tomcat-users mailing list archives

From Mark Eggers <its_toas...@yahoo.com>
Subject Re: Better SSL connector setup
Date Sun, 07 Apr 2013 18:40:24 GMT
Some notes from October 2011 referenced below:

On 4/7/2013 8:47 AM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Kevin,
>
> On 4/6/13 10:10 PM, Kevin Jenkins wrote:
>> I have a server that has two hosts: First:
>> http://masterserver2.raknet.com/
>>
>> Second (using alias) https://lobby3.raknet.com
>> <https://milestone.lobby3.raknet.com:444/>
>> https://milestone.lobby3.raknet.com:444/
>>
>> I would like to have access be on these specific URLs. Right now you
>> can use untrusted URLs, such as https://masterserver2.raknet.com/
>> https://milestone.lobby3.raknet.com/
>>
>> Additionally, I would like to access milestone.lobby3.raknet.com on
>> port 443 rather than 444 (so that 443 does not display a warning
>> like it does now).
>>
>> I set up two connectors because I did not know how else to specify
>> there are two SSL certificate files
>
> If you want two separate hostnames served under HTTPS and you:
>
> a. Don't have a wildcard or other special type of certificate
> or
> b. Don't have Server Name Indication capabilities
>

 From the list archives:

http://mail-archives.apache.org/mod_mbox/tomcat-users/201110.mbox/%3C1318710394.66976.YahooMailNeo@web125511.mail.ne1.yahoo.com%3E

Wildcard certificates would work in this case because the hosts are part 
of the same domain.

SNI is apparently client-side only for Java.

> ...then you will need to configure a <Connector> for each hostname on
> a separate interface/port combination with separate certificates.
>
> The easiest way to do this is to set up a second interface with a
> separate IP address. This is usually trivial to do, and it doesn't
> really interfere with networking on the server. Just create a second
> interface with a second IP address, map DNS properly, and then set up
> your web server to bind specifically to the second IP address for the
> second hostname's SSL virtual host.
>

In a Tomcat-only setup this is the way to go. Secondary or virtual IP 
addresses are easy to set up.

> Your <Connectors> look just fine (other than the use of port 444, of
> course). Once you have a second interface/IP, you'll want to use the
> "address" attribute of the <Connector> to choose the interface to
> listen on. I would choose one <Connector> to listen on *all*
> interfaces to be a catch-all in case your IP address(es) change(s) and
> you forget to re-configure everything: a security warning due to a
> mismatched-host is better for users than an unreachable host.
>
> - -chris

The other solution is to front the Tomcat systems with an Apache HTTPD 
server and use named virtual hosts in SSL. Apparently the configuration 
checking routine throws a warning on startup, but the actual 
configuration works (on Apache HTTPD 2.2, I've not tried 2.4).

. . . . just my two cents.
/mde/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
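The per-IP connector layout Chris describes above, written out as an added server.xml fragment. This is not configuration posted in the thread; the IP addresses (RFC 5737 documentation ranges), keystore file names, aliases and the placeholder keystore password are assumptions chosen for illustration, and the attribute set is the Tomcat 6/7 JSSE connector syntax current when the thread was written.

```xml
<!-- Added example: two HTTPS connectors, one per secondary IP, each with its own
     keystore. IPs, keystore paths, aliases and passwords are placeholders. -->

<!-- First hostname: bind only to the first interface address -->
<Connector port="443" address="203.0.113.10"
           protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/masterserver2.jks"
           keystorePass="changeit"
           keyAlias="masterserver2" />

<!-- Second hostname: a second keystore, bound only to the second address.
     Using 443 here instead of 444 is what removes the port warning. -->
<Connector port="443" address="203.0.113.20"
           protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/lobby3.jks"
           keystorePass="changeit"
           keyAlias="lobby3" />
```

Two caveats worth checking before relying on this. First, Tomcat selects the `<Host>` by the HTTP Host header, not by the connector the request arrived on, so an IP-bound connector pins the certificate to an address but does not by itself stop the other hostname being served on that address; restrict that in the `<Host>`/alias configuration if it matters. Second, adding a third catch-all connector on the same port with no `address` may fail with "Address already in use" on Linux once an address-specific connector is listening, since bind semantics differ between operating systems; if you want the catch-all, test the startup order on your platform or put it on a different port.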

