Linode Forum
https://forum.linode.com/

Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Request
https://forum.linode.com/viewtopic.php?f=19&t=8991		 Page 1 of 1
Author:  aurieli [ Wed Jun 13, 2012 7:08 am ]
Post subject:  Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Request
Hi all,

I'm trying to setup two different websites with two different certificates on my Linode (Ubuntu 10.04LTS).
To do this on Tomcat, I need two different IP addresses.
However, currently, all HTTP requests are going to the same IP address, even if you enter a different IP address in the browser:
http://178.79.152.69/test.jsp
http://176.58.107.88/test.jsp

The code for test.jsp:
Code:
<p>Java Version:<%= System.getProperty( "java.version" ) %>
<p>Local name:<%= request.getLocalName() %>
<p>Server name:<%= request.getServerName() %>
<p>Local IP:<%= request.getLocalAddr() %>


Any idea how to troubleshoot? I'm a networking newbie, so don't even know at what point the HTTP request header would get the target IP address and name added to it, + have no idea where to start in trying to figure this out.

I've setup the two IP addresses in /etc/network/interfaces:

Code:
# The loopback interface
auto lo
iface lo inet loopback

# Configuration for eth0 and aliases

# This line ensures that the interface will be brought up during boot.
auto eth0 eth0:0
#iface eth0 inet dhcp

# eth0 - This is the main IP address that will be used for most outbound connections.
# The address, netmask and gateway are all necessary
iface eth0 inet static
 address 178.79.152.69
 netmask 255.255.255.0
 gateway 178.79.152.1
        pre-up iptables-restore < /etc/iptables.conf

# eth0:0
# This is a second public IP address.
iface eth0:0 inet static
 address 176.58.107.88
 netmask 255.255.255.0
        pre-up iptables-restore < /etc/iptables.conf


I've also setup the hosts file to point each IP at the correct domain:
Code:
127.0.0.1        localhost.localdomain  localhost
178.79.152.69    www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com www.aplikaterm.com joli-ciel.com  bilbo
176.58.107.88    www.moyshele.com www.flyingpencil.com moyshele.com flyingpencil.com moyshele

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


ifconfig gives the following:
Code:
eth0      Link encap:Ethernet  HWaddr fe:fd:b0:3a:6b:58
          inet addr:178.79.152.69  Bcast:178.79.152.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:b0ff:fe3a:6b58/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:459 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54167 (54.1 KB)  TX bytes:298402 (298.4 KB)
          Interrupt:44

eth0:0    Link encap:Ethernet  HWaddr fe:fd:b0:3a:6b:58
          inet addr:176.58.107.88  Bcast:176.58.107.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:44

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1089074 (1.0 MB)  TX bytes:1089074 (1.0 MB)


Rgds,
Assaf
Author:  hoopycat [ Wed Jun 13, 2012 7:02 pm ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
Looks fine to me:

Code:
rtucker@witte:~$ curl http://176.58.107.88/test.jsp
<html>
<head>
</head>
<body>
<p>Java Version:1.6.0_22
<p>Local name:www.joli-ciel.com
<p>Server name:176.58.107.88
<p>Local IP:178.79.152.69


</body>
</html>
rtucker@witte:~$ curl http://178.79.152.69/test.jsp
<html>
<head>
</head>
<body>
<p>Java Version:1.6.0_22
<p>Local name:www.joli-ciel.com
<p>Server name:178.79.152.69
<p>Local IP:178.79.152.69


</body>
</html>
Author:  aurieli [ Thu Jun 14, 2012 8:00 am ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
No - that's precisely the problem.
You get the same Local IP and Local Name in both cases:
Local IP:178.79.152.69
Local name:www.joli-ciel.com
Only the server name is different.

What should appear is for 176.58.107.88 is:
<p>Java Version:1.6.0_22
<p>Local name:www.moyshele.com
<p>Server name:176.58.107.88
<p>Local IP:176.58.107.88

What does appear (exactly the same as for http://www.joli-ciel.com except for the Server Name):
<p>Java Version:1.6.0_22
<p>Local name:www.joli-ciel.com
<p>Server name:176.58.107.88
<p>Local IP:178.79.152.69
Author:  glg [ Thu Jun 14, 2012 9:43 am ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
edit: I'm wrong, sorry
Author:  aurieli [ Thu Jun 14, 2012 11:41 am ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
glg wrote:
getLocalName and getLocalAddr do not do what you think they do. they look at the local machine, not where the request came to

That's unfortunate, because that's what Tomcat uses to resolve the IP address when you tell the connector to do so.
From v6.0.35 source code, org/apache/catalina/connector/CoyoteAdapter.java, line 489:
Code:
        if (connector.getUseIPVHosts()) {
            serverName = req.localName();


However, when I dig deeper into the source code to where the request's local name is getting set in the first place, it's being set from socket.getLocalAddress(), on org/apache/catalina/http11/Http11Processor.java, line 1063.

Now, according to the java 6.0 javadoc at http://docs.oracle.com/javase/6/docs/ap ... ress%28%29, Socket.getLocalAddress() "Gets the local address to which the socket is bound."

So, my interpretation of this is that this is where the request came to, not just some check as to the local machine's IP and name.
Otherwise, nobody would be able to get this solution working, which is, however, what is recommended by the Tomcat documentation.
http://tomcat.apache.org/tomcat-6.0-doc ... unning_SSL
"Finally, using name-based virtual hosts on a secured connection can be problematic."
Author:  hoopycat [ Thu Jun 14, 2012 6:55 pm ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
If you do 'netstat -ntlp', what is the actual address to which it is bound?
Author:  aurieli [ Fri Jun 15, 2012 6:04 am ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
hoopycat wrote:
If you do 'netstat -ntlp', what is the actual address to which it is bound?

Code:
sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1967/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2082/postgres
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      16815/java
tcp6       0      0 :::8080                 :::*                    LISTEN      16815/java
tcp6       0      0 :::22                   :::*                    LISTEN      1967/sshd
tcp6       0      0 176.58.107.88:8443      :::*                    LISTEN      16815/java
tcp6       0      0 178.79.152.69:8443      :::*                    LISTEN      16815/java
Author:  hoopycat [ Fri Jun 15, 2012 6:18 am ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
You don't seem to have anything bound to port 80...?! It shouldn't be working at all, that much is certain.
Author:  aurieli [ Fri Jun 15, 2012 6:42 am ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
hoopycat wrote:
You don't seem to have anything bound to port 80...?! It shouldn't be working at all, that much is certain.


Sorry, that's because I have an IPTables rule mapping 8080 to 80 and 8443 to 443, since the tomcat6 account doesn't have access to ports below 1024. Here's the relevent portion:
Code:
*nat
:PREROUTING ACCEPT [11:3512]
:POSTROUTING ACCEPT [13:844]
:OUTPUT ACCEPT [13:844]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443 
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 
COMMIT


This is called within /etc/network/interfaces via the pre-up command as follows:
Code:
auto lo
iface lo inet loopback

auto eth0 eth0:0

iface eth0 inet static
 address 178.79.152.69
 netmask 255.255.255.0
 gateway 178.79.152.1
        pre-up iptables-restore < /etc/iptables.conf

iface eth0:0 inet static
 address 176.58.107.88
 netmask 255.255.255.0
        pre-up iptables-restore < /etc/iptables.conf
Author:  hoopycat [ Fri Jun 15, 2012 7:40 pm ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?
Author:  glg [ Sun Jun 17, 2012 10:44 pm ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
hoopycat wrote:
Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?


Using his links from the first post, yes. That means that the mapping ports via iptables is the culprit.

You're really not "supposed" to do it that way. You're "supposed" to use a "real" web server like apache with mod_jk or nginx in front of tomcat. and yes, that's all in quotes for a reason, tomcat will work just fine by itself, but occasionally you end up with a scenario like this.

You might be able to get the iptables to work by having multiple rules for each IP (ie instead of routing all 443 traffic to 8443, separately route ip1.443 to ip1.8443 and ip2.443 to ip2.8443)

Sorry about my previous post, I was off on how those functions work in the context.
Author:  aurieli [ Mon Jun 18, 2012 4:32 am ]
Post subject:  Re: Multiple IPs on Ubuntu10.04LTS not reflected in HTTP Req
glg wrote:
hoopycat wrote:
Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?


Using his links from the first post, yes. That means that the mapping ports via iptables is the culprit.
...

You might be able to get the iptables to work by having multiple rules for each IP (ie instead of routing all 443 traffic to 8443, separately route ip1.443 to ip1.8443 and ip2.443 to ip2.8443)

Thanks hoopycat and glg! That solved it.
My iptables.conf file now looks like this:
Code:
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 443 -j DNAT --to-destination 178.79.152.69:8443
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 443 -j DNAT --to-destination 176.58.107.88:8443
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 80 -j DNAT --to-destination 178.79.152.69:8080
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 80 -j DNAT --to-destination 176.58.107.88:8080
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 443 -j REDIRECT --to-ports 8443 
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 443 -j REDIRECT --to-ports 8443 
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 80 -j REDIRECT --to-ports 8080 
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 80 -j REDIRECT --to-ports 8080


That being said, I don't quite understand the IPTables OUTPUT rows.
I would expect tomcat to be outputting on port 8443, and to be redirected to port 443, but the opposite is written above.
But that's a question for another thread!

Thanks again!
Assaf
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/