tomcat-users mailing list archives

From Mark Eggers <its_toas...@yahoo.com>
Subject Re: IP-based virtual hosting with useIPVHosts=true always goes to default host
Date Fri, 15 Jun 2012 18:06:14 GMT
Comments are embedded below with:

---- Comment ----
some stuff
---- Comment ---- 


----- Original Message -----

> From: Assaf Urieli <assaf.urieli@gmail.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Cc: 
> Sent: Friday, June 15, 2012 3:33 AM
> Subject: Re: IP-based virtual hosting with useIPVHosts=true always goes to default host
> 
> Hi Chris,
> 
>> 
>>  On 6/8/12 11:12 AM, Assaf Urieli wrote:
>>  > Ok, this is strange. I created a test.jsp page that prints
>>  > request.getLocalName(), request.getServerName(), and
>>  > request.getLocalAddr(). I tried various scenarios in the browser:
>>  > http://domain1.com, http://www.domain1.com, http://1.2.3.4,
>>  > http://domain2.com, http://www.domain2.com, http://5.6.7.8, as well
>>  > as all of the above with https.
>> 
>>  What /real/ URLs are you using to hit your server? I don't see a port
>>  number anywhere.
>> 
> 
> Sorry, I was trying to keep it generic up to now to see if I was simply
> doing something stupid, but I'll go ahead and publish my real domains/IPs.
>

---- Comment ---- 
First of all, my environment:

Fedora 15 (have to upgrade soon - EOL is at the end of this month)
JDK/JRE 1.6.0_32
Tomcat 6.0.35
Firewall off for this exercise

As I've written up previously, in order to have multiple IP addresses on a single interface
with Linux, you need to create a second (third, fourth, etc.) file with the name ifcfg-eth0:n,
where "n" starts at 0. This is assuming that your primary interface is eth0. The files will
be found in /etc/sysconfig/network-scripts.

You MUST set NM_CONTROLLED=no in each interface file, otherwise the virtual interface will
not come up.

In your /etc/hosts file, you need to have an entry for each interface. Mine looks like:

192.168.0.254 phoenix phoenix.mdeggers.org
192.168.0.253 phobos phobos.mdeggers.org

In order to access this from another machine (Windows 7), I've placed the entries in that
machine's host file.

---- Comment ----  

> So, my test page code is:
> <p>Java Version:<%= System.getProperty( "java.version" ) %>
> <p>Local name:<%= request.getLocalName() %>
> <p>Server name:<%= request.getServerName() %>
> <p>Local IP:<%= request.getLocalAddr() %>
> 

---- Comment ----  


My code is similar, except I put it in a list. I created a simple web application called WhoAmI
and dropped the WAR file into my environment. More on what my Tomcat configuration looks like
below.

On my second host (phobos.mdeggers.org), I also have a small verification application running
as ROOT. This just lets me know that a Tomcat virtual host is set up properly and working.

---- Comment ----  


> So, the addresses to test are:
> http://www.joli-ciel.com/test.jsp
> http://www.moyshele.com/test.jsp
> http://178.79.152.69/test.jsp
> http://176.58.107.88/test.jsp
> 
> And exactly the same four, but with HTTPS:
> https://www.joli-ciel.com/test.jsp
> https://www.moyshele.com/test.jsp
> https://178.79.152.69/test.jsp
> https://176.58.107.88/test.jsp
> 
> Now, every single one of these gives the exact same values for
> request.getLocalName() and request.getLocalAddr().
> request.getLocalName(): www.joli-ciel.com
> request.getLocalAddr(): 178.79.152.69
> And this is why, even when useIPVHosts=true, I always get the HTTPS
> Connector corresponding to 178.79.152.69, which gives the wrong SSL
> certificate for https://www.moyshele.com

---- Comment ----  

When I run the tests from a remote host using HTTP (didn't set up HTTPS), I get the expected
results. 

Going to phoenix.mdeggers.org:8080/WhoAmI/ produces the following:

Java version: 1.6.0_32
Local name: phoenix.mdeggers.org
Local IP: 192.168.0.254
Server name: phoenix.mdeggers.org

Going to phobos.mdeggers.org:8080/WhoAmI/ produces the following:

Java version: 1.6.0_32
Local name: phobos.mdeggers.org
Local IP: 192.168.0.253
Server name: phobos.mdeggers.org

---- Comment ----   


> 

> For info, my /etc/network/interfaces file:
> ************************************************
> auto lo
> iface lo inet loopback
> 
> auto eth0 eth0:0
> 
> iface eth0 inet static
> address 178.79.152.69
> netmask 255.255.255.0
> gateway 178.79.152.1
>         pre-up iptables-restore < /etc/iptables.conf
> 
> iface eth0:0 inet static
> address 176.58.107.88
> netmask 255.255.255.0
>         pre-up iptables-restore < /etc/iptables.conf
> ************************************************
> 

---- Comment ----   

And here's your first problem. You need to specifically state NM_CONTROLLED=no.

Also, you need to add ONPARENT=yes to the eth0:0 interface file.

I've included copies of the interface files in a previous message

---- Comment ----


> Note (in case it's relevant) that /etc/iptables.conf is mapping port 8080
> to port 80 and port 8443 to port 443 - relevant portions below:
> ************************************************
> *nat
> :PREROUTING ACCEPT [11:3512]
> :POSTROUTING ACCEPT [13:844]
> :OUTPUT ACCEPT [13:844]
> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> COMMIT
> ************************************************
> 
> My /etc/hosts file:
> ************************************************
> 127.0.0.1        localhost.localdomain  localhost
> 178.79.152.69    www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com www.aplikaterm.com joli-ciel.com bilbo
> 176.58.107.88    www.moyshele.com www.flyingpencil.com moyshele.com flyingpencil.com moyshele
> 
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> ************************************************
> 
> The relevant portions of my server.xml file:
> ************************************************
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                URIEncoding="UTF-8"
>                redirectPort="8443" />
> 

---- Comment ----   

So you're listening everywhere on port 8080? I'm not sure how this will work. I suspect that
you have a default interface and everything will come through that. Given that you're having
problems, could you add two HTTP connectors, one listening on each interface? For example,
my portion of the server.xml file looks like this:

<Connector port="8080" protocol="HTTP/1.1"
           address="192.168.0.254"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" /> 

<Connector port="8080" protocol="HTTP/1.1"
           address="192.168.0.253"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" /> 

---- Comment ----

>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                address="178.79.152.69"
>                keystoreFile="/home/tomcat6/.keystore1" keystorePass="********"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
> 
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                address="176.58.107.88"
>                keystoreFile="/home/tomcat6/.keystore2" keystorePass="********"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
> 
>     <Engine name="Catalina" defaultHost="localhost">
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <Host name="localhost" appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>             <Alias>178.79.152.69</Alias>
>             <Alias>aplikaterm.com</Alias>
>             <Alias>www.aplikaterm.com</Alias>
>             <Alias>joli-ciel.com</Alias>
>             <Alias>www.joli-ciel.com</Alias>
> 
>             <Valve className="org.apache.catalina.valves.AccessLogValve"
>                    directory="/home/tomcat6/logs/joliciel"
>                    prefix="joliciel_access_log." suffix=".log"
>                    pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>       </Host>
> 
>       <Host name="moyshele.com" appBase="/usr/share/moyshele"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>             <Alias>176.58.107.88</Alias>
>             <Alias>moyshele.com</Alias>
>             <Alias>www.moyshele.com</Alias>
>             <Context path="" docBase="."/>
>             <Valve className="org.apache.catalina.valves.AccessLogValve"
>                    directory="/home/tomcat6/logs/moyshele"
>                    prefix="moyshele_access_log." suffix=".log"
>                    pattern="%A %h %l %u %t '%r' %s %b" resolveHosts="false"/>
>       </Host>
>     </Engine>
>   </Service>
> ************************************************

---- Comment ----


My Host elements are a bit cleaner. I suggest that you make yours a bit cleaner until you
get things worked out. Here are mine:

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>phoenix.mdeggers.org</Alias>
            <Alias>192.168.0.254</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"
                   prefix="phoenix_access."
                   suffix=".log"
                   pattern="common"
                   resolveHosts="false"/>
      </Host>

      <!-- not a good place for a virtual host webapps directory -->
      <Host name="phobos" appBase="phobos/webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Alias>phobos.mdeggers.org</Alias>
            <Alias>192.168.0.253</Alias>
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"  
                   prefix="phobos_access."
                   suffix=".log"
                   pattern="common"
                   resolveHosts="false"/>
      </Host>

---- Comment ---- 

> 
> By the way, if I run netstat (with or without useIPVHosts=true), I get:
> ************************************************
> sudo netstat -ntlp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1967/sshd
> tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2082/postgres
> tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      16815/java
> tcp6       0      0 :::8080                 :::*                    LISTEN      16815/java
> tcp6       0      0 :::22                   :::*                    LISTEN      1967/sshd
> tcp6       0      0 176.58.107.88:8443      :::*                    LISTEN      16815/java
> tcp6       0      0 178.79.152.69:8443      :::*                    LISTEN      16815/java
> ************************************************
> 

---- Comment ---- 


My netstat, grepping for 8080:

netstat -an | grep 8080
tcp    0      0 192.168.0.253:8080      0.0.0.0:*           LISTEN
tcp    0      0 192.168.0.254:8080      0.0.0.0:*           LISTEN

In short, this works as expected. I suspect that SSL would work the same way.

I didn't set up SSL, since I normally terminate SSL on a front end Apache HTTPD server. I
have multiple named virtual hosts (with a SAN certificate) as well as some IP virtual hosts
with virtual interfaces and separate certificates. From a configuration standpoint, it's a
bit ugly (although includes and directories help with the organization). From an operational
standpoint, it all works as expected.

---- Comment ----  


. . . . just my two cents.
/mde/
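Editor's note on the quoted iptables rules, with an added example that is not part of the thread and not code from netfilter or Tomcat. The nat rules quoted above use the REDIRECT target, and iptables-extensions(8) documents REDIRECT as changing the packet's destination IP to the primary address of the incoming interface, rewriting only the port. On a box where 176.58.107.88 is an alias (eth0:0) of eth0, a connection to 176.58.107.88:443 therefore reaches the socket as 178.79.152.69:8443, which is the Connector that holds the other site's certificate. The model below applies that documented behaviour to the quoted rule set and to a constructed per-address DNAT rule set that preserves the destination. The primary address, the DNAT rules and the test packets are assumptions made for the example; only the REDIRECT rules come from the page.

```python
"""Model what nat PREROUTING rules do to a packet's destination.

Added example, not code from the thread or from netfilter. Semantics follow
iptables-extensions(8): REDIRECT rewrites the destination IP to the primary
address of the incoming interface and changes only the port; DNAT rewrites the
destination to exactly what --to-destination names. The REDIRECT rule set is
the one quoted in the thread; everything else here is constructed.
"""

# Assumption: eth0:0 is an alias on eth0, whose primary address is this one.
PRIMARY_ADDR = "178.79.152.69"

# Quoted rules, as iptables-save prints them.
REDIRECT_RULES = """
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
"""

# Constructed alternative: one DNAT rule per address keeps the destination IP.
DNAT_RULES = """
-A PREROUTING -d 178.79.152.69/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 178.79.152.69:8443
-A PREROUTING -d 176.58.107.88/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 176.58.107.88:8443
-A PREROUTING -d 178.79.152.69/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 178.79.152.69:8080
-A PREROUTING -d 176.58.107.88/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 176.58.107.88:8080
"""


def parse_rules(text):
    """Turn `-A CHAIN ...` lines into dicts: chain, dst, dport, target, arg.

    Only the options the sample rules use are understood (-A, -d, --dport,
    -j, --to-ports, --to-destination); -p/-m tcp is implied for every rule.
    """
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rule = {"chain": None, "dst": None, "dport": None, "target": None, "arg": None}
        i = 0
        while i < len(tok):
            if tok[i] == "-A":
                rule["chain"] = tok[i + 1]
            elif tok[i] == "-d":
                rule["dst"] = tok[i + 1].split("/")[0]  # /32 only; no prefix matching
            elif tok[i] == "--dport":
                rule["dport"] = int(tok[i + 1])
            elif tok[i] == "-j":
                rule["target"] = tok[i + 1]
            elif tok[i] in ("--to-ports", "--to-destination"):
                rule["arg"] = tok[i + 1]
            else:
                i += 1  # -p tcp, -m tcp: flag tokens only
                continue
            i += 2
        rules.append(rule)
    return rules


def nat_destination(rules, dst_ip, dport, primary=PRIMARY_ADDR):
    """(ip, port) the listening socket sees after the first matching PREROUTING rule."""
    for r in rules:
        if r["chain"] != "PREROUTING" or r["dport"] != dport:
            continue
        if r["dst"] is not None and r["dst"] != dst_ip:
            continue
        if r["target"] == "REDIRECT":
            return (primary, int(r["arg"]))  # --to-ports ranges are not modelled
        if r["target"] == "DNAT":
            ip, _, port = r["arg"].rpartition(":")
            return (ip, int(port))
    return (dst_ip, dport)  # no rule matched: delivered as addressed


def compare(dst_ips=("178.79.152.69", "176.58.107.88"), dports=(80, 443)):
    """For each (ip, port) the socket seen under the REDIRECT rules vs the DNAT rules."""
    red, dn = parse_rules(REDIRECT_RULES), parse_rules(DNAT_RULES)
    return {(ip, p): (nat_destination(red, ip, p), nat_destination(dn, ip, p))
            for ip in dst_ips for p in dports}


if __name__ == "__main__":
    for (ip, p), (r, d) in compare().items():
        print(f"{ip}:{p:<4} REDIRECT -> {r[0]}:{r[1]}   DNAT -> {d[0]}:{d[1]}")
```

Run it and every REDIRECT row collapses onto 178.79.152.69, while the DNAT rows keep the address the client dialled, so a Connector bound with address="176.58.107.88" (or a Host chosen by useIPVHosts) can actually see that address. The model ignores the OUTPUT chain, where iptables-extensions(8) says REDIRECT maps locally generated packets to 127.0.0.1 instead; the same per-address DNAT fix applies there.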
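The reply's recommendation is one Connector per IP address on each port, and a Host whose name or Alias carries that IP, with netstat confirming that the listeners are bound per address rather than on the wildcard. The script below is an added check of that recommendation; it is not code from the thread or from Tomcat. The server.xml fragment and netstat lines are constructed from the configuration quoted above, and the "fixed" variants are an assumption about what a corrected setup looks like.

```python
"""Audit a Tomcat server.xml and a netstat listing for IP-based virtual hosting.

Added example, not code from the thread or from Tomcat. Findings: Connectors
with no address attribute, Hosts with no IP alias, IP aliases with no Connector
on some port, and listeners that do not match the configured bindings.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the quoted server.xml, reduced to what the audit inspects.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="178.79.152.69"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="176.58.107.88"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <Alias>178.79.152.69</Alias><Alias>www.joli-ciel.com</Alias>
    </Host>
    <Host name="moyshele.com" appBase="/usr/share/moyshele">
      <Alias>176.58.107.88</Alias><Alias>www.moyshele.com</Alias>
    </Host>
  </Engine>
</Service></Server>"""

# Assumed corrected configuration: the 8080 Connector split per address.
FIXED_XML = SERVER_XML.replace(
    '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>',
    '<Connector port="8080" protocol="HTTP/1.1" address="178.79.152.69" redirectPort="8443"/>'
    '<Connector port="8080" protocol="HTTP/1.1" address="176.58.107.88" redirectPort="8443"/>')


def netstat_line(local):
    """Constructed `netstat -ntlp` line for the java process quoted in the thread."""
    return f"tcp6       0      0 {local:<24}:::*                    LISTEN      16815/java"


NETSTAT = "\n".join(netstat_line(l) for l in (":::8080", "176.58.107.88:8443", "178.79.152.69:8443"))
FIXED_NETSTAT = "\n".join(netstat_line(l) for l in (
    "178.79.152.69:8080", "176.58.107.88:8080", "176.58.107.88:8443", "178.79.152.69:8443"))

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WILDCARDS = ("", "*", "0.0.0.0", "::")


def connectors(xml_text):
    """(address, port) per Connector; '*' when it binds every address."""
    out = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        addr = c.get("address", "*")
        out.append(("*" if addr in WILDCARDS else addr, int(c.get("port"))))
    return out


def host_ips(xml_text):
    """Host name -> sorted IPv4 addresses it names (as name or Alias)."""
    out = {}
    for h in ET.fromstring(xml_text).iter("Host"):
        names = [h.get("name")] + [a.text.strip() for a in h.findall("Alias") if a.text]
        out[h.get("name")] = sorted(n for n in names if IPV4.match(n))
    return out


def listeners(netstat_text):
    """(address, port) pairs in LISTEN state from `netstat -ntlp` output."""
    out = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[5] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        out.add(("*" if addr in WILDCARDS else addr, int(port)))
    return out


def audit(xml_text, netstat_text):
    """Findings as strings; an empty list means config and listeners agree."""
    conns = connectors(xml_text)
    hosts = host_ips(xml_text)
    ips = sorted({ip for v in hosts.values() for ip in v})
    ports = sorted({p for _, p in conns})
    live = listeners(netstat_text)
    findings = []
    for addr, port in conns:
        if addr == "*":
            findings.append(f"config: connector :{port} has no address attribute")
    for host, v in hosts.items():
        if not v:
            findings.append(f"config: host {host} carries no IP alias")
    for ip in ips:
        for port in ports:
            if (ip, port) not in conns:
                findings.append(f"config: no connector bound to {ip}:{port}")
            if (ip, port) not in live:
                findings.append(f"runtime: nothing listening on {ip}:{port}")
    for addr, port in sorted(live):
        if addr == "*":
            findings.append(f"runtime: wildcard listener on :{port}")
    return findings


if __name__ == "__main__":
    for label, xml_text, ns in (("quoted", SERVER_XML, NETSTAT), ("fixed", FIXED_XML, FIXED_NETSTAT)):
        print(label, audit(xml_text, ns) or "ok")
```

Against the quoted configuration the audit reports the wildcard 8080 Connector, the missing 178.79.152.69:8080 and 176.58.107.88:8080 bindings, and the `:::8080` listener; against the split configuration it reports nothing. On a live box, feed it the real server.xml and the output of `netstat -ntlp` (or `ss -ntlp`, whose columns differ and would need a small change to `listeners`).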

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

