tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Better SSL connector setup
Date Sun, 07 Apr 2013 15:47:22 GMT

Kevin,

On 4/6/13 10:10 PM, Kevin Jenkins wrote:
> I have a server that has two hosts: First: 
> http://masterserver2.raknet.com/
> 
> Second (using alias) https://lobby3.raknet.com
> https://milestone.lobby3.raknet.com:444/
> 
> I would like to have access be on these specific URLs. Right now you
> can use untrusted URLs, such as https://masterserver2.raknet.com/
> https://milestone.lobby3.raknet.com/
> 
> Additionally, I would like to access milestone.lobby3.raknet.com on
> port 443 rather than 444 (so that 443 does not display a warning
> like it does now).
> 
> I set up two connectors because I did not know how else to specify
> that there are two SSL certificate files

If you want two separate hostnames served under HTTPS and you:

a. Don't have a wildcard or other special type of certificate
or
b. Don't have Server Name Indication capabilities

...then you will need to configure a <Connector> for each hostname on
a separate interface/port combination with separate certificates.

The easiest way to do this is to set up a second interface with a
separate IP address. This is usually trivial to do, and it doesn't
really interfere with networking on the server. Just create a second
interface with a second IP address, map DNS properly, and then set up
your web server to bind specifically to the second IP address for the
second hostname's SSL virtual host.

Your <Connectors> look just fine (other than the use of port 444, of
course). Once you have a second interface/IP, you'll want to use the
"address" attribute of the <Connector> to choose the interface to
listen on. I would choose one <Connector> to listen on *all*
interfaces to be a catch-all in case your IP address(es) change(s) and
you forget to re-configure everything: a security warning due to a
mismatched host is better for users than an unreachable host.

-chris
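As an added illustration of the setup Chris describes (this fragment is not from the thread or from the Tomcat project): a Tomcat 7 server.xml excerpt with one HTTPS <Connector> per hostname, each bound to its own IP via the "address" attribute and pointing at its own keystore, both on 443 so port 444 is no longer needed. The IP addresses and keystore paths are constructed placeholders.

```xml
<!-- Assumed (constructed): masterserver2.raknet.com resolves to 192.0.2.10,
     milestone.lobby3.raknet.com to 192.0.2.11, and each hostname has its own
     JSSE keystore holding that hostname's certificate and private key. -->

<!-- HTTPS for masterserver2.raknet.com, listening only on its IP -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           address="192.0.2.10"
           scheme="https" secure="true"
           keystoreFile="/etc/tomcat/keystores/masterserver2.jks"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- HTTPS for milestone.lobby3.raknet.com on 443 (instead of 444),
     listening only on its IP and using the second certificate -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           address="192.0.2.11"
           scheme="https" secure="true"
           keystoreFile="/etc/tomcat/keystores/milestone.jks"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
```

Each hostname now receives the certificate that matches it, so the browser warning Kevin saw on 443 goes away. Leaving "address" off one connector gives the catch-all Chris mentions, but on Linux a wildcard listener and an IP-specific listener cannot share the same port, so the catch-all would need its own port there; also restrict read access to server.xml, since keystorePass is stored in clear text.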


