tomcat-users mailing list archives

From "Harris, Jeffrey E." <Jeffrey.Har...@ManTech.com>
Subject RE: Better SSL connector setup
Date Sun, 07 Apr 2013 03:17:38 GMT


> -----Original Message-----
> From: Kevin Jenkins [mailto:rakkar@jenkinssoftware.com]
> Sent: Saturday, April 06, 2013 10:10 PM
> To: Tomcat Users List
> Subject: Better SSL connector setup
>
> I have a server that has two hosts:
> First:
> http://masterserver2.raknet.com/
>
> Second (using alias)
> https://lobby3.raknet.com
> https://milestone.lobby3.raknet.com:444/
>
> I would like to have access be on these specific URLs. Right now you can
> use untrusted URLs, such as https://masterserver2.raknet.com/
> https://milestone.lobby3.raknet.com/
>
> Additionally, I would like to access milestone.lobby3.raknet.com on
> port 443 rather than 444 (so that 443 does not display a warning like it
> does now).
>
> I set up two connectors because I did not know how else to specify there
> are two ssl certificate files:
>
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="SSLv3"
>            SSLCertificateKeyFile="${catalina.base}\conf\lobby3\privatekey.txt"
>            SSLCertificateFile="${catalina.base}\conf\lobby3\lobby3.raknet.com.txt"
> />
>
> <Connector port="444"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="SSLv3"
>            SSLCertificateKeyFile="${catalina.base}\conf\milestone_lobby3\privatekey.txt"
>            SSLCertificateFile="${catalina.base}\conf\milestone_lobby3\milestone.lobby3.raknet.com.txt"
> />
>
> This is my host setup:
> <Host name="www.masterserver2.raknet.com"
> appBase="RakNet/masterserver2"
> unpackWARs="true" autoDeploy="true">
> <Alias>masterserver2.raknet.com</Alias>
> <Alias>milestone.masterserver2.raknet.com</Alias>
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>    prefix="masterserver2.raknet.com_access_log." suffix=".txt"
>    pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>   </Host>
> <Host name="www.lobby3.raknet.com" appBase="RakNet/lobby3"
> unpackWARs="true" autoDeploy="true">
> <Alias>lobby3.raknet.com</Alias>
> <Alias>milestone.lobby3.raknet.com</Alias>
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>    prefix="lobby3.raknet.com_access_log." suffix=".txt"
>    pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>   </Host>
>
> This is not a major issue, but just cleanup. Does anyone have
> suggestions?
> Thanks.

You probably do not want to share one IP address between two different hosts and
certificates when using SSL.  It is better to bind each host to a different IP
address, using the address attribute within each connector:

address="192.168.47.5"

If each host is bound to a different IP address, then each host can use 443.

The rule is that the IP address and port combination for each host must be different;
hosts can share either IP addresses or ports, but not both.  Again, though, with SSL,
it is better they do not share IP addresses.

I am not sure that I addressed your question of "untrusted URLs", but I will leave
that question for others on the mailing list to address if the change above does not resolve
it.

Jeffrey Harris

This e-mail and any attachments are intended only for the use of the addressee(s) named herein
and may contain proprietary information. If you are not the intended recipient of this e-mail
or believe that you received this email in error, please take immediate action to notify the
sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments
from your computer; and do not disseminate, distribute, use, or copy this message and any
attachments.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
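The binding rule in Jeffrey's reply (every Connector needs a distinct address:port; two SSL hosts therefore need two IP addresses if both are to use 443) can be checked mechanically before restarting Tomcat. The script below is an added example by the editor, not code from the thread or from Tomcat. It builds three constructed server.xml documents from the connectors Kevin posted (as posted; naively moved to 443 without an address; bound per Jeffrey's suggestion) and reports ports whose connectors cannot all bind. The 192.168.47.x addresses are assumptions for illustration, as is the conservative reading that a Connector with no `address` (the wildcard) conflicts with every other Connector on that port. It also flags the `sslProtocol="SSLv3"` setting from the posted config, which is an editor's caveat, not something the reply raised.

```python
"""Check a Tomcat server.xml for <Connector> elements that cannot all bind,
the address:port rule stated in the reply above.

Added example, not code from the thread or from Tomcat. The three documents
below are constructed from the connectors Kevin posted; the 192.168.47.x
addresses are assumptions for illustration only.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# A Connector with no `address` attribute listens on every interface.
WILDCARD = "0.0.0.0"


def ssl_connector(port, key, cert, address=None, protocol="TLSv1"):
    """Attributes for an APR SSL Connector, in the shape used in the thread."""
    attrs = {"port": str(port)}
    if address:
        attrs["address"] = address
    attrs.update({
        "protocol": "org.apache.coyote.http11.Http11AprProtocol",
        "SSLEnabled": "true", "maxThreads": "150", "scheme": "https",
        "secure": "true", "clientAuth": "false", "sslProtocol": protocol,
        "SSLCertificateKeyFile": "${catalina.base}/conf/" + key,
        "SSLCertificateFile": "${catalina.base}/conf/" + cert,
    })
    return attrs


def server_xml(connector_attrs):
    """Build a minimal server.xml around the given Connector dicts (constructed fixture)."""
    body = "\n".join(
        "    <Connector " + " ".join(f'{k}="{v}"' for k, v in c.items()) + " />"
        for c in connector_attrs
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<Server port="8005" shutdown="SHUTDOWN">\n'
        '  <Service name="Catalina">\n'
        f"{body}\n"
        '    <Engine name="Catalina" defaultHost="localhost">\n'
        '      <Host name="localhost" appBase="webapps" />\n'
        "    </Engine>\n  </Service>\n</Server>\n"
    )


LOBBY3 = ("lobby3/privatekey.txt", "lobby3/lobby3.raknet.com.txt")
MILESTONE = ("milestone_lobby3/privatekey.txt",
             "milestone_lobby3/milestone.lobby3.raknet.com.txt")

# As posted: 443 and 444, neither bound to an address, both pinned to SSLv3.
POSTED = server_xml([
    ssl_connector(443, *LOBBY3, protocol="SSLv3"),
    ssl_connector(444, *MILESTONE, protocol="SSLv3"),
])
# Naive change: move the second connector to 443 without binding addresses.
NAIVE = server_xml([
    ssl_connector(443, *LOBBY3),
    ssl_connector(443, *MILESTONE),
])
# Jeffrey's suggestion: both on 443, each on its own IP (assumed addresses).
BOUND = server_xml([
    ssl_connector(443, *LOBBY3, address="192.168.47.5"),
    ssl_connector(443, *MILESTONE, address="192.168.47.6"),
])


def connectors(xml_text):
    """Return (address, port, attributes) for every Connector in the document."""
    root = ET.fromstring(xml_text)
    return [(c.get("address", WILDCARD), int(c.get("port")), c.attrib)
            for c in root.iter("Connector")]


def binding_conflicts(xml_text):
    """Map port -> addresses for ports whose connectors cannot all bind.

    Connectors collide when two name the same address, or when one is the
    wildcard, which claims the port on every interface (assumed, conservative
    reading of bind(2) behaviour).
    """
    by_port = defaultdict(list)
    for addr, port, _ in connectors(xml_text):
        by_port[port].append(addr)
    return {port: addrs for port, addrs in sorted(by_port.items())
            if len(addrs) > 1
            and (WILDCARD in addrs or len(set(addrs)) < len(addrs))}


def sslv3_connectors(xml_text):
    """Ports of SSL connectors still pinned to SSLv3, the setting in the posted config."""
    return sorted(port for _, port, a in connectors(xml_text)
                  if a.get("SSLEnabled") == "true"
                  and a.get("sslProtocol", "").lower() == "sslv3")


if __name__ == "__main__":
    for name, doc in (("posted", POSTED), ("naive", NAIVE), ("bound", BOUND)):
        print(f"{name}: conflicts={binding_conflicts(doc)} sslv3={sslv3_connectors(doc)}")
```

Run against a real server.xml by passing its text to `binding_conflicts()`; the "naive" document is the one that fails, because both connectors would claim 0.0.0.0:443. One further caveat for readers arriving at this thread later: the one-IP-per-certificate constraint reflects the Tomcat versions current in 2013, which had no SNI support. Tomcat 8.5 and later can serve several certificates from a single address:port using per-hostname `<SSLHostConfig hostName="...">` blocks inside one Connector, so the second IP address is no longer the only option there.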

