tomcat-users mailing list archives

From Mark Eggers <its_toas...@yahoo.com>
Subject Re: IP-based virtual hosting with useIPVHosts=true always goes to default host
Date Fri, 08 Jun 2012 17:49:07 GMT
>________________________________
> From: Konstantin Kolinko <knst.kolinko@gmail.com>
>To: Tomcat Users List <users@tomcat.apache.org> 
>Sent: Friday, June 8, 2012 3:02 AM
>Subject: Re: IP-based virtual hosting with useIPVHosts=true always goes to default host
> 
>2012/6/8 Assaf Urieli <assaf.urieli@gmail.com>:
>> Hi all,
>>
>> I'm attempting to set up a multi-host system with a separate SSL
>> certificate per host.
>> According to the documentation, this is problematic using name-based
>> virtual hosting:
>> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
>> "Finally, using name-based virtual hosts on a secured connection can be
>> problematic."
>>
>> So, I'm trying to accomplish this via IP-based virtual hosting, using the
>> useIPVHosts="true" flag.
>> (Note: I've tried name-based virtual hosting with useIPVHosts="false", and
>> it doesn't work either)
>>
>> I've gone through the full thread discussing this at:
>> http://mail-archives.apache.org/mod_mbox/tomcat-users/201005.mbox/%3C4BFB9C17.20302@cox.net%3E
>>
>> However, I'm still not managing to access the domain2.com host via SSL (4th
>> connector on list below).
>>
>> * Tomcat version: 6.0.24 (standalone)
>> * OS: Ubuntu 10.04 LTS
>> * JVM: java 1.6.0_22 (Sun distribution)
>>
>> I've set up my server.xml as follows:
>> <Service name="Catalina">
>>    <Connector port="8080" protocol="HTTP/1.1" address="1.2.3.4"
>>               useIPVHosts="false"
>>               connectionTimeout="20000"
>>               URIEncoding="UTF-8"
>>               redirectPort="8443" />
>>
>>    <Connector port="8080" protocol="HTTP/1.1" address="5.6.7.8"
>>               useIPVHosts="false"
>>               connectionTimeout="20000"
>>               URIEncoding="UTF-8"
>>               redirectPort="8443" />
>>
>>    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>               address="1.2.3.4"
>>               keystoreFile="/home/tomcat6/.keystore1" keystorePass="xxxxxx"
>>               maxThreads="150" scheme="https" secure="true"
>>               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
>>               useIPVHosts="true" />
>>
>>    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>               address="5.6.7.8"
>>               keystoreFile="/home/tomcat6/.keystore2" keystorePass="xxxxxx"
>>               maxThreads="150" scheme="https" secure="true"
>>               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
>>               useIPVHosts="true" />
>>
>>    <Engine name="Catalina" defaultHost="localhost">
>>        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>               resourceName="UserDatabase"/>
>>
>>        <Host name="localhost"  appBase="webapps"
>>              unpackWARs="true" autoDeploy="true"
>>              xmlValidation="false" xmlNamespaceAware="false">
>>            <Alias>1.2.3.4</Alias>
>>            <Alias>domain1.com</Alias>
>>            <Alias>www.domain1.com</Alias>
>>            <Valve className="org.apache.catalina.valves.AccessLogValve"
>>                   directory="/home/tomcat6/logs/domain1"
>>                   prefix="domain1_access_log." suffix=".log"
>>                   pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>>        </Host>
>>
>>        <Host name="domain2.com"  appBase="/usr/share/domain2"
>>              unpackWARs="true" autoDeploy="true"
>>              xmlValidation="false" xmlNamespaceAware="false">
>>            <Alias>5.6.7.8</Alias>
>>            <Alias>domain2.com</Alias>
>>            <Alias>www.domain2.com</Alias>
>>            <Context path="" docBase="."/>
>>            <Valve className="org.apache.catalina.valves.AccessLogValve"
>>                   directory="/home/tomcat6/logs/domain2"
>>                   prefix="domain2_access_log." suffix=".log"
>>                   pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>>        </Host>
>>    </Engine>
>> </Service>
>>
>> (...)
>>
>> When I look at the log files generated by the AccessLogValve, I'm always
>> getting IP address 1.2.3.4 for the Local IP address (%A), regardless of how
>> I access the websites on the browser - via HTTP or HTTPs, and via IP
>> address or domain name.
>>
>
>Looking at the code, the value used for host name in IP-based virtual
>hosts is ServletRequest.getLocalName(). It is not getLocalAddr() and
>there is no pattern in AccessLogValve that prints it. You can write
>simple JSP page that will display its value.
>
>Quote:
>[[[
>        if (connector.getUseIPVHosts()) {
>            serverName = req.localName();
>]]]
>
>>
>> Even if I enter the IP address http://5.6.7.8 or https://5.6.7.8 in the
>> browser, the access logs list 1.2.3.4 as the local IP.
>>
>
>This is odd.
>
>How is 5.6.7.8 configured at the OS level? Do you have a separate network
>card for it, or is it something else?

+1

I don't quite know how this works in Ubuntu, but you can set this up with RedHat releases
using one card. It's called a virtual interface, and I've tested it on both Fedora and CentOS.

There are several OS-related things you have to do.

1. Primary interface must be taken out of NetworkManager's control

NetworkManager doesn't seem to handle virtual interfaces very well.

2. Primary interface must be static.

This won't work if the primary interface is configured via DHCP.

In /etc/sysconfig/network-scripts (on RedHat-related releases - who knows on Ubuntu):

1. Edit your primary interface (probably ifcfg-eth0) to look like the following
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
# your hardware address
HWADDR=xx:xx:xx:xx:xx:xx
TYPE=Ethernet
# your network mask
NETMASK=255.255.255.0
# your IP address
IPADDR=192.168.6.yyy
# your gateway
GATEWAY=192.168.6.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
NM_CONTROLLED=no

2. Create a new file and call it ifcfg-eth0:0

Basically, take whatever your primary interface is, and add :0 to it.

The contents of that file would then be:

# yes - the :0 is here
DEVICE=eth0:0
BOOTPROTO=static
ONPARENT=yes
TYPE=Ethernet
# your network mask
NETMASK=255.255.255.0
# your IP address - different than above
IPADDR=192.168.6.zzz
# your gateway
GATEWAY=192.168.6.1
USERCTL=no
IPV6INIT=no
PEERDNS=yes
NM_CONTROLLED=no

Some things to note. Since you are using the same physical interface for both addresses, they
should be on the same subnet unless you're using VLANs. If you are, then things get a bit
more complicated (routes, 802.1Q memberships, etc.)

If you want to add a third interface (second virtual interface), create another file with
:1 ending.

Now that the interfaces are defined, you should be able to do as root:

service network restart

and see all of the interfaces come up (if you have things configured correctly).

Finally, add the new addresses and host names to /etc/hosts, and bind Tomcat to multiple IP
addresses by using multiple connectors in server.xml (as you have done).

Hopefully this will get you running.

A completely different solution involving named virtual hosts and SAN certificates in Apache
HTTPD is also possible. I use this second approach in production and it seems to work well.
I actually use a mix of named virtual hosts with a SAN certificate and IP virtual hosts with
a separate certificate all running out of one Apache HTTPD and then connected to multiple
Tomcats via mod_jk . . .

Yes, it's a rat's nest, but a well-documented rat's nest.

. . . . just my two cents.
/mde/

>
>Your connector with address="5.6.7.8" - did it start successfully and
>did it bind to the specified address? Tomcat itself will continue
>starting even if one of its connectors fails. (There is a system
>property that changes this behaviour of ignoring an error, though I do
>not remember whether it works in 6.0.24).
>
>Best regards,
>Konstantin Kolinko
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org

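Two of the checks raised in this thread, written up as an added example (it is not code from Mark, Konstantin or Assaf): Mark's "see all of the interfaces come up" after the ifcfg-eth0:0 step, and Konstantin's closing question of whether the connector bound to 5.6.7.8 actually started, given that Tomcat keeps starting when one connector fails to bind. The script assumes iproute's `ip`, `netstat` (or `ss`, which prints the same `ADDR:PORT` token) and `openssl` are on the PATH. The `ip -4 -o addr` and `netstat -tln` output embedded in it is constructed for the example, not captured from a real host, and deliberately omits a listener on 5.6.7.8:8443 so the "connector silently failed to bind" case is exercised.

```shell
#!/bin/sh
# Added example for this thread (not from any of the posters): verify that the
# second address is really configured on the box and that the Tomcat connector
# bound to it is really listening, before debugging name/IP virtual hosts.
# Assumes iproute's `ip`, `netstat` (or `ss`, same token format) and `openssl`.
set -eu

# Escape the dots of a dotted-quad so it can be used as a literal in an ERE.
ip_re() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# addr_configured ADDR   reads `ip -4 -o addr` output on stdin; succeeds if
# ADDR is assigned to some interface (primary or an eth0:0-style alias).
addr_configured() {
  grep -Eq "inet $(ip_re "$1")/"
}

# listening_on ADDR PORT   reads `netstat -tln` (or `ss -ltn`) output on stdin;
# succeeds if a socket is bound to exactly ADDR:PORT. A connector that failed
# to bind shows up as a missing line here while Tomcat itself keeps running.
listening_on() {
  grep -Eq "[[:space:]]$(ip_re "$1"):$2[[:space:]]"
}

# presented_cert_subject ADDR PORT   prints the subject of the certificate the
# server at ADDR:PORT presents, i.e. what a browser hitting that IP will see.
# (Needs network access; not exercised against the constructed sample below.)
presented_cert_subject() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# check_connector ADDR PORT   runs the live checks on this machine.
check_connector() {
  if ! ip -4 -o addr | addr_configured "$1"; then
    echo "FAIL: $1 is not configured on any interface (check ifcfg-* / ip addr)"
    return 1
  fi
  if ! netstat -tln 2>/dev/null | listening_on "$1" "$2"; then
    echo "FAIL: nothing listens on $1:$2 (look for a bind error in catalina.out)"
    return 1
  fi
  subj=$(presented_cert_subject "$1" "$2") || subj="(could not fetch certificate)"
  echo "OK: $1:$2 is bound; certificate: $subj"
}

# Constructed sample output (not captured from a real host) reflecting the
# thread's setup: both addresses are up, but only 1.2.3.4 has an 8443 listener.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 1.2.3.4/24 brd 1.2.3.255 scope global eth0
2: eth0    inet 5.6.7.8/24 brd 5.6.7.255 scope global secondary eth0:0'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 1.2.3.4:8080            0.0.0.0:*               LISTEN
tcp        0      0 5.6.7.8:8080            0.0.0.0:*               LISTEN
tcp        0      0 1.2.3.4:8443            0.0.0.0:*               LISTEN'

# sample_status ADDR PORT   same decision as check_connector, but against the
# constructed sample so it runs offline; prints ok / no-address / not-listening.
sample_status() {
  if ! printf '%s\n' "$SAMPLE_IP_ADDR" | addr_configured "$1"; then
    echo no-address
  elif ! printf '%s\n' "$SAMPLE_NETSTAT" | listening_on "$1" "$2"; then
    echo not-listening
  else
    echo ok
  fi
}

# Live use, one call per connector in server.xml, e.g.:
#   check_connector 1.2.3.4 8443; check_connector 5.6.7.8 8443
```

Against the sample, `sample_status 5.6.7.8 8443` reports `not-listening`: the address exists, but nothing is bound to it on 8443, which is exactly the situation where a browser request to https://5.6.7.8 can never reach the second SSL connector no matter how the Hosts and Aliases are arranged. On a live box the same call through `check_connector` also prints the certificate subject actually served on that IP, which is the quickest way to confirm that .keystore2 rather than .keystore1 is behind 5.6.7.8.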