Multiple IPs on Ubuntu 10.04 LTS not reflected in HTTP Request

Hi all,

I'm trying to set up two different websites with two different certificates on my Linode (Ubuntu 10.04 LTS).

To do this on Tomcat, I need two different IP addresses.

However, currently, all HTTP requests are going to the same IP address, even if you enter a different IP address in the browser:

http://178.79.152.69/test.jsp

http://176.58.107.88/test.jsp

The code for test.jsp:

```
Java Version:<%= System.getProperty( "java.version" ) %>
Local name:<%= request.getLocalName() %>
Server name:<%= request.getServerName() %>
Local IP:<%= request.getLocalAddr() %>
```

Any idea how to troubleshoot? I'm a networking newbie, so don't even know at what point the HTTP request header would get the target IP address and name added to it, + have no idea where to start in trying to figure this out.

I've set up the two IP addresses in /etc/network/interfaces:

```
# The loopback interface
auto lo
iface lo inet loopback

# Configuration for eth0 and aliases

# This line ensures that the interface will be brought up during boot.
auto eth0 eth0:0

#iface eth0 inet dhcp

# eth0 - This is the main IP address that will be used for most outbound connections.
# The address, netmask and gateway are all necessary
iface eth0 inet static
    address 178.79.152.69
    netmask 255.255.255.0
    gateway 178.79.152.1
    pre-up iptables-restore < /etc/iptables.conf

# eth0:0
# This is a second public IP address.
iface eth0:0 inet static
    address 176.58.107.88
    netmask 255.255.255.0
    pre-up iptables-restore < /etc/iptables.conf
```

I've also set up the hosts file to point each IP at the correct domain:

```
127.0.0.1 localhost.localdomain localhost
178.79.152.69 www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com www.aplikaterm.com joli-ciel.com bilbo
176.58.107.88 www.moyshele.com www.flyingpencil.com moyshele.com flyingpencil.com moyshele

# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
```

ifconfig gives the following:

```
eth0      Link encap:Ethernet  HWaddr fe:fd:b0:3a:6b:58
          inet addr:178.79.152.69  Bcast:178.79.152.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:b0ff:fe3a:6b58/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:459 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54167 (54.1 KB)  TX bytes:298402 (298.4 KB)
          Interrupt:44

eth0:0    Link encap:Ethernet  HWaddr fe:fd:b0:3a:6b:58
          inet addr:176.58.107.88  Bcast:176.58.107.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:44

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1089074 (1.0 MB)  TX bytes:1089074 (1.0 MB)
```

Rgds,

Assaf

11 Replies

Looks fine to me:

```
rtucker@witte:~$ curl http://176.58.107.88/test.jsp
Java Version:1.6.0_22
Local name:www.joli-ciel.com
Server name:176.58.107.88
Local IP:178.79.152.69

rtucker@witte:~$ curl http://178.79.152.69/test.jsp
Java Version:1.6.0_22
Local name:www.joli-ciel.com
Server name:178.79.152.69
Local IP:178.79.152.69
```

No - that's precisely the problem.

You get the same Local IP and Local Name in both cases:

Local IP:178.79.152.69

Local name:www.joli-ciel.com

Only the server name is different.

What should appear for 176.58.107.88 is:

Java Version:1.6.0_22

Local name:www.moyshele.com

Server name:176.58.107.88

Local IP:176.58.107.88

What does appear (exactly the same as for http://www.joli-ciel.com except for the Server Name):

Java Version:1.6.0_22

Local name:www.joli-ciel.com

Server name:176.58.107.88

Local IP:178.79.152.69

edit: I'm wrong, sorry

@glg:

getLocalName and getLocalAddr do not do what you think they do. they look at the local machine, not where the request came to

That's unfortunate, because that's what Tomcat uses to resolve the IP address when you tell the connector to do so.

From v6.0.35 source code, org/apache/catalina/connector/CoyoteAdapter.java, line 489:

        if (connector.getUseIPVHosts()) {
            serverName = req.localName();

However, when I dig deeper into the source code to where the request's local name is getting set in the first place, it's being set from socket.getLocalAddress(), on org/apache/catalina/http11/Http11Processor.java, line 1063.

Now, according to the Java 6.0 javadoc at http://docs.oracle.com/javase/6/docs/api/java/net/Socket.html#getLocalAddress%28%29, Socket.getLocalAddress() "Gets the local address to which the socket is bound."

So, my interpretation of this is that this is where the request came to, not just some check as to the local machine's IP and name.

Otherwise, nobody would be able to get this solution working, which is, however, what is recommended by the Tomcat documentation.

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#General_Tips_on_Running_SSL

"Finally, using name-based virtual hosts on a secured connection can be problematic."

If you do 'netstat -ntlp', what is the actual address to which it is bound?

@hoopycat:

If you do 'netstat -ntlp', what is the actual address to which it is bound?

```
sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1967/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2082/postgres
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      16815/java
tcp6       0      0 :::8080                 :::*                    LISTEN      16815/java
tcp6       0      0 :::22                   :::*                    LISTEN      1967/sshd
tcp6       0      0 176.58.107.88:8443      :::*                    LISTEN      16815/java
tcp6       0      0 178.79.152.69:8443      :::*                    LISTEN      16815/java
```

You don't seem to have anything bound to port 80…?! It shouldn't be working at all, that much is certain.

@hoopycat:

You don't seem to have anything bound to port 80…?! It shouldn't be working at all, that much is certain.

Sorry, that's because I have an IPTables rule mapping 8080 to 80 and 8443 to 443, since the tomcat6 account doesn't have access to ports below 1024. Here's the relevant portion:

```
*nat
:PREROUTING ACCEPT [11:3512]
:POSTROUTING ACCEPT [13:844]
:OUTPUT ACCEPT [13:844]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
```

This is called within /etc/network/interfaces via the pre-up command as follows:

```
auto lo
iface lo inet loopback

auto eth0 eth0:0

iface eth0 inet static
    address 178.79.152.69
    netmask 255.255.255.0
    gateway 178.79.152.1
    pre-up iptables-restore < /etc/iptables.conf

iface eth0:0 inet static
    address 176.58.107.88
    netmask 255.255.255.0
    pre-up iptables-restore < /etc/iptables.conf
```

Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?

@hoopycat:

Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?

Using his links from the first post, yes. That means that the mapping ports via iptables is the culprit.

You're really not "supposed" to do it that way. You're "supposed" to use a "real" web server like apache with mod_jk or nginx in front of tomcat. and yes, that's all in quotes for a reason, tomcat will work just fine by itself, but occasionally you end up with a scenario like this.

You might be able to get the iptables to work by having multiple rules for each IP (ie instead of routing all 443 traffic to 8443, separately route ip1.443 to ip1.8443 and ip2.443 to ip2.8443)

Sorry about my previous post, I was off on how those functions work in the context.

@glg:

@hoopycat:

Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?

Using his links from the first post, yes. That means that the mapping ports via iptables is the culprit.

You might be able to get the iptables to work by having multiple rules for each IP (ie instead of routing all 443 traffic to 8443, separately route ip1.443 to ip1.8443 and ip2.443 to ip2.8443)

Thanks hoopycat and glg! That solved it.

My iptables.conf file now looks like this:

```
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 443 -j DNAT --to-destination 178.79.152.69:8443
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 443 -j DNAT --to-destination 176.58.107.88:8443
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 80 -j DNAT --to-destination 178.79.152.69:8080
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 80 -j DNAT --to-destination 176.58.107.88:8080
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 80 -j REDIRECT --to-ports 8080
```

That being said, I don't quite understand the IPTables OUTPUT rows.

I would expect tomcat to be outputting on port 8443, and to be redirected to port 443, but the opposite is written above.

But that's a question for another thread!

Thanks again!

Assaf
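Why the catch-all REDIRECT rules hid the second IP and the per-IP DNAT rules fixed it, as an added example that is not part of any post in this thread: a simplified first-match model of the nat table, run over the two rule sets posted above. REDIRECT discards the original destination address (PREROUTING rewrites it to the incoming interface's primary address, OUTPUT to 127.0.0.1), while DNAT keeps whatever address the rule names. `parse_rule`, `nat_destination` and `PRIMARY` are names invented here, and the model only understands the option spellings used in the thread.

```python
import shlex
PRIMARY = "178.79.152.69"  # primary address on eth0; eth0:0 carries 176.58.107.88

ORIGINAL = """\
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
"""
FIXED = """\
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 443 -j DNAT --to-destination 178.79.152.69:8443
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 443 -j DNAT --to-destination 176.58.107.88:8443
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 80 -j DNAT --to-destination 178.79.152.69:8080
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 80 -j DNAT --to-destination 176.58.107.88:8080
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 80 -j REDIRECT --to-ports 8080
"""

def parse_rule(line):
    """Map each option in an iptables-save rule to its argument ('' if none)."""
    tok, opts = shlex.split(line), {}
    for i, t in enumerate(tok):
        if t.startswith("-"):
            nxt = tok[i + 1] if i + 1 < len(tok) else ""
            opts[t] = "" if nxt.startswith("-") else nxt
    return opts

def nat_destination(rules, chain, src, dst, dport):
    """Return the (ip, port) a new TCP connection reaches; first matching rule wins."""
    for line in rules.splitlines():
        r = parse_rule(line)
        if (r.get("-A") != chain or r.get("--dst", dst) != dst
                or r.get("--src", src) != src
                or int(r.get("--dport", dport)) != dport):
            continue
        if r["-j"] == "DNAT":
            ip, port = r["--to-destination"].split(":")
            return ip, int(port)
        if r["-j"] == "REDIRECT":
            # REDIRECT discards the original destination IP: PREROUTING maps to
            # the incoming interface's primary address, OUTPUT to 127.0.0.1.
            ip = PRIMARY if chain == "PREROUTING" else "127.0.0.1"
            return ip, int(r["--to-ports"])
    return dst, dport  # no rule matched: destination is left untouched

if __name__ == "__main__":
    for rules in (ORIGINAL, FIXED):  # client 198.51.100.7 is a constructed address
        print(nat_destination(rules, "PREROUTING", "198.51.100.7", "176.58.107.88", 80))
```

The nat OUTPUT chain sees connections the server itself opens, not Tomcat's replies (connection tracking reverses the translation for replies). So `nat_destination(FIXED, "OUTPUT", "178.79.152.69", "203.0.113.10", 80)`, with a constructed remote address, returns `('127.0.0.1', 8080)`: the OUTPUT rules as posted also capture the server's own outbound connections to port 80 on any host.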
