tomcat-users mailing list archives

From "Jaakko Taipale" <jaakko.taip...@dbmanager.fi>
Subject VS: Tomcat configuration with multiple services
Date Wed, 04 Feb 2009 11:15:35 GMT
Thanks for the advice, the <transport-guarantee> 'tip' was exactly what I need. I
now have the following configuration:

server.xml:
 <Service name="Catalina">
   <Connector port="80" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="443" />
   <Connector 
	port="443" minSpareThreads="5" maxSpareThreads="75"
	enableLookups="true" disableUploadTimeout="true" 
	acceptCount="100"  maxThreads="200"
	scheme="https" secure="true" SSLEnabled="true"
	keystoreFile="/path/keystore" keystorePass="********"
	clientAuth="false" sslProtocol="TLS"/>

   <Engine name="Catalina" defaultHost="mydomain.com">

 	<Host name="mydomain.com" appBase="httpapps"
       	unpackWARs="true" autoDeploy="true"
       	xmlValidation="false" xmlNamespaceAware="false" >
	</Host>

	 <Host name="admin.mydomain.com" appBase="adminapps"
       	unpackWARs="true" autoDeploy="true"
       	xmlValidation="false" xmlNamespaceAware="false">
	</Host>
   </Engine>
 </Service>

...and I added this to the admin application's web.xml for SSL forwarding:
	<security-constraint>
	  <web-resource-collection>
	    <web-resource-name>SLL Forwarding</web-resource-name>
	    <url-pattern>/*</url-pattern>
	  </web-resource-collection>
	  <user-data-constraint>
	    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
	  </user-data-constraint>
	</security-constraint>


The reason why I have two <Host> elements is that I have configured my
applications in different appBase directories as ROOT. That way I get the URLs:
http://mydomain.com and
https://admin.mydomain.com
I don't want to show my appName in the URL, like
http://mydomain.com/myapp and
https://admin.mydomain.com/myadminapp

Is there a better way? I know I could use the UrlRewriteFilter module, but right
now I wouldn't like to add any additional modules to my Tomcat.

--
Jaakko


-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: 3 February 2009 16:44
To: Tomcat Users List
Subject: RE: Tomcat configuration with multiple services

> From: Jaakko Taipale [mailto:jaakko.taipale@dbmanager.fi]
> Subject: VS: Tomcat configuration with multiple services
>
>    <Connector port="80" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
>         <Connector
>         port="443" minSpareThreads="5" maxSpareThreads="75"
>         enableLookups="true" disableUploadTimeout="true"
>         acceptCount="100"  maxThreads="200"
>         scheme="https" secure="true" SSLEnabled="true"
>         keystoreFile="/path/somekeystore" keystorePass="*********"
>         clientAuth="false" sslProtocol="TLS"/>

Your redirectPort should target the configured HTTPS port, not thin air.

>    <Engine name="Public" defaultHost="mydomain.com">
>         <Host name="mydomain.com" appBase="httpapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>         </Host>
>          <Host name="hastobehttps.mydomain.com" appBase="httpsapps"
>         unpackWARs="true" autoDeploy="true"
>         xmlValidation="false" xmlNamespaceAware="false">
>         </Host>
>    </Engine>

What are you trying to achieve with the two <Host> elements?

> How can I force that users use https(or prevent http) when they access 
> to hastobehttps.mydomain.com?

Read the servlet spec; use a <transport-guarantee> of CONFIDENTIAL for all
your webapps.  If you want HTTPS to be used for everything, put the
<security-constraint> element in conf/web.xml so it will be picked up by all
webapps.

 - Chuck



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
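
Added example (not part of the original messages and not Tomcat project code): a small Python check for the two points raised in this thread, namely that a plain connector's redirectPort must match an SSL-enabled connector and that web.xml must demand CONFIDENTIAL transport for /*. The function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the configurations quoted in this thread.
SERVER_BAD = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true" />
</Service></Server>"""
SERVER_GOOD = SERVER_BAD.replace('redirectPort="8443"', 'redirectPort="443"')
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL Forwarding</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint></web-app>"""

def is_tls(connector):
    return connector.get("SSLEnabled", "false").lower() == "true"

def dangling_redirects(server_xml):
    """Plain connectors whose explicit redirectPort matches no SSL-enabled connector."""
    problems = []
    for service in ET.fromstring(server_xml).iter("Service"):
        connectors = service.findall("Connector")
        tls_ports = {c.get("port") for c in connectors if is_tls(c)}
        for c in connectors:
            # AJP connectors are skipped: their redirect usually targets a front-end web server.
            if is_tls(c) or c.get("protocol", "").upper().startswith("AJP"):
                continue
            target = c.get("redirectPort")
            if target is not None and target not in tls_ports:
                problems.append((c.get("port"), target))
    return problems

def forces_https(web_xml, pattern="/*"):
    """True if a security-constraint covering `pattern` for every HTTP method
    carries a transport-guarantee of CONFIDENTIAL."""
    def texts(node, name):  # text of descendants, ignoring any XML namespace
        return [(e.text or "").strip() for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]
    for node in ET.fromstring(web_xml).iter():
        if node.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        if (pattern in texts(node, "url-pattern") and not texts(node, "http-method")
                and "CONFIDENTIAL" in texts(node, "transport-guarantee")):
            return True
    return False
```

Run against the first configuration quoted above, dangling_redirects reports the port 80 connector pointing at 8443; a constraint that lists <http-method> elements is treated as not forcing HTTPS because it leaves the other methods unconstrained.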

