On Mon, May 13, 2024 at 10:17 PM lavanya tech <lavanyatech...@gmail.com>
wrote:
Hi Chris,
Sorry, If I did confuse. It’s important that
https://server.lbg.com:8443/towl is always working. Goal is not to
disable /towl, but just redirect or aliasing
https//example.lbg.com/ to https://server.lbg.com:8443/towl
Thanks,
Lavanya
On Monday, May 13, 2024, Christopher Schultz <ch...@christopherschultz.net
wrote:
Lavanya,
On 5/13/24 05:57, lavanya tech wrote:
Somehow made it work now i can only access urls as you mentioned before
https://example.lbg.com and https://server.lbg.com with port 8443 and
with
out
https://example.lbg.com/towl and https://server.lbg.com/towl --> I
have an
error now File not found.
So i think we need to make work https://example.lbg.com/ to
https://server.lbg.com/towl
I'm sorry, I'm still confused as to which way you want things.
Do you want to redirect /towl -> / or do you want to redirect / - > /towl?
Or does it depend upon the hostname? It would really be better if you
could settle on one specific beahvior.
-chris
On Mon, May 13, 2024 at 9:41 AM lavanya tech <lavanyatech...@gmail.com>
wrote:
Hi Chris,
Where are you defining the RewriteValve itself?
Defined rewritevalve here
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve
className="org.apache.catalina.valves.rewrite.RewriteValve" />
resource="conf/rewrite.config" />
2) reated rewrite.config and added as below under conf/
RewriteCond %{REQUEST_URI} ^/towl/(.*)
RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml ( I
already have this mappings /* in web.xml file)
<security-constraint>
<web-resource-collection>
<web-resource-name>Logging Area</web-resource-name>
<description>
Authentication for registered users.
</description>
<url-pattern>/*</url-pattern>
<url-pattern>/api/v1/search</url-pattern> <!-- protect search
endpoint whitelisted above -->
<url-pattern>/api/v1/suggest/*</url-pattern> <!-- protect
suggest
endpoint whitelisted above -->
</web-resource-collection>
<auth-constraint>
<role-name>LDAP_USER</role-name>
<role-name>api</role-name>
</auth-constraint>
</security-constraint>
4) Restarted Tomcat, Then I cannot access
https://server.lbg.com:8443/towl
--> Have below error
Message java.nio.file.NoSuchFileException:
/git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar
Description The server encountered an unexpected condition that
prevented
it from fulfilling the request.
5) Also https://example.lbg.com doesnot work anymore
Before you do anything with redirecting, can you just make sure you are
only deploying ROOT.war and nothing else?
How can I do that. I already changed towl.war to ROOT.war
But still both the urls have error as mentioned above.
Si I revereted back the changes.
That's weird. Try stopping, deleting the work/ directory and restarting.
--> I have this wierd behavior for some reason, thoudh index.jsp is
located
no changes were made to file. After deleting cookies url works
where Am I going wrong.
Thanks,
Lavanya
On Fri, May 10, 2024 at 6:50 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 5/10/24 04:37, lavanya tech wrote:
I tried the below and have the issues.
1)proxyPort="443" and proxyName="example.lbg.com" to the connector
2) remanmed towl.war to ROOT.war
3) created rewrite.config and added as below under conf/
Where are you defining the RewriteValve itself?
RewriteCond %{REQUEST_URI} ^/towl/(.*)
RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
If this is being handled by the ROOT servlet then I think it's right.
4) added this in web.xml file of /webapps/towl/web.xml/
<!-- Servlet mappings -->
<!-- Add your existing servlet mappings here -->
<!-- Security constraint to restrict access to /towl path -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Access to
/towl</web-resource-name>
<url-pattern>/towl/*</url-pattern>
No, this is wrong. Since this is the "towl" application and not ROOT,
you want to map /* and not /towl/* because the application will never
see the /towl/ as it's an application/context prefix that Tomcat will
remove.
</web-resource-collection>
<auth-constraint>
<!-- Deny access to all roles -->
</auth-constraint>
</security-constraint>
Also I noticed that even if I rename the towl application to ROOT,
when
i
call the url with https://example.lbg.com/towl --> this towl
directory
is
getting created under webapps by default
If webapps/towl is being created, then it's happening for some other
reason. Do you have anything under conf/Catalina/*/towl.xml which
points
to a WAR file or something? If so, remove that.
5) Resarted tomcat and I have the below error and all the urls have the
same issue
Message org.apache.jasper.JasperException:
java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
That's weird. Try stopping, deleting the work/ directory and
restarting.
Description The server encountered an unexpected condition that
prevented
it from fulfilling the request.
Exception
org.apache.jasper.JasperException: org.apache.jasper.JasperException:
java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
org.apache.jasper.servlet.JspServletWrapper.handleJspException(
JspServletWrapper.java:578)
org.apache.jasper.servlet.JspServletWrapper.service(
JspServletWrapper.java:422)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
org.apache.tomcat.websocket.se
rver.WsFilter.doFilter(WsFilter.java:51)
Before you do anything with redirecting, can you just make sure you are
only deploying ROOT.war and nothing else?
This should allow you to reach the application at both
https://example.lbg.com/ and https://server.lbg.com/ as well as both
of
those with port 8443.
Then use the applications and make sure they are working as expected.
Then, we'll add the /towl handling.
-chris
On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 5/9/24 13:48, lavanya tech wrote:
Thank you so much for your explanation. I will try these options.
Do server and example both resolve to the same IP?
-yes
Good, that significantly reduces the complexity required, since you
can
do it will a single process (Tomcat) in a single environment.
So I need follow both 4a/b and 5a/b steps here or any of them ?
If I setup exactly by using below steps , then I should access both
the
urls right ? https://server.lbg.com:8443/towl and
https://example.lbg.com
If you visit either hostname with /towl, you will be redirected to
example.lbg.com/ with no port number. example:8443 will still work
and
no redirect will take place... unless you specifically make
arrangements
for that. We can do that later if you really want to.
Let's get the other things working, first.
-chris
On Thursday, May 9, 2024, Christopher Schultz <
ch...@christopherschultz.net>
wrote:
Lavanya,
On 5/9/24 02:58, lavanya tech wrote:
Just giving background again of this topic again.
1) The application team who is working they wanted to access the
url
https://server.lbg.com:8443/towl —> which should redirect or
point
to
https://example.lbg.com
Is that a typo? You want specifically https://server.lbg.com/towl
and
https://example.lbg.com/ to point to your application?
— It’s not the Typo the requirements are still
the
same.
Okay.
Do server and example both resolve to the same IP?
2) Hence I added firewall rule to redirect port 443 to 8443. And
the
url
https://example.lbg.com started working but its pointing to
https://server.lbg.com:8443 indeed and not
https://server.lbg.com:8443/to
wl
But then they wanted the point 1 to have it. If I understood
correctly. So
basically to achieve this we wanted a reverse proxy setup ?
I didnot define any additional host in server.xml file on just
left
to
default to local host.
Here's what you have to do in order to support this odd
configuration.
1. Configure your firewall to route port 443 -> 8443. I suspect
this
is
already done.
2. Deploy Tomcat on server.lbg.com with a <Connector> on port
8443.
This
is the default, so there shouldn't be anything to do. I suspect this
is
already done. You should set proxyPort="443" and proxyName="
example.lbg.com" in your <Connector>. This will ensure that any
URLs
generated by Tomcat or your application will point to
https://example.lbg.com/ and not to server.lbg.com or have a port
number
or whatever.
3. Re-name your application directory or WAR file from towl -> ROOT
(upper
case is important). So if you have tomcat/webapps/towl re-name that
to
tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name
that
to
tomcat/webapps/ROOT.war.
The last thing to do is get /towl to re-direct to /. There are a
few
ways
of doing that.
4a. Configure your application (now called ROOT and deployed on /
and
not
/towl anymore) to handle the /towl URL and specifically redirect
this
back
to /. This is oddly specific and has the application trying to
redirect
to
itself which is weird.
4b. Create a new application called towl or towl.war which will be
deployed on /towl and have THAT redirect to /. I think this is
cleaner
because you can call the application anything you'd like and it will
still
work. You don't have to match URL patterns yourself, you just
re-name
the
WAR file if you suddenly want to use /towl2 instead of /towl.
There are several ways to redirect.
5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A
few
notes: (1) the (*) means "capture this string" and \1 means "put the
string
back. This allows you to redirect /towl/foo/bar to /foo/bar instead
of
losing the /foo/bar. This syntax may not be perfect, adapt it to your
needs. (2) Remember that the towl application is deployed on /towl
so
you
don't want to redirect /towl/foo/bar you only want redirect /foo/bar
since
the URL will be relative to the current context (/towl). Got that?
Finally,
(3) you need to use a global redirect that does *NOT* redirect back
to
the
/towl application. Normally, if you redirect to /foo you'll get an
application-relative redirect from something like a rewrite
valve/filter/whatever. Take care to redirect relative to the SERVER
and
not
to the application.
5b. Write your own servlet to do a specific redirect.
I hope that helps,
-chris
On Wednesday, May 8, 2024, Christopher Schultz <
ch...@christopherschultz.net>
wrote:
Lavanya,
On 5/8/24 06:48, lavanya tech wrote:
I figured out how I can it make it work with 443. Now the URls
are
working.
I added iptables route 443 to 8443 and it started working.
nslookup example.lbg.com
Non-authoritative answer:
Name: server.lbg.com
Address: 192.168.200.105
Aliases: example.lbg.com
I have some application towl running with apache tomcat. I have
the
below
URLs working.
https://server.lbg.com:8443/towl
https://server.lbg.com
https://example.lbg.com
https://example.lbg.com/towl
Now i wanted to disable the url https://example.lbg.com/towl
and
https://server.lbg.com and access only the other remaining two.
I would *highly* recommend that you pick either /towl or / and not
try to
do both, unless you want to deploy the application twice (which is
fine,
just deploy towl.war and ROOT.war as copies of each other). If you
try to
re-write /towl to / or / to /towl, you'll find you spend the rest
of
your
days tracking-down edge-cases and "fixing" them -- likely making
things
confusing and, probably, worse.
In the end our goal to makesure that the links are not always
dead as
soon
as the towl is moved to a new machine. Can you pelase assit me
how
to do
that?
The goal should be that "moving" the application only means
changing
DNS
and everything else works as expected.
If you:
1. Deploy the application with a single context (e.g. /towl,
which
I
recommend)
2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT
application that does nothing but redirect ; my personal
preference)
3. Do not define any <Host> other than "localhost" and make it
the
default. Do not bother with any <Alias> elements since they are
not
necessary.
Moving the application should only require that you:
4. Deploy the same application with the same configuration in the
new
location
5. Change DNS to point example.lbg.com and server.lbg.com to the
new
location of the service
Hope that helps,
-chris
On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 4/30/24 07:10, lavanya tech wrote:
Can you tell me how to do the below ? How should I setup Tomcat
in
server.xml ?
If you want to use port 443 (the default port for HTTPS) then you
will
need to change Tomcat to bind to port 443 (if that's allowed on
your
OS)
or arrange to have port 443 routed to port 8443. You may need
additional
configuration in Tomcat (specifically: proxyPort) to avoid having
Tomcat
generate URLs with ":8443" in them.
Looking forward to your reply.
If Tomcat is listening on port 8443 then you will need to include
that
in your URL, period. If you want to allow URLs without a port
number,
you will have to arrange to have something listening on port 443.
On Windows, Tomcat can listen directly on port 443. On UNIX and
UNIX-like systems, you won't be able to do this without running
Tomcat
as root WHICH YOU ABSOLUTELY SHOULD NOT DO.
There are other ways to get port 443 working, but I'll need to
know
more
about your environment. The port issue is "easier" than figuring
out
whatever is going on with your DNS, aliases, etc. so I would
recommend
we fix one thing at a time.
-chris
On Mon, Apr 29, 2024 at 2:03 PM lavanya tech <
lavanyatech...@gmail.com>
wrote:
Hi Chris,
There is no issues with browser, because I tested with different
browsers
and it all works fine. I am sure that there is no issue with the
certificate.
Because I was able to establish successful connections
with
port
8443, it
just doesnot work with out port
curl https://example.lbg.com/towl
curl: (56) Received HTTP code 504 from proxy after CONNECT
curl: (56) Received HTTP code 504 from proxy after CONNECT
If you want to use port 443 (the default port for HTTPS) then you
will
need to change Tomcat to bind to port 443 (if that's allowed on
your
OS)
or arrange to have port 443 routed to port 8443. You may need
additional
configuration in Tomcat (specifically: proxyPort) to avoid having
Tomcat
generate URLs with ":8443" in them.
<Connector port="443" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
maxThreads="150"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="path_to_your_keystore_file"
keystorePass="your_keystore_password"
keystoreType="PKCS12"
clientAuth="false" sslProtocol="TLS"
proxyPort="443"/>
should i use connect port like the above ? But you mentioned
before
we
dont need any configuration changes. Please clarify I am not able
to
figure
this out and I have this issue many days pending. How to make it
work
with
port 8443 and with out port
Also I wanted to use weburl with alias name permanently instead
of
the
hostname. How can I achieve both
Thanks,
Lavanya
-->
On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 4/25/24 07:24, lavanya tech wrote:
Hi Chris,
One question / doubt:
As I mentioned earlier, the below URLS already working in the
browser
https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl -> redirect ( which means
when I
hit in
browser) it points to https://server.lbg.com:8443/towl ---> To
be
frank,
even I donot need redirect here, not sure why it redirects.
My question is why its working even though SAN is not registered
with
the
certificate ? It doesnot even throw warning in the browser.
I'm not sure. Is it possible you have dismissed this error in the
past
and the browser is remembering that? Try this with a different web
browser or maybe with curl from the command-line to see what
happens.
Why https://server.lbg.com/towl or https://example.lbg.com/towl
-->
How it
should work with New SAN certificate ?
You don't need to worry about the port number or application
name,
only
the hostname is a part of the SAN.
-chris
On Thu, Apr 25, 2024 at 10:16 AM lavanya tech <
lavanyatech...@gmail.com
wrote:
Hi Chris,
Thanks I will request new certificate with SANs and I will try to
fix
the
things from our end.
Best Regards,
Lavanya
On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 4/24/24 15:39, lavanya tech wrote:
Local host means the machine i am logged in to server.lbg.com
You are right, example.lbg.com is CNAME record.
Okay, thanks for clearing that up.
I dont have any SAN configured for the certificate. The
certificate
is
requested for only server.lbg.com
You will never be able to make a secure request to anything other
than
server.lbg.com without seeing an error. I highly recommend
adding
the
other hostname as a SAN to your certificate if you really want to
support this.
Even if you wanted https://example.lbg.com/whatever to return an
HTTP
302 redirect to https://server.lbg.com/whatever, the user would
see a
certificate hostname mismatch error which is ugly. It's best to
make
it
work without users seeing ugly things.
So if i just request new certificate with SAN it should work ? If
yes, I
will request for it and follow your steps as below suggested.
Yes, it should.
Should i use CName record or DNS? Does it make difference?
CNAME *is* DNS.
Whenever possible, use hostnames and not IP addresses as SANs.
It's
more
flexible that way, and users get to see hostnames instead of IP
addresses.
-chris
On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 4/24/24 07:37, lavanya tech wrote:
Sorry I understood wrongly here with regards to my environment,
Let me
start from the beginning. I donot want to use redirect at all. I
simply
wanted to force apache tomcat to use both localhost and dns name
of
the
localhost via url.
When you say "force" what do you mean?
When you say "use both localhost and DNS name" what do you mean?
When you say "localhost" do you mean 127.0.0.1 or "the machine
I'm
logged-into right now"?
I have DNS resollution as below.
server.lbg.com --> localhost
Is that a CNAME record?
nslookup server.lbg.com (localhost)
Name: server.lbg.com
Address: 192.168.100.20
alias: example.lbg.com
That's a weird DNS response. The DNS name "localhost" should
*always*
return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
191.168.100.20.
We have working the below urls working:
https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl --> redirects to
What do you mean "redirect"? Does it return a 30x response that
causes
the
browser to make a new request to \/
https://server.lbg.com:8443/towl --> still works --> we have
SSL
configured for the same but this SSL certificate doesnot have
additional
DNS setup.
What SANs are in your certificate? How many certificates do you
have?
But I would need to somehow access https://example.lbg.com -->
which
means
I would need to access via 443 here ?
I'm so confused. What needs to access what?
I tried to adding the below to server.xml as below, but that
doesnot
seems
to work.
<Connector port="80"
protocol="org.apache.coyote.http11.Http11NioProtocol"
connectionTimeout="20000"
redirectPort="443" />
This will only redirect (HTTP 302) requests to
http://yourhost/anything
to https://yourhost/anything *if the application specifically
requests
CONFIDENTIAL transport*. It doesn't just redirect everything by
default. If
you want it to redirect everything, you'll need to set that up
e.g.
using
RewriteValve. There are other options, too.
Do i need additional SSL certificate for the
https://example.lbg.com
to
make it work ?
If you don't want your browser to complain, you will need at
least
one
TLS
certificate that contains every Subject Alternative Name (SAN)
for
every
possible hostname you expect to use with this service. You ca do
it
with
multiple certificates as well, but a single cert with multiple
SANs
is
less
work.
Do i need to set up an additional web server for this like apache
or
nginx
for redirecting requests?
No.
Please stop saying "redirect" because it sounds like you almost
never
mean
"HTTP 30x redirect" and that's confusing everything.
I *think* you only need the following:
1. A TLS certificate with the following SANs:
* server.lbg.com
* example.lbg.com
* localhost (you shouldn't do this)
2. DNS configured for all hostnames:
* server.lbg.com -> A 192.168.100.20
* example.lgb.com -> A 192.168.100.20
3. Tomcat configured with a single <Host> which is the default
virtual
host. Note that this is the *default Tomcat configuration* and
doesn't
need
to be changed from the default.
4. Tomcat configured with your certificate like this:
<Connector ...
SSLEnabled="true">
<SSLHostConfig>
<Certificate
certificateFile="/path/to/your/cert.crt"
certificateKeyFile="/path/to/your/key.pem" />
<!-- You may need certificateKeyPassword in
<Certificate>
-->
</SSLHostConfig>
</Connector>
If your SANs are configured properly, this should allow you to
connect
using any of these URLs:
$ curl https://server.lbg.com/towl/login.jsp
(returns login page)
$ curl https://example.lbg.com/towl/login.jsp
(returns login page)
If your application's web.xml contains something like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>theapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
... then these URLs insecure HTTP URLs should redirect your
clients:
$ curl http://server.lbg.com/towl/login.jsp
(returns HTTP 302 redirect to
https://server.lbg.com/towl/login.jsp
)
$ curl https://server.lbg.com/towl/login.jsp
(returns HTTP 302 redirect to
https://example.lbg.com/towl/login.jsp)
I don't think you need any use of the RewriteValve unless you
want
to
handle sending HTTP 302 redirect responses to insecure requests
without
specifying the CONFIDENTIAL transport-guarantee in your
application's
web.xml file. But I don't see any reason NOT to have that in
there.
-chris
On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Lavanya,
On 4/22/24 05:21, lavanya tech wrote:
Could you please explain, what you exactly mean ? So here
redirect
is
not a
solution right ?
Redirecting is fine.
Perhaps you should take a step back and decide: what do you
actually
want, here? You might be trying to solve problem X by applying
solution
Y, and you've already decided that solution Y is correct so you
are
trying to get help with that.
Perhaps ask for help with Problem X?
For example, "I don't want users to have to type the name of my
application to reach it so I want example.com/ to go to my
application
instead of example.com/myapp/".
Or, "I have multiple domains and I want all of them to redirect
to
the
canonical domain example.com and to go to me web application
/myapp
so
everything goes to example.com/myapp/".
"You'd have to use a glob/regex if
you wanted to check for [anything and maybe nothing.]
example.com
."
There is nothing in your configuration or question that suggests
that
the hostname in the request is relevant, but you are making it a
*requirement* that the request contains a specific Host header.
IF
you
don't actually need that, why do you have it?
-chris
On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:
Ammu,
On 4/19/24 08:32, lavanya tech wrote:
Thank you very much. I removed <Host> for example.com as
well
as
adding
an
<Alias> in server.xml
I copied context.xml file
/git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
Removed < in rewrite.config files.
But still I dont redirect the URL.
If you have <Context> in server.xml and also your application
in
the
webapps/ directory, then you will be double-deploying your
application.
Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
/git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are
important)
and remove the <Context> element from your server.xml.
Then start your server and read the logs.
*nslookup alias.example.com <http://alias.example.com>
gives-->Non-authoritative answer:Name: www.example.com
<http://www.example.com>Address: 192.168.200.10Aliases:
alias.example.com
<http://alias.example.com>*
Just to give some information here, *www.example.com
<http://www.example.com>* has alias* "alias.example.com
<http://alias.example.com>"*
But https://www.example.com:7777/example --> works fine with
out
issues
but
the alias doesnot works (https://alias.example.com)
So i am not sure if the redirect url helps or if its correct
Your rewrite configuration says that you have to be using host
"example.com" but your request goes to www.example.com. Your
configuration should only redirect a request such as:
$ curl -v http://example.com:7777/something
HTTP/1.1 301 Moved Permanently
...
Location: https://www.example.com:7777/example
If you
