tomcat-users mailing list archives

From André Warnier
Subject Re: enforcing SSL only for external clients
Date Tue, 07 Dec 2010 22:36:35 GMT
Aggarwal, Ajay wrote:
> Yes local clients are programs running on the same machine as the server and they access
> my application over the localhost IP, i.e. Whereas external clients access my application
> over external interface, i.e. public IP. And yes, this machine running the server is connected
> directly to the internet with an interface having a "public" IP.

All right then.

I'm doing a bit of guesswork here, because I have never used this myself.
And also, apart from a cryptic reference in the Connector documentation, there does not 
seem to be documentation for this.

You will probably need 2 separate <Connectors>, one for HTTP and the other for HTTPS.

You probably need to set the "useIPVHosts" attribute inside your <Connector> tags to "true". (see

This may help for the next part :
but it does not talk about "IP-based" virtual hosts, only about name-based ones, so I will continue to guess.

You will probably need to define 2 separate <Host> sections, each one with its "name" attribute set to the respective IP address which you want it to respond to.

Each one should also have its own "appBase" pointing to a distinct "webapps" directory.
And inside these 2 webapps directories, you will need a separate copy of your application.
In one you will set the configuration (in WEB-INF/web.xml) to not require SSL, and in the other to require it.

Alternatively to the above, you may find a way to achieve this by using the 
URLRewriteFilter, see

Note : that attribute "useIPVHosts" of the Connector seems to be the only place where 
IP-based V-hosts are mentioned in the online documentation.
But I found some links which may be helpful in Google when searching for :
tomcat "useIPVHosts"

> -----Original Message-----
> From: André Warnier
> Sent: Tuesday, December 07, 2010 2:27 PM
> To: Tomcat Users List
> Subject: Re: enforcing SSL only for external clients
> Aggarwal, Ajay wrote:
>> My tomcat application (running on a linux host) has 2 types of clients.
>> Local clients coming on localhost (
> that sounds strange, unless the clients are really programs running on the same machine
> the server.
>> and external clients
>> coming on external interfaces. I want to enforce use of SSL only for
>> external clients. How do I do that? If I use <security-constraint> I am
>> assuming it will apply to both local as well as external clients.
> I think you need to describe your network setup a bit more in detail.
> For example, is this machine connected directly to the Internet with an interface having
> "public" IP address, or is there something in-between ?
> Draw us a picture maybe ?
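
The layout suggested in the reply above, written out as an added configuration sketch; it is not from the thread or from the Tomcat project, and like the reply it assumes that a <Host> whose "name" is a literal IP address is matched when "useIPVHosts" is set. The address 203.0.113.10 (standing in for the public IP), the ports, the keystore settings and the appBase directory names are assumptions.

```xml
<!-- Added sketch. Placeholders: 203.0.113.10 (public IP), ports 8080/8443,
     keystore path and password, and the two appBase directory names. -->

<!-- conf/server.xml (fragment inside <Service name="Catalina">) -->
<!-- useIPVHosts="true": choose the Host by the address the request arrived on -->
<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="8443" useIPVHosts="true" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           useIPVHosts="true" />

<!-- defaultHost is the SSL-requiring Host, so a request that matches
     neither Host name falls back to the strict copy, not the open one -->
<Engine name="Catalina" defaultHost="203.0.113.10">
  <!-- Local clients: copy of the application without a transport constraint -->
  <Host name="127.0.0.1" appBase="webapps-local"
        unpackWARs="true" autoDeploy="false" />
  <!-- External clients: copy whose web.xml requires SSL -->
  <Host name="203.0.113.10" appBase="webapps-external"
        unpackWARs="true" autoDeploy="false" />
</Engine>

<!-- webapps-external/<app>/WEB-INF/web.xml (fragment inside <web-app>) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: plain-HTTP requests are redirected to redirectPort -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- The copy under webapps-local omits this <security-constraint>. -->
```

After a restart, a plain-HTTP request sent to each address shows which Host answered: the public address should return a redirect to port 8443, the loopback address should serve the page directly.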