.
>>
>> -chris
>>
>> > On Thursday, May 9, 2024, Christopher Schultz <
>> ch...@christopherschultz.net>
>> > wrote:
>> >
>> >> Lavanya,
>> >>
>> >> On 5/9/24 02:58, lavanya tech wrote:
>> >>
>> >>> Just giving background again of this topic again.
>> >>>
>> >>> 1) The application team who is working they wanted to access the url
>> >>> https://server.lbg.com:8443/towl —> which should redirect or point to
>> >>> https://example.lbg.com
>> >>>
>> >>> Is that a typo? You want specifically https://server.lbg.com/towl and
>> >>> https://example.lbg.com/ to point to your application?
>> >>>                 — It’s not a typo; the requirements are still the
>> same.
>> >>>
>> >>
>> >> Okay.
>> >>
>> >> Do server and example both resolve to the same IP?
>> >>
>> >> 2) Hence I added firewall rule to redirect port 443 to 8443. And the
>> url
>> >>> https://example.lbg.com started working but its pointing to
>> >>> https://server.lbg.com:8443 indeed and not
>> https://server.lbg.com:8443/to
>> >>> wl
>> >>>
>> >>> But then they wanted the point 1 to have it. If I understood
>> correctly. So
>> >>> basically to achieve this we wanted a reverse proxy setup ?
>> >>>
>> >>> I did not define any additional host in the server.xml file; I just left
>> >>> it defaulting to localhost.
>> >>>
>> >>
>> >> Here's what you have to do in order to support this odd configuration.
>> >>
>> >> 1. Configure your firewall to route port 443 -> 8443. I suspect this is
>> >> already done.
>> >>
>> >> 2. Deploy Tomcat on server.lbg.com with a <Connector> on port 8443.
>> This
>> >> is the default, so there shouldn't be anything to do. I suspect this is
>> >> already done. You should set proxyPort="443" and proxyName="
>> >> example.lbg.com" in your <Connector>. This will ensure that any URLs
>> >> generated by Tomcat or your application will point to
>> >> https://example.lbg.com/ and not to server.lbg.com or have a port
>> number
>> >> or whatever.
>> >>
>> >> 3. Re-name your application directory or WAR file from towl -> ROOT
>> (upper
>> >> case is important). So if you have tomcat/webapps/towl re-name that to
>> >> tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name
>> that to
>> >> tomcat/webapps/ROOT.war.
>> >>
>> >> The last thing to do is get /towl to re-direct to /. There are a few
>> ways
>> >> of doing that.
>> >>
>> >> 4a. Configure your application (now called ROOT and deployed on / and
>> not
>> >> /towl anymore) to handle the /towl URL and specifically redirect this
>> back
>> >> to /. This is oddly specific and has the application trying to
>> redirect to
>> >> itself which is weird.
>> >>
>> >> 4b. Create a new application called towl or towl.war which will be
>> >> deployed on /towl and have THAT redirect to /. I think this is cleaner
>> >> because you can call the application anything you'd like and it will
>> still
>> >> work. You don't have to match URL patterns yourself, you just re-name
>> the
>> >> WAR file if you suddenly want to use /towl2 instead of /towl.
>> >>
>> >> There are several ways to redirect.
>> >>
>> >> 5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A few
>> >> notes: (1) the (*) means "capture this string" and \1 means "put the
>> string
>> >> back. This allows you to redirect /towl/foo/bar to /foo/bar instead of
>> >> losing the /foo/bar. This syntax may not be perfect, adapt it to your
>> >> needs. (2) Remember that the towl application is deployed on /towl so
>> you
>> >> don't want to redirect /towl/foo/bar you only want redirect /foo/bar
>> since
>> >> the URL will be relative to the current context (/towl). Got that?
>> Finally,
>> >> (3) you need to use a global redirect that does *NOT* redirect back to
>> the
>> >> /towl application. Normally, if you redirect to /foo you'll get an
>> >> application-relative redirect from something like a rewrite
>> >> valve/filter/whatever. Take care to redirect relative to the SERVER
>> and not
>> >> to the application.
>> >>
>> >> 5b. Write your own servlet to do a specific redirect.
>> >>
>> >> I hope that helps,
>> >> -chris
>> >>
>> >> On Wednesday, May 8, 2024, Christopher Schultz <
>> >>> ch...@christopherschultz.net>
>> >>> wrote:
>> >>>
>> >>> Lavanya,
>> >>>>
>> >>>> On 5/8/24 06:48, lavanya tech wrote:
>> >>>>
>> >>>> I figured out how I can it make it work with 443. Now the URls are
>> >>>>> working.
>> >>>>> I added iptables route 443 to 8443 and it started working.
>> >>>>>
>> >>>>> nslookup example.lbg.com
>> >>>>>
>> >>>>> Non-authoritative answer:
>> >>>>> Name:    server.lbg.com
>> >>>>> Address:  192.168.200.105
>> >>>>> Aliases:  example.lbg.com
>> >>>>>
>> >>>>>
>> >>>>> I have some application towl running with apache tomcat. I have the
>> >>>>> below
>> >>>>> URLs working.
>> >>>>>
>> >>>>> https://server.lbg.com:8443/towl
>> >>>>> https://server.lbg.com
>> >>>>> https://example.lbg.com
>> >>>>> https://example.lbg.com/towl
>> >>>>>
>> >>>>>
>> >>>>> Now i wanted to disable the url https://example.lbg.com/towl and
>> >>>>> https://server.lbg.com and access only the other remaining two.
>> >>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>>
>> >>>> I would *highly* recommend that you pick either /towl or / and not
>> try to
>> >>>> do both, unless you want to deploy the application twice (which is
>> fine,
>> >>>> just deploy towl.war and ROOT.war as copies of each other). If you
>> try to
>> >>>> re-write /towl to / or / to /towl, you'll find you spend the rest of
>> your
>> >>>> days tracking-down edge-cases and "fixing" them -- likely making
>> things
>> >>>> confusing and, probably, worse.
>> >>>>
>> >>>> In the end our goal is to make sure that the links are not always dead as
>> >>>> soon
>> >>>>
>> >>>>> as the towl is moved to a new machine. Can you please assist me how to do
>> >>>>> that?
>> >>>>>
>> >>>>>
>> >>>> The goal should be that "moving" the application only means changing
>> DNS
>> >>>> and everything else works as expected.
>> >>>>
>> >>>> If you:
>> >>>>
>> >>>> 1. Deploy the application with a single context (e.g. /towl, which I
>> >>>> recommend)
>> >>>>
>> >>>> 2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT
>> >>>> application that does nothing but redirect ; my personal preference)
>> >>>>
>> >>>> 3. Do not define any <Host> other than "localhost" and make it the
>> >>>> default. Do not bother with any <Alias> elements since they are not
>> >>>> necessary.
>> >>>>
>> >>>> Moving the application should only require that you:
>> >>>>
>> >>>> 4. Deploy the same application with the same configuration in the new
>> >>>> location
>> >>>>
>> >>>> 5. Change DNS to point example.lbg.com and server.lbg.com to the new
>> >>>> location of the service
>> >>>>
>> >>>> Hope that helps,
>> >>>> -chris
>> >>>>
>> >>>> On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <
>> >>>> ch...@christopherschultz.net> wrote:
>> >>>>
>> >>>> Lavanya,
>> >>>>
>> >>>> On 4/30/24 07:10, lavanya tech wrote:
>> >>>>
>> >>>> Can you tell me how to do the below ? How should I setup Tomcat in
>> >>>> server.xml ?
>> >>>>
>> >>>>
>> >>>> If you want to use port 443 (the default port for HTTPS) then you
>> will
>> >>>> need to change Tomcat to bind to port 443 (if that's allowed on your
>> OS)
>> >>>> or arrange to have port 443 routed to port 8443. You may need
>> additional
>> >>>> configuration in Tomcat (specifically: proxyPort) to avoid having
>> Tomcat
>> >>>> generate URLs with ":8443" in them.
>> >>>>
>> >>>> Looking forward to your reply.
>> >>>>
>> >>>>
>> >>>> If Tomcat is listening on port 8443 then you will need to include
>> that
>> >>>> in your URL, period. If you want to allow URLs without a port number,
>> >>>> you will have to arrange to have something listening on port 443.
>> >>>>
>> >>>> On Windows, Tomcat can listen directly on port 443. On UNIX and
>> >>>> UNIX-like systems, you won't be able to do this without running
>> Tomcat
>> >>>> as root WHICH YOU ABSOLUTELY SHOULD NOT DO.
>> >>>>
>> >>>> There are other ways to get port 443 working, but I'll need to know
>> more
>> >>>> about your environment. The port issue is "easier" than figuring out
>> >>>> whatever is going on with your DNS, aliases, etc. so I would
>> recommend
>> >>>> we fix one thing at a time.
>> >>>>
>> >>>> -chris
>> >>>>
>> >>>> On Mon, Apr 29, 2024 at 2:03 PM lavanya tech <
>> lavanyatech...@gmail.com>
>> >>>> wrote:
>> >>>>
>> >>>> Hi Chris,
>> >>>>
>> >>>> There is no issues with browser, because I tested with different
>> >>>>
>> >>>> browsers
>> >>>>
>> >>>> and it all works fine. I am sure that there is no issue with the
>> >>>> certificate.
>> >>>>      Because I was able to establish successful connections with port
>> >>>>
>> >>>> 8443, it
>> >>>>
>> >>>> just does not work without the port
>> >>>>
>> >>>>      curl  https://example.lbg.com/towl
>> >>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
>> >>>> curl: (56) Received HTTP code 504 from proxy after CONNECT
>> >>>>
>> >>>>
>> >>>> If you want to use port 443 (the default port for HTTPS) then you
>> will
>> >>>> need to change Tomcat to bind to port 443 (if that's allowed on your
>> OS)
>> >>>> or arrange to have port 443 routed to port 8443. You may need
>> additional
>> >>>> configuration in Tomcat (specifically: proxyPort) to avoid having
>> Tomcat
>> >>>> generate URLs with ":8443" in them.
>> >>>>
>> >>>> <Connector port="443" protocol="HTTP/1.1"
>> >>>>                connectionTimeout="20000"
>> >>>>                redirectPort="8443"
>> >>>>                maxThreads="150"
>> >>>>                scheme="https" secure="true" SSLEnabled="true"
>> >>>>                keystoreFile="path_to_your_keystore_file"
>> >>>>                keystorePass="your_keystore_password"
>> >>>>                keystoreType="PKCS12"
>> >>>>                clientAuth="false" sslProtocol="TLS"
>> >>>>                proxyPort="443"/>
>> >>>>
>> >>>> Should I use a connector port like the above? But you mentioned before we
>> >>>> don't need any configuration changes. Please clarify, I am not able to
>> >>>>
>> >>>> figure
>> >>>>
>> >>>> this out and I have this issue many days pending. How to make it work
>> >>>>
>> >>>> with
>> >>>>
>> >>>> port 8443 and without the port
>> >>>>
>> >>>> Also I wanted to use weburl with alias name permanently instead of
>> the
>> >>>> hostname. How can I achieve both
>> >>>>
>> >>>> Thanks,
>> >>>> Lavanya
>> >>>>
>> >>>>
>> >>>>       -->
>> >>>>
>> >>>>
>> >>>> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
>> >>>> ch...@christopherschultz.net> wrote:
>> >>>>
>> >>>> Lavanya,
>> >>>>
>> >>>> On 4/25/24 07:24, lavanya tech wrote:
>> >>>>
>> >>>> Hi Chris,
>> >>>>
>> >>>> One question / doubt:
>> >>>>
>> >>>> As I mentioned earlier, the below URLS already working in the browser
>> >>>>
>> >>>> https://server.lbg.com:8443/towl
>> >>>> https://example.lbg.com:8443/towl -> redirect ( which means when I
>> >>>>
>> >>>> hit in
>> >>>>
>> >>>> browser) it points to https://server.lbg.com:8443/towl ---> To be
>> >>>>
>> >>>> frank,
>> >>>>
>> >>>> even I do not need a redirect here; not sure why it redirects.
>> >>>>
>> >>>> My question is why it's working even though SAN is not registered with
>> >>>>
>> >>>> the
>> >>>>
>> >>>> certificate? It does not even throw a warning in the browser.
>> >>>>
>> >>>>
>> >>>> I'm not sure. Is it possible you have dismissed this error in the
>> past
>> >>>> and the browser is remembering that? Try this with a different web
>> >>>> browser or maybe with curl from the command-line to see what happens.
>> >>>>
>> >>>> Why https://server.lbg.com/towl or https://example.lbg.com/towl -->
>> >>>>
>> >>>> How it
>> >>>>
>> >>>> should work with New SAN certificate ?
>> >>>>
>> >>>>
>> >>>> You don't need to worry about the port number or application name,
>> only
>> >>>> the hostname is a part of the SAN.
>> >>>>
>> >>>> -chris
>> >>>>
>> >>>> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech <
>> >>>>
>> >>>> lavanyatech...@gmail.com
>> >>>>
>> >>>>
>> >>>> wrote:
>> >>>>
>> >>>> Hi Chris,
>> >>>>
>> >>>>
>> >>>> Thanks I will request new certificate with SANs and I will try to fix
>> >>>>
>> >>>> the
>> >>>>
>> >>>> things from our end.
>> >>>>
>> >>>> Best Regards,
>> >>>> Lavanya
>> >>>>
>> >>>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
>> >>>> ch...@christopherschultz.net> wrote:
>> >>>>
>> >>>> Lavanya,
>> >>>>
>> >>>> On 4/24/24 15:39, lavanya tech wrote:
>> >>>>
>> >>>> Local host means the machine i am logged in to server.lbg.com
>> >>>>
>> >>>> You are right, example.lbg.com is CNAME record.
>> >>>>
>> >>>>
>> >>>> Okay, thanks for clearing that up.
>> >>>>
>> >>>> I don't have any SAN configured for the certificate. The certificate
>> >>>>
>> >>>> is
>> >>>>
>> >>>> requested for only server.lbg.com
>> >>>>
>> >>>>
>> >>>> You will never be able to make a secure request to anything other
>> >>>>
>> >>>> than
>> >>>>
>> >>>> server.lbg.com without seeing an error. I highly recommend adding
>> >>>>
>> >>>> the
>> >>>>
>> >>>> other hostname as a SAN to your certificate if you really want to
>> >>>> support this.
>> >>>>
>> >>>> Even if you wanted https://example.lbg.com/whatever to return an
>> >>>>
>> >>>> HTTP
>> >>>>
>> >>>> 302 redirect to https://server.lbg.com/whatever, the user would
>> >>>>
>> >>>> see a
>> >>>>
>> >>>> certificate hostname mismatch error which is ugly. It's best to make
>> >>>>
>> >>>> it
>> >>>>
>> >>>> work without users seeing ugly things.
>> >>>>
>> >>>> So if i just request new certificate with SAN it should work ? If
>> >>>>
>> >>>> yes, I
>> >>>>
>> >>>> will request for it and follow your steps as below suggested.
>> >>>>
>> >>>>
>> >>>> Yes, it should.
>> >>>>
>> >>>> Should I use a CNAME record or DNS? Does it make a difference?
>> >>>>
>> >>>>
>> >>>> CNAME *is* DNS.
>> >>>>
>> >>>> Whenever possible, use hostnames and not IP addresses as SANs. It's
>> >>>>
>> >>>> more
>> >>>>
>> >>>> flexible that way, and users get to see hostnames instead of IP
>> >>>>
>> >>>> addresses.
>> >>>>
>> >>>>
>> >>>> -chris
>> >>>>
>> >>>> On Wednesday, April 24, 2024, Christopher Schultz <
>> >>>> ch...@christopherschultz.net> wrote:
>> >>>>
>> >>>> Lavanya,
>> >>>>
>> >>>> On 4/24/24 07:37, lavanya tech wrote:
>> >>>>
>> >>>> Sorry I understood wrongly here with regards to my environment,
>> >>>>
>> >>>> Let me
>> >>>>
>> >>>> start from the beginning. I do not want to use redirect at all. I
>> >>>>
>> >>>> simply
>> >>>>
>> >>>> wanted to force apache tomcat to use both localhost and dns name
>> >>>>
>> >>>> of
>> >>>>
>> >>>> the
>> >>>>
>> >>>> localhost via url.
>> >>>>
>> >>>>
>> >>>> When you say "force" what do you mean?
>> >>>>
>> >>>> When you say "use both localhost and DNS name" what do you mean?
>> >>>>
>> >>>> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
>> >>>> logged-into right now"?
>> >>>>
>> >>>> I have DNS resolution as below.
>> >>>>
>> >>>>
>> >>>> server.lbg.com --> localhost
>> >>>>
>> >>>>
>> >>>> Is that a CNAME record?
>> >>>>
>> >>>> nslookup server.lbg.com (localhost)
>> >>>>
>> >>>> Name:    server.lbg.com
>> >>>> Address:  192.168.100.20
>> >>>> alias: example.lbg.com
>> >>>>
>> >>>>
>> >>>> That's a weird DNS response. The DNS name "localhost" should
>> >>>>
>> >>>> *always*
>> >>>>
>> >>>> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
>> >>>> 191.168.100.20.
>> >>>>
>> >>>> We have working the below urls working:
>> >>>>
>> >>>> https://server.lbg.com:8443/towl
>> >>>> https://example.lbg.com:8443/towl --> redirects to
>> >>>>
>> >>>>
>> >>>> What do you mean "redirect"? Does it return a 30x response that
>> >>>>
>> >>>> causes
>> >>>>
>> >>>> the
>> >>>>
>> >>>> browser to make a new request to \/
>> >>>>
>> >>>> https://server.lbg.com:8443/towl  --> still works --> we have SSL
>> >>>>
>> >>>> configured for the same but this SSL certificate does not have
>> >>>>
>> >>>> additional
>> >>>>
>> >>>> DNS setup.
>> >>>>
>> >>>>
>> >>>> What SANs are in your certificate? How many certificates do you
>> >>>>
>> >>>> have?
>> >>>>
>> >>>>
>> >>>> But I would need to somehow access https://example.lbg.com -->
>> >>>>
>> >>>> which
>> >>>>
>> >>>> means
>> >>>> I would need to access via 443 here ?
>> >>>>
>> >>>>
>> >>>> I'm so confused. What needs to access what?
>> >>>>
>> >>>> I tried adding the below to server.xml, but that does not seem to work.
>> >>>>
>> >>>>            <Connector port="80"
>> >>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >>>>                   connectionTimeout="20000"
>> >>>>                   redirectPort="443" />
>> >>>>
>> >>>>
>> >>>> This will only redirect (HTTP 302) requests to
>> >>>>
>> >>>> http://yourhost/anything
>> >>>>
>> >>>> to https://yourhost/anything *if the application specifically
>> >>>>
>> >>>> requests
>> >>>>
>> >>>> CONFIDENTIAL transport*. It doesn't just redirect everything by
>> >>>>
>> >>>> default. If
>> >>>>
>> >>>> you want it to redirect everything, you'll need to set that up
>> >>>>
>> >>>> e.g.
>> >>>>
>> >>>> using
>> >>>>
>> >>>> RewriteValve. There are other options, too.
>> >>>>
>> >>>> Do i need additional SSL certificate for the
>> >>>>
>> >>>> https://example.lbg.com
>> >>>>
>> >>>> to
>> >>>>
>> >>>> make it work ?
>> >>>>
>> >>>>
>> >>>> If you don't want your browser to complain, you will need at least
>> >>>>
>> >>>> one
>> >>>>
>> >>>> TLS
>> >>>>
>> >>>> certificate that contains every Subject Alternative Name (SAN) for
>> >>>>
>> >>>> every
>> >>>>
>> >>>> possible hostname you expect to use with this service. You can do
>> >>>>
>> >>>> it
>> >>>>
>> >>>> with
>> >>>>
>> >>>> multiple certificates as well, but a single cert with multiple
>> >>>>
>> >>>> SANs
>> >>>>
>> >>>> is
>> >>>>
>> >>>> less
>> >>>>
>> >>>> work.
>> >>>>
>> >>>> Do i need to set up an additional web server for this like apache
>> >>>>
>> >>>> or
>> >>>>
>> >>>> nginx
>> >>>>
>> >>>> for redirecting requests?
>> >>>>
>> >>>>
>> >>>> No.
>> >>>>
>> >>>> Please stop saying "redirect" because it sounds like you almost
>> >>>>
>> >>>> never
>> >>>>
>> >>>> mean
>> >>>>
>> >>>> "HTTP 30x redirect" and that's confusing everything.
>> >>>>
>> >>>> I *think* you only need the following:
>> >>>>
>> >>>> 1. A TLS certificate with the following SANs:
>> >>>>
>> >>>>         * server.lbg.com
>> >>>>         * example.lbg.com
>> >>>>         * localhost (you shouldn't do this)
>> >>>>
>> >>>> 2. DNS configured for all hostnames:
>> >>>>
>> >>>>         * server.lbg.com -> A 192.168.100.20
>> >>>>         * example.lbg.com -> A 192.168.100.20
>> >>>>
>> >>>> 3. Tomcat configured with a single <Host> which is the default
>> >>>>
>> >>>> virtual
>> >>>>
>> >>>> host. Note that this is the *default Tomcat configuration* and
>> >>>>
>> >>>> doesn't
>> >>>>
>> >>>> need
>> >>>>
>> >>>> to be changed from the default.
>> >>>>
>> >>>> 4. Tomcat configured with your certificate like this:
>> >>>>
>> >>>>          <Connector ...
>> >>>>             SSLEnabled="true">
>> >>>>            <SSLHostConfig>
>> >>>>              <Certificate
>> >>>>                  certificateFile="/path/to/your/cert.crt"
>> >>>>                  certificateKeyFile="/path/to/your/key.pem" />
>> >>>>              <!-- You may need certificateKeyPassword in
>> >>>>
>> >>>> <Certificate>
>> >>>>
>> >>>> -->
>> >>>>
>> >>>>            </SSLHostConfig>
>> >>>>          </Connector>
>> >>>>
>> >>>> If your SANs are configured properly, this should allow you to
>> >>>>
>> >>>> connect
>> >>>>
>> >>>> using any of these URLs:
>> >>>>
>> >>>> $ curl https://server.lbg.com/towl/login.jsp
>> >>>>
>> >>>>         (returns login page)
>> >>>>
>> >>>> $ curl https://example.lbg.com/towl/login.jsp
>> >>>>
>> >>>>         (returns login page)
>> >>>>
>> >>>> If your application's web.xml contains something like this:
>> >>>>
>> >>>>         <security-constraint>
>> >>>>           <web-resource-collection>
>> >>>>             <web-resource-name>theapp</web-resource-name>
>> >>>>             <url-pattern>/*</url-pattern>
>> >>>>           </web-resource-collection>
>> >>>>           <user-data-constraint>
>> >>>>             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> >>>>           </user-data-constraint>
>> >>>>         </security-constraint>
>> >>>>
>> >>>> ... then these insecure HTTP URLs should redirect your
>> >>>>
>> >>>> clients:
>> >>>>
>> >>>>
>> >>>> $ curl http://server.lbg.com/towl/login.jsp
>> >>>>
>> >>>>         (returns HTTP 302 redirect to
>> >>>>
>> >>>> https://server.lbg.com/towl/login.jsp
>> >>>>
>> >>>> )
>> >>>>
>> >>>>
>> >>>> $ curl https://server.lbg.com/towl/login.jsp
>> >>>>
>> >>>>         (returns HTTP 302 redirect to
>> >>>>
>> >>>> https://example.lbg.com/towl/login.jsp)
>> >>>>
>> >>>>
>> >>>> I don't think you need any use of the RewriteValve unless you want
>> >>>>
>> >>>> to
>> >>>>
>> >>>> handle sending HTTP 302 redirect responses to insecure requests
>> >>>>
>> >>>> without
>> >>>>
>> >>>> specifying the CONFIDENTIAL transport-guarantee in your
>> >>>>
>> >>>> application's
>> >>>>
>> >>>> web.xml file. But I don't see any reason NOT to have that in
>> >>>>
>> >>>> there.
>> >>>>
>> >>>>
>> >>>> -chris
>> >>>>
>> >>>> On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
>> >>>>
>> >>>> ch...@christopherschultz.net> wrote:
>> >>>>
>> >>>> Lavanya,
>> >>>>
>> >>>>
>> >>>> On 4/22/24 05:21, lavanya tech wrote:
>> >>>>
>> >>>> Could you please explain, what you exactly mean ? So here
>> >>>>
>> >>>> redirect
>> >>>>
>> >>>> is
>> >>>>
>> >>>>
>> >>>> not a
>> >>>>
>> >>>> solution right ?
>> >>>>
>> >>>>
>> >>>> Redirecting is fine.
>> >>>>
>> >>>> Perhaps you should take a step back and decide: what do you
>> >>>>
>> >>>> actually
>> >>>>
>> >>>> want, here? You might be trying to solve problem X by applying
>> >>>>
>> >>>> solution
>> >>>>
>> >>>> Y, and you've already decided that solution Y is correct so you
>> >>>>
>> >>>> are
>> >>>>
>> >>>> trying to get help with that.
>> >>>>
>> >>>> Perhaps ask for help with Problem X?
>> >>>>
>> >>>> For example, "I don't want users to have to type the name of my
>> >>>> application to reach it so I want example.com/ to go to my
>> >>>>
>> >>>> application
>> >>>>
>> >>>> instead of example.com/myapp/".
>> >>>>
>> >>>> Or, "I have multiple domains and I want all of them to redirect
>> >>>>
>> >>>> to
>> >>>>
>> >>>> the
>> >>>>
>> >>>> canonical domain example.com and to go to my web application
>> >>>>
>> >>>> /myapp
>> >>>>
>> >>>> so
>> >>>>
>> >>>> everything goes to example.com/myapp/".
>> >>>>
>> >>>> "You'd have to use a glob/regex if
>> >>>>
>> >>>> you wanted to check for [anything and maybe nothing.]
>> >>>>
>> >>>> example.com
>> >>>>
>> >>>> ."
>> >>>>
>> >>>>
>> >>>>
>> >>>> There is nothing in your configuration or question that suggests
>> >>>>
>> >>>> that
>> >>>>
>> >>>> the hostname in the request is relevant, but you are making it a
>> >>>> *requirement* that the request contains a specific Host header.
>> >>>>
>> >>>> IF
>> >>>>
>> >>>> you
>> >>>>
>> >>>> don't actually need that, why do you have it?
>> >>>>
>> >>>> -chris
>> >>>>
>> >>>> On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <
>> >>>>
>> >>>> ch...@christopherschultz.net> wrote:
>> >>>>
>> >>>> Ammu,
>> >>>>
>> >>>>
>> >>>> On 4/19/24 08:32, lavanya tech wrote:
>> >>>>
>> >>>> Thank you very much. I removed <Host> for example.com as
>> >>>>
>> >>>> well
>> >>>>
>> >>>> as
>> >>>>
>> >>>>
>> >>>> adding
>> >>>>
>> >>>>
>> >>>> an
>> >>>>
>> >>>>
>> >>>> <Alias> in server.xml
>> >>>> I copied context.xml file
>> >>>>
>> >>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
>> >>>>
>> >>>> Removed < in rewrite.config files.
>> >>>>
>> >>>> But still I don't redirect the URL.
>> >>>>
>> >>>>
>> >>>> If you have <Context> in server.xml and also your application
>> >>>>
>> >>>> in
>> >>>>
>> >>>> the
>> >>>>
>> >>>> webapps/ directory, then you will be double-deploying your
>> >>>>
>> >>>> application.
>> >>>>
>> >>>>
>> >>>> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
>> >>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are
>> >>>> important)
>> >>>> and remove the <Context> element from your server.xml.
>> >>>>
>> >>>> Then start your server and read the logs.
>> >>>>
>> >>>> nslookup alias.example.com gives:
>> >>>>
>> >>>> Non-authoritative answer:
>> >>>> Name:     www.example.com
>> >>>> Address:  192.168.200.10
>> >>>> Aliases:  alias.example.com
>> >>>>
>> >>>> Just to give some information here, www.example.com has alias "alias.example.com"
>> >>>> But https://www.example.com:7777/example --> works fine with
>> >>>>
>> >>>> out
>> >>>>
>> >>>>
>> >>>> issues
>> >>>>
>> >>>>
>> >>>> but
>> >>>>
>> >>>>
>> >>>> the alias does not work (https://alias.example.com)
>> >>>> So I am not sure if the redirect URL helps or if it's correct
>> >>>>
>> >>>>
>> >>>> Your rewrite configuration says that you have to be using host
>> >>>> "example.com" but your request goes to www.example.com. Your
>> >>>> configuration should only redirect a request such as:
>> >>>>
>> >>>> $ curl -v http://example.com:7777/something
>> >>>>
>> >>>> HTTP/1.1 301 Moved Permanently
>> >>>> ...
>> >>>> Location: https://www.example.com:7777/example
>> >>>>
>> >>>> If you make a request like:
>> >>>>
>> >>>> $ curl -v http://www.example.com:7777/something
>> >>>>
>> >>>> I wouldn't expect a redirect because of your "host" condition.
>> >>>>
>> >>>> The
>> >>>>
>> >>>> "%{HTTP_HOST} example.com" looks at the entire Host header
>> >>>>
>> >>>> and
>> >>>>
>> >>>> not
>> >>>>
>> >>>> just
>> >>>> anything that ends in "example.com". You'd have to use a
>> >>>>
>> >>>> glob/regex if
>> >>>>
>> >>>> you wanted to check for [anything and maybe nothing.]
>> >>>>
>> >>>> example.com.
>> >>>>
>> >>>>
>> >>>> You'd also have to make sure that your application is serving
>> >>>>
>> >>>> responses
>> >>>>
>> >>>> to requests to / which is why I'm recommending you use the
>> >>>>
>> >>>> ROOT
>> >>>>
>> >>>> web
>> >>>>
>> >>>> application name instead of "towl".
>> >>>>
>> >>>> -chris
>> >>>>
>> >>>> On Fri, Apr 19, 2024 at 1:21 PM Christopher Schultz <
>> >>>>
>> >>>> ch...@christopherschultz.net> wrote:
>> >>>>
>> >>>> Ammu,
>> >>>>
>> >>>>
>> >>>> On 4/18/24 09:34, lavanya tech wrote:
>> >>>>
>> >>>> I am attaching server.xml and context.xml and
>> >>>>
>> >>>> rewrite.config
>> >>>>
>> >>>> files.
>> >>>>
>> >>>> The paths are
>> >>>>
>> >>>> /git/app/apache-tomcat-10.1.11/webapps/towl/context.xml
>> >>>> <Context>
>> >>>>               <Valve
>> >>>>
>> >>>> className="org.apache.catalina.valves.rewrite.RewriteValve"
>> >>>>
>> >>>>
>> >>>> />
>> >>>>
>> >>>>
>> >>>>               <!-- Other context configuration -->
>> >>>> </Context>
>> >>>>
>> >>>>
>> >>>> This file ^^^ is in the wrong place. It should be in
>> >>>>
>> >>>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
>> >>>>
>> >>>>
>> >>>>
>> >>>> /git/app/apache-tomcat-10.1.11/webapps/towl/WEB-INF/rewrite.config
>> >>>>
>> >>>>
>> >>>> <RewriteCond %{HTTP_HOST} example.com [NC]
>> >>>> <RewriteRule ^/(.*)$ https://www.example.com:7777/example
>> >>>>
>> >>>> [R=301,L]
>> >>>>
>> >>>>
>> >>>>
>> >>>> Why do you have < symbols at the beginning of these lines?
>> >>>>
>> >>>> server.xml
>> >>>>
>> >>>>
>> >>>>           > [...]
>> >>>>
>> >>>>
>> >>>>
>> >>>>                 <Host name="example.com" appBase="webapps"
>> >>>>
>> >>>> unpackWARs="true"
>> >>>>
>> >>>>
>> >>>> autoDeploy="true">
>> >>>>
>> >>>>                     <Context path="" docBase="towl" />
>> >>>>
>> >>>>
>> >>>> It's best not to define any <Context> in server.xml. I would
>> >>>>
>> >>>> remove
>> >>>>
>> >>>>
>> >>>> this
>> >>>>
>> >>>>
>> >>>> <Context> entirely and allow Tomcat to auto-deploy from your
>> >>>>
>> >>>> webapps/towl directory. If you need this application to be
>> >>>>
>> >>>> deployed
>> >>>>
>> >>>> as
>> >>>> the ROOT context (on / and not /towl) then you should
>> >>>>
>> >>>> re-name
>> >>>>
>> >>>> /git/app/apache-tomcat-10.1.11/webapps/towl to
>> >>>> /git/app/apache-tomcat-10.1.11/webapps/ROOT
>> >>>>
>> >>>> You also don't need a <Host> for example.com as well as
>> >>>>
>> >>>> adding
>> >>>>
>> >>>> an
>> >>>>
>> >>>> <Alias> for the same domain (though this is probably to
>> >>>>
>> >>>> anonymize the
>> >>>>
>> >>>>
>> >>>>
>> >>>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> >> For additional commands, e-mail: users-h...@tomcat.apache.org
>> >>
>> >>
>> >
>>
>>
>>
