Linode Forum
Linode Community Forums
Posted: Wed Jun 13, 2012 7:08 am
Senior Newbie

Joined: Tue Feb 01, 2011 7:05 am
Posts: 6
Hi all,

I'm trying to set up two different websites with two different certificates on my Linode (Ubuntu 10.04 LTS).
To do this on Tomcat, I need two different IP addresses.
However, currently, all HTTP requests are going to the same IP address, even if you enter a different IP address in the browser:
http://178.79.152.69/test.jsp
http://176.58.107.88/test.jsp

The code for test.jsp:
Code:
<p>Java Version:<%= System.getProperty( "java.version" ) %>
<p>Local name:<%= request.getLocalName() %>
<p>Server name:<%= request.getServerName() %>
<p>Local IP:<%= request.getLocalAddr() %>


Any idea how to troubleshoot? I'm a networking newbie, so don't even know at what point the HTTP request header would get the target IP address and name added to it, and have no idea where to start in trying to figure this out.

I've set up the two IP addresses in /etc/network/interfaces:

Code:
# The loopback interface
auto lo
iface lo inet loopback

# Configuration for eth0 and aliases

# This line ensures that the interface will be brought up during boot.
auto eth0 eth0:0
#iface eth0 inet dhcp

# eth0 - This is the main IP address that will be used for most outbound connections.
# The address, netmask and gateway are all necessary
iface eth0 inet static
    address 178.79.152.69
    netmask 255.255.255.0
    gateway 178.79.152.1
    pre-up iptables-restore < /etc/iptables.conf

# eth0:0
# This is a second public IP address.
iface eth0:0 inet static
    address 176.58.107.88
    netmask 255.255.255.0
    pre-up iptables-restore < /etc/iptables.conf


I've also set up the hosts file to point each IP at the correct domain:
Code:
127.0.0.1        localhost.localdomain  localhost
178.79.152.69    www.joli-ciel.com bilbo.joli-ciel.com bilbo.aplikaterm.com www.aplikaterm.com joli-ciel.com  bilbo
176.58.107.88    www.moyshele.com www.flyingpencil.com moyshele.com flyingpencil.com moyshele

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


ifconfig gives the following:
Code:
eth0      Link encap:Ethernet  HWaddr fe:fd:b0:3a:6b:58
          inet addr:178.79.152.69  Bcast:178.79.152.255  Mask:255.255.255.0
          inet6 addr: fe80::fcfd:b0ff:fe3a:6b58/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:459 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54167 (54.1 KB)  TX bytes:298402 (298.4 KB)
          Interrupt:44

eth0:0    Link encap:Ethernet  HWaddr fe:fd:b0:3a:6b:58
          inet addr:176.58.107.88  Bcast:176.58.107.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:44

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1089074 (1.0 MB)  TX bytes:1089074 (1.0 MB)


Rgds,
Assaf


Posted: Wed Jun 13, 2012 7:02 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1652
Location: Rochester, New York
Looks fine to me:

Code:
rtucker@witte:~$ curl http://176.58.107.88/test.jsp
<html>
<head>
</head>
<body>
<p>Java Version:1.6.0_22
<p>Local name:www.joli-ciel.com
<p>Server name:176.58.107.88
<p>Local IP:178.79.152.69


</body>
</html>
rtucker@witte:~$ curl http://178.79.152.69/test.jsp
<html>
<head>
</head>
<body>
<p>Java Version:1.6.0_22
<p>Local name:www.joli-ciel.com
<p>Server name:178.79.152.69
<p>Local IP:178.79.152.69


</body>
</html>

_________________
Code:
Warning (10631): VHDL Process Statement warning at signature.vhd(1): inferring latch(es) for signal or variable "disclaimer", which holds its previous value in one or more paths through the process


Posted: Thu Jun 14, 2012 8:00 am
Senior Newbie

Joined: Tue Feb 01, 2011 7:05 am
Posts: 6
No - that's precisely the problem.
You get the same Local IP and Local Name in both cases:
Local IP:178.79.152.69
Local name:www.joli-ciel.com
Only the server name is different.

What should appear for 176.58.107.88 is:
<p>Java Version:1.6.0_22
<p>Local name:www.moyshele.com
<p>Server name:176.58.107.88
<p>Local IP:176.58.107.88

What does appear (exactly the same as for http://www.joli-ciel.com except for the Server Name):
<p>Java Version:1.6.0_22
<p>Local name:www.joli-ciel.com
<p>Server name:176.58.107.88
<p>Local IP:178.79.152.69


Posted: Thu Jun 14, 2012 9:43 am
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 592
edit: I'm wrong, sorry


Last edited by glg on Sun Jun 17, 2012 10:45 pm, edited 1 time in total.

Posted: Thu Jun 14, 2012 11:41 am
Senior Newbie

Joined: Tue Feb 01, 2011 7:05 am
Posts: 6
glg wrote:
getLocalName and getLocalAddr do not do what you think they do. they look at the local machine, not where the request came to

That's unfortunate, because that's what Tomcat uses to resolve the IP address when you tell the connector to do so.
From v6.0.35 source code, org/apache/catalina/connector/CoyoteAdapter.java, line 489:
Code:
        if (connector.getUseIPVHosts()) {
            serverName = req.localName();


However, when I dig deeper into the source code to where the request's local name is getting set in the first place, it's being set from socket.getLocalAddress(), on org/apache/catalina/http11/Http11Processor.java, line 1063.

Now, according to the java 6.0 javadoc at http://docs.oracle.com/javase/6/docs/ap ... ress%28%29, Socket.getLocalAddress() "Gets the local address to which the socket is bound."

So, my interpretation of this is that this is where the request came to, not just some check as to the local machine's IP and name.
Otherwise, nobody would be able to get this solution working, which is, however, what is recommended by the Tomcat documentation.
http://tomcat.apache.org/tomcat-6.0-doc ... unning_SSL
"Finally, using name-based virtual hosts on a secured connection can be problematic."


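As an added illustration of the point made above about Socket.getLocalAddress() (example code written for this page, not taken from the thread or from Tomcat): a listener bound to the wildcard address still reports, on every accepted connection, the address the client actually connected to. That per-connection value is what Tomcat's req.localName() is ultimately derived from, so anything that rewrites the destination address before the connection is accepted (such as a nat REDIRECT) changes which IP-based virtual host is selected.

```python
"""Added example: what an accepted socket reports as its local address.

The listener is bound to 0.0.0.0 (like Tomcat's :::8080 in the netstat
output), yet each accepted socket's local address is the destination the
client connected to, not the wildcard the listener was bound to.
"""
import socket
import threading


def local_addr_seen_by_server(connect_to="127.0.0.1"):
    """Bind a listener to the wildcard address, accept one connection made
    to `connect_to`, and return the server-side local address of the
    accepted socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", 0))          # wildcard bind, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}

    def serve():
        conn, _peer = listener.accept()
        # Local endpoint of the accepted connection: the address the
        # client connected *to*, which is what getLocalAddress() returns.
        result["local"] = conn.getsockname()[0]
        conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        client = socket.create_connection((connect_to, port), timeout=5)
        worker.join(timeout=5)
        client.close()
    finally:
        listener.close()
    return result.get("local")


if __name__ == "__main__":
    # 127.0.0.2 is also loopback on Linux; on other systems it may fail.
    for addr in ("127.0.0.1", "127.0.0.2"):
        try:
            print(f"connected to {addr}: server sees local address "
                  f"{local_addr_seen_by_server(addr)}")
        except OSError as exc:
            print(f"connected to {addr}: not reachable here ({exc})")
```

Run directly, the script shows that the server-side local address follows the address the client used, even though the listening socket itself was bound to the wildcard address.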
Posted: Thu Jun 14, 2012 6:55 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1652
Location: Rochester, New York
If you do 'netstat -ntlp', what is the actual address to which it is bound?



Posted: Fri Jun 15, 2012 6:04 am
Senior Newbie

Joined: Tue Feb 01, 2011 7:05 am
Posts: 6
hoopycat wrote:
If you do 'netstat -ntlp', what is the actual address to which it is bound?

Code:
sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1967/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2082/postgres
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      16815/java
tcp6       0      0 :::8080                 :::*                    LISTEN      16815/java
tcp6       0      0 :::22                   :::*                    LISTEN      1967/sshd
tcp6       0      0 176.58.107.88:8443      :::*                    LISTEN      16815/java
tcp6       0      0 178.79.152.69:8443      :::*                    LISTEN      16815/java


Posted: Fri Jun 15, 2012 6:18 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1652
Location: Rochester, New York
You don't seem to have anything bound to port 80...?! It shouldn't be working at all, that much is certain.



Posted: Fri Jun 15, 2012 6:42 am
Senior Newbie

Joined: Tue Feb 01, 2011 7:05 am
Posts: 6
hoopycat wrote:
You don't seem to have anything bound to port 80...?! It shouldn't be working at all, that much is certain.


Sorry, that's because I have an IPTables rule mapping 8080 to 80 and 8443 to 443, since the tomcat6 account doesn't have access to ports below 1024. Here's the relevant portion:
Code:
*nat
:PREROUTING ACCEPT [11:3512]
:POSTROUTING ACCEPT [13:844]
:OUTPUT ACCEPT [13:844]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT


This is called within /etc/network/interfaces via the pre-up command as follows:
Code:
auto lo
iface lo inet loopback

auto eth0 eth0:0

iface eth0 inet static
    address 178.79.152.69
    netmask 255.255.255.0
    gateway 178.79.152.1
    pre-up iptables-restore < /etc/iptables.conf

iface eth0:0 inet static
    address 176.58.107.88
    netmask 255.255.255.0
    pre-up iptables-restore < /etc/iptables.conf


Posted: Fri Jun 15, 2012 7:40 pm
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1652
Location: Rochester, New York
Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?



Posted: Sun Jun 17, 2012 10:44 pm
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 592
hoopycat wrote:
Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?


Using his links from the first post, yes. That means that mapping ports via iptables is the culprit.

You're really not "supposed" to do it that way. You're "supposed" to use a "real" web server like apache with mod_jk or nginx in front of tomcat. And yes, that's all in quotes for a reason: tomcat will work just fine by itself, but occasionally you end up with a scenario like this.

You might be able to get the iptables to work by having multiple rules for each IP (i.e. instead of routing all 443 traffic to 8443, separately route ip1.443 to ip1.8443 and ip2.443 to ip2.8443).

Sorry about my previous post, I was off on how those functions work in the context.


Posted: Mon Jun 18, 2012 4:32 am
Senior Newbie

Joined: Tue Feb 01, 2011 7:05 am
Posts: 6
glg wrote:
hoopycat wrote:
Hmm. If you connect straight to port 8080 instead of 80, does it work as expected?


Using his links from the first post, yes. That means that mapping ports via iptables is the culprit.
...

You might be able to get the iptables to work by having multiple rules for each IP (i.e. instead of routing all 443 traffic to 8443, separately route ip1.443 to ip1.8443 and ip2.443 to ip2.8443).

Thanks hoopycat and glg! That solved it.
My iptables.conf file now looks like this:
Code:
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 443 -j DNAT --to-destination 178.79.152.69:8443
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 443 -j DNAT --to-destination 176.58.107.88:8443
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 80 -j DNAT --to-destination 178.79.152.69:8080
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 80 -j DNAT --to-destination 176.58.107.88:8080
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --src 178.79.152.69 --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --src 176.58.107.88 --dport 80 -j REDIRECT --to-ports 8080


That being said, I don't quite understand the IPTables OUTPUT rows.
I would expect tomcat to be outputting on port 8443, and to be redirected to port 443, but the opposite is written above.
But that's a question for another thread!

Thanks again!
Assaf


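To make the diagnosis in glg's post and the fix in Assaf's final iptables.conf concrete, here is an added Python model (written for this page, not code from the thread, from netfilter or from Tomcat). It parses the PREROUTING nat rules from the original and the fixed configuration and computes the local address and port Tomcat sees for each inbound connection. The model assumes the documented REDIRECT semantics, namely that the destination IP is rewritten to the primary address of the incoming interface (eth0 = 178.79.152.69 above) and only the port changes, while DNAT rewrites the destination to the explicit --to-destination; it also assumes Tomcat with useIPVHosts selects the virtual host by that local address, using the name-to-IP mapping from the hosts file in the first post.

```python
"""Added example: how the nat PREROUTING rules change the local address
Tomcat sees, and therefore which IP-based virtual host answers.

Constructed model, not netfilter itself. Assumptions:
  * REDIRECT rewrites the destination IP to the primary address of the
    incoming interface (eth0 = 178.79.152.69) and changes only the port;
  * DNAT rewrites the destination to the explicit --to-destination;
  * Tomcat with useIPVHosts="true" picks the Host by local address.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import shlex

PRIMARY_ADDR = {"eth0": "178.79.152.69"}      # per-interface primary IP

# IP-based virtual hosts, taken from the hosts file in the first post.
IP_VHOSTS = {
    "178.79.152.69": "www.joli-ciel.com",
    "176.58.107.88": "www.moyshele.com",
}


@dataclass
class Rule:
    dst: Optional[str]      # --dst filter; None matches any destination
    dport: int              # --dport filter
    target: str             # "REDIRECT" or "DNAT"
    to_addr: Optional[str]  # DNAT --to-destination address
    to_port: int            # REDIRECT --to-ports / DNAT --to-destination port


def parse_rule(line: str) -> Rule:
    """Parse one iptables-save nat rule (only the subset used in the thread)."""
    toks = shlex.split(line)
    dst = to_addr = None
    dport = to_port = 0
    target = ""
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "--dst":
            dst = arg
        elif tok == "--dport":
            dport = int(arg)
        elif tok == "-j":
            target = arg
        elif tok == "--to-ports":
            to_port = int(arg)
        elif tok == "--to-destination":
            to_addr, _, port = arg.rpartition(":")
            to_port = int(port)
        else:
            i += 1            # -A PREROUTING, -p tcp, -m tcp: not modelled
            continue
        i += 2
    if target not in ("REDIRECT", "DNAT"):
        raise ValueError("unsupported target in rule: " + line)
    return Rule(dst, dport, target, to_addr, to_port)


def translate(rules: List[Rule], dst_ip: str, dst_port: int,
              iface: str = "eth0") -> Tuple[str, int]:
    """Apply the first matching PREROUTING rule to an inbound connection and
    return the (local IP, local port) the listening socket will see."""
    for r in rules:
        if r.dport != dst_port or (r.dst is not None and r.dst != dst_ip):
            continue
        if r.target == "REDIRECT":
            return PRIMARY_ADDR[iface], r.to_port   # IP collapses to primary
        return r.to_addr, r.to_port                 # DNAT keeps the chosen IP
    return dst_ip, dst_port                         # no rule: untouched


def vhost_for(rules: List[Rule], dst_ip: str, dst_port: int) -> Optional[str]:
    """Virtual host Tomcat selects (useIPVHosts) for an inbound connection."""
    local_ip, _ = translate(rules, dst_ip, dst_port)
    return IP_VHOSTS.get(local_ip)


def _rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.strip().splitlines()]


# PREROUTING rules from the original iptables.conf posted in the thread
ORIGINAL_RULES = _rules("""
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
""")

# PREROUTING rules from the fixed iptables.conf
FIXED_RULES = _rules("""
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 443 -j DNAT --to-destination 178.79.152.69:8443
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 443 -j DNAT --to-destination 176.58.107.88:8443
-A PREROUTING -p tcp -m tcp --dst 178.79.152.69 --dport 80 -j DNAT --to-destination 178.79.152.69:8080
-A PREROUTING -p tcp -m tcp --dst 176.58.107.88 --dport 80 -j DNAT --to-destination 176.58.107.88:8080
""")

if __name__ == "__main__":
    for label, rules in (("REDIRECT (original)", ORIGINAL_RULES),
                         ("per-IP DNAT (fixed)", FIXED_RULES)):
        print(label)
        for ip in IP_VHOSTS:
            for port in (80, 443):
                local_ip, local_port = translate(rules, ip, port)
                print(f"  client -> {ip}:{port:<4} Tomcat sees "
                      f"{local_ip}:{local_port}  vhost={vhost_for(rules, ip, port)}")
```

With the original rules every connection, whichever public address the client used, reaches Tomcat on 178.79.152.69, so the 176.58.107.88:8443 connector from the netstat output never receives a connection and its certificate is never served; with the per-IP DNAT rules the original destination address survives and the two sites separate. On the OUTPUT rows: the nat OUTPUT chain matches locally generated packets, so those rules only affect connections the Linode makes to itself (a curl run on the host, for instance); replies to clients are translated back by connection tracking, which is why no rule mapping 8443 back to 443 is needed.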