2012/6/8 Assaf Urieli <assaf.uri...@gmail.com>:
> Hi all,
>
> I'm attempting to set up a multi-host system with a separate SSL
> certificate per host.
> According to the documentation, this is problematic using name-based
> virtual hosting:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
> "Finally, using name-based virtual hosts on a secured connection can be
> problematic."
>
> So, I'm trying to accomplish this via IP-based virtual hosting, using the
> useIPVHosts="true" flag.
> (Note: I've tried name-based virtual hosting with useIPVHosts="false", and
> it doesn't work either)
>
> I've gone through the full thread discussing this at:
> http://mail-archives.apache.org/mod_mbox/tomcat-users/201005.mbox/%3c4bfb9c17.20...@cox.net%3E
>
> However, I'm still not managing to access the domain2.com host via SSL (4th
> connector on list below).
>
> * Tomcat version: 6.0.24 (standalone)
> * OS: Ubuntu 10.0.4LTS
> * JVM: java 1.6.0_22 (Sun distribution)
>
> I've set up my server.xml as follows:
> <Service name="Catalina">
>   <Connector port="8080" protocol="HTTP/1.1" address="1.2.3.4"
>              useIPVHosts="false"
>              connectionTimeout="20000"
>              URIEncoding="UTF-8"
>              redirectPort="8443" />
>
>   <Connector port="8080" protocol="HTTP/1.1" address="5.6.7.8"
>              useIPVHosts="false"
>              connectionTimeout="20000"
>              URIEncoding="UTF-8"
>              redirectPort="8443" />
>
>   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>              address="1.2.3.4"
>              keystoreFile="/home/tomcat6/.keystore1" keystorePass="xxxxxx"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
>              useIPVHosts="true" />
>
>   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>              address="5.6.7.8"
>              keystoreFile="/home/tomcat6/.keystore2" keystorePass="xxxxxx"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
>              useIPVHosts="true" />
>
>   <Engine name="Catalina" defaultHost="localhost">
>     <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>            resourceName="UserDatabase"/>
>
>     <Host name="localhost" appBase="webapps"
>           unpackWARs="true" autoDeploy="true"
>           xmlValidation="false" xmlNamespaceAware="false">
>       <Alias>1.2.3.4</Alias>
>       <Alias>domain1.com</Alias>
>       <Alias>www.domain1.com</Alias>
>       <Valve className="org.apache.catalina.valves.AccessLogValve"
>              directory="/home/tomcat6/logs/domain1"
>              prefix="domain1_access_log." suffix=".log"
>              pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>     </Host>
>
>     <Host name="domain2.com" appBase="/usr/share/domain2"
>           unpackWARs="true" autoDeploy="true"
>           xmlValidation="false" xmlNamespaceAware="false">
>       <Alias>5.6.7.8</Alias>
>       <Alias>domain2.com</Alias>
>       <Alias>www.domain2.com</Alias>
>       <Context path="" docBase="."/>
>       <Valve className="org.apache.catalina.valves.AccessLogValve"
>              directory="/home/tomcat6/logs/domain2"
>              prefix="domain2_access_log." suffix=".log"
>              pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>     </Host>
>   </Engine>
> </Service>
>
> (...)
>
> When I look at the log files generated by the AccessLogValve, I'm always
> getting IP address 1.2.3.4 for the Local IP address (%A), regardless of how
> I access the websites on the browser - via HTTP or HTTPs, and via IP
> address or domain name.
>
Looking at the code, the value used for host name in IP-based virtual
hosts is ServletRequest.getLocalName(). It is not getLocalAddr() and
there is no pattern in AccessLogValve that prints it.

You can write a simple JSP page that will display its value.

Quote:
[[[
if (connector.getUseIPVHosts()) {
    serverName = req.localName();
]]]

>
> Even if I enter the IP address http://5.6.7.8 or https://5.6.7.8 in the
> browser, the access logs list 1.2.3.4 as the local IP.
>

This is odd. How is 5.6.7.8 configured at the OS level? Do you have a
separate network card for it, or is it something else?

Your connector with address="5.6.7.8" - did it start successfully and
bind to the specified address?

Tomcat itself will continue starting even if one of its connectors
fails. (There is a system property that changes this behaviour of
ignoring an error, though I do not remember whether it works in
6.0.24).

Best regards,
Konstantin Kolinko
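
Added example, not part of either message above and not Tomcat code: a Python check that models which Host each useIPVHosts="true" connector would be routed to, given the name getLocalName() returns for its address. The function route_ip_vhosts, the local_name_of callback and the constructed_names table are hypothetical; Host selection is modeled as a case-insensitive match on Host name or Alias with fallback to the Engine's defaultHost.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the server.xml quoted in the thread.
SERVER_XML = """
<Service name="Catalina">
  <Connector port="8443" address="1.2.3.4" SSLEnabled="true"
             keystoreFile="/home/tomcat6/.keystore1" useIPVHosts="true" />
  <Connector port="8443" address="5.6.7.8" SSLEnabled="true"
             keystoreFile="/home/tomcat6/.keystore2" useIPVHosts="true" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <Alias>1.2.3.4</Alias>
      <Alias>domain1.com</Alias>
    </Host>
    <Host name="domain2.com" appBase="/usr/share/domain2">
      <Alias>5.6.7.8</Alias>
      <Alias>www.domain2.com</Alias>
    </Host>
  </Engine>
</Service>
"""

def route_ip_vhosts(xml_text, local_name_of):
    """Map each useIPVHosts connector to the Host that would serve it.

    local_name_of(address) stands in for ServletRequest.getLocalName().
    Returns a list of (address, local_name, host, matched) tuples.
    """
    service = ET.fromstring(xml_text)
    engine = service.find("Engine")
    default_host = engine.get("defaultHost")
    names = {}  # lower-cased Host name or Alias -> Host name
    for host in engine.findall("Host"):
        for n in [host.get("name")] + [a.text for a in host.findall("Alias")]:
            names[n.strip().lower()] = host.get("name")
    routes = []
    for conn in service.findall("Connector"):
        addr = conn.get("address")
        if conn.get("useIPVHosts", "false").lower() != "true" or not addr:
            continue
        local = local_name_of(addr)
        host = names.get(local.lower())
        routes.append((addr, local, host or default_host, host is not None))
    return routes

# Hypothetical lookup results: 5.6.7.8 has a local name not listed as an Alias.
constructed_names = {"1.2.3.4": "1.2.3.4", "5.6.7.8": "host2.example.net"}
for route in route_ip_vhosts(SERVER_XML, lambda a: constructed_names.get(a, a)):
    print(route)
```

A route whose last field is False means the connector presents its own keystore's certificate while the defaultHost's content is served, so every name getLocalName() can return for that address needs a matching Host name or Alias.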