Bind site to IP in Tomcat/Apache


Brad Wood

May 27, 2015, 2:14:45 PM
to lu...@googlegroups.com
I'm trying to duplicate the IIS behavior I used to do with Adobe CF where a server with 5 sites would get 5 IPs assigned to it-- one for each site. Then in IIS I would bind each site to the IP I wanted, and I could also specify hostnames as well to keep people from trying to screw with my site by using a fake hostname on the correct IP. For security, I would only allow CFIDE/administrator to be accessible on the default which was only bound to an internal IP on the box that wasn't NATed anywhere outside.

I'm looking to replicate this same setup of enforcing a particular site to only respond on a specific IP, but it's a little trickier with Lucee running on Tomcat behind Apache.  I'm using a reverse proxy to an AJP listener.  I can bind my Apache virtualhosts easy enough, but by default they all proxy to the same AJP listener which uses the HTTP host header to match the correct Tomcat host.  My first issue is that Tomcat's server.xml <host name=""> requires an actual hostname.  I can't just specify the IP address there unless the user is actually typing the IP in their browser.  If I enter the host names in Tomcat that "works" but doesn't prevent someone from accessing the "local" secure site by just faking a host name on the wrong IP with a simple host file entry.

The workaround I've got right now is to have multiple <service> tags, each with a different AJP listener on a different port.  Then my apache virtual hosts proxy to a specific AJP listener to "lock" the Apache virtualhost and Tomcat host together.  

<Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  <!-- Any host names on this IP will use the single host below -->
  <Engine name="Catalina" defaultHost="192.168.50.25">
    <Host name="192.168.50.25" appBase="webapps" unpackWARs="true" autoDeploy="true">
      <Context path="" docBase="/var/www/default" />
    </Host>
  </Engine>
</Service>
<Service name="Catalina">
  <Connector port="8019" protocol="AJP/1.3" redirectPort="8443" />
  <!-- defaultHost is technically invalid, so any HTTP requests with incorrect host header get blank page -->
  <Engine name="Catalina" defaultHost="192.168.50.45">
    <Host name="site1.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
      <Context path="" docBase="/var/www/site1.com" />
    </Host>
  </Engine>
</Service>

So the questions are:
  1. How are other people accomplishing this (or are they)?
  2. Is there a simpler way?
  3. Will something bad happen inside of Lucee like the engine being loaded twice due to two <service> tags?
  4. Should I be using a different <service> "name" attribute or does that not actually get used anywhere?
Thanks!

~Brad
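
An added example, not part of the original post or of Tomcat's own code: a simplified Python model of Tomcat host selection (exact Host name or Alias match, otherwise defaultHost) run over the two-Service layout above and over a single shared listener, to show which docBase answers a given Host header. The shared layout, the name admin.internal, and the assumption that the public Apache vhost proxies to port 8019 (split) or 8009 (shared) are constructed for the comparison.

```python
import xml.etree.ElementTree as ET

# Constructed: the two-<Service> layout from the post, wrapped in a <Server> root.
SPLIT = """<Server>
 <Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" />
  <Engine name="Catalina" defaultHost="192.168.50.25">
   <Host name="192.168.50.25"><Context path="" docBase="/var/www/default" /></Host>
  </Engine>
 </Service>
 <Service name="Catalina">
  <Connector port="8019" protocol="AJP/1.3" />
  <Engine name="Catalina" defaultHost="192.168.50.45">
   <Host name="site1.com"><Context path="" docBase="/var/www/site1.com" /></Host>
  </Engine>
 </Service>
</Server>"""

# Constructed: one shared listener; "admin.internal" is a hypothetical name
# for the internal-only site.
SHARED = """<Server>
 <Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" />
  <Engine name="Catalina" defaultHost="site1.com">
   <Host name="admin.internal"><Context path="" docBase="/var/www/default" /></Host>
   <Host name="site1.com"><Context path="" docBase="/var/www/site1.com" /></Host>
  </Engine>
 </Service>
</Server>"""


def load_engines(server_xml):
    """Map each connector port to (host name -> root docBase, defaultHost)."""
    engines = {}
    for service in ET.fromstring(server_xml).iter("Service"):
        engine = service.find("Engine")
        hosts = {}
        for host in engine.findall("Host"):
            roots = [c.get("docBase") for c in host.findall("Context")
                     if c.get("path", "") == ""]
            names = [host.get("name")] + [a.text for a in host.findall("Alias")]
            for name in names:
                hosts[name.strip().lower()] = roots[0] if roots else None
        default = engine.get("defaultHost", "").lower()
        for conn in service.findall("Connector"):
            engines[int(conn.get("port"))] = (hosts, default)
    return engines


def resolve(server_xml, ajp_port, host_header):
    """Return the docBase that would answer, or None if no <Host> does."""
    hosts, default = load_engines(server_xml)[ajp_port]
    name = host_header.split(":")[0].strip().lower()  # drop any :port suffix
    if name in hosts:
        return hosts[name]
    return hosts.get(default)  # None when defaultHost names no <Host>


if __name__ == "__main__":
    # The public Apache vhost is assumed to proxy to 8009 (shared) or 8019 (split).
    for label, xml, port in (("shared", SHARED, 8009), ("split", SPLIT, 8019)):
        for header in ("site1.com", "admin.internal"):
            print(label, port, header, "->", resolve(xml, port, header))
```

With the shared listener a request carrying the internal site's name is routed to the internal docBase; with the split layout the same header on port 8019 matches no Host at all.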

Paul Klinkenberg

May 28, 2015, 2:46:13 AM
to lu...@googlegroups.com
Hi Brad,

I only have an answer to question 2: is there a simpler way.

I am currently busy getting the new docs out for mod_cfml version 1.1, which adds support for what you are looking for.
It sends an extra header to the Tomcat valve, which contains a unique name for the httpd Virtualhost (the "ServerName" of the httpd VirtualHost / the context-id in IIS). On the Tomcat side, we only create one Host for each unique name, and add all hostnames as a host alias.
You're very welcome to try it out; the docs will be online in the coming weekend.

The only thing you need to take into consideration when using mod_cfml this way, is that you need to set an explicit ServerName in each httpd VirtualHost. If you don't, then httpd will resolve the ip address, and use that result as the ServerName. Which is probably the same result for all local ips, which would result in only one Host on the Tomcat side.

Kind regards,

Paul Klinkenberg





--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/de672e28-10de-4187-b2d3-53637c1e39fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Brad Wood

May 28, 2015, 10:13:32 AM
to lu...@googlegroups.com
Thanks for the reply Paul.  Honestly, I've been a little reticent to use mod_cfml since I've run into people having issues with it-- thread safety things when multiple sites start up at once, and delays before contexts are configured.  Since I have a smallish number of static sites on my server, I prefer to simply configure them manually. 

If I can't use an IP address, I don't think it will work anyway.  One site I'm setting up now has like 50 domain names that all resolve to the same IP.  That IP is bound to a single, generic redirect site.  Even if I could add all the possible hostnames, I don't want to.  In IIS, I always just bound my site to the generic "redirect" IP and was done with it.  Not putting any specific hostnames in Apache or Tomcat allowed me to add additional redirect domains at any time with no config changes.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 



Paul Klinkenberg

May 28, 2015, 12:12:15 PM
to lu...@googlegroups.com
Hi Brad,

Thanks for your honesty here. The problems you heard about are over. Thread-safety indeed was a problem that was easily tackled. The delays are totally gone. And I mean *totally* :) 

You do not need to add _all_ hosts, but just 1 serverName in each VirtualHost. But, I actually tackled this as well today; when Jordan pulls in the last pull request, you don't even need to add a serverName directive.

Feel free to do whatever you want, but I actually think it makes a lot of sense to use it.
For the VirtualHost with 50 domain names, the old mod_cfml would have created 50 Hosts in Tomcat. Mod_cfml 1.1 creates only one host, and adds the domain names as host aliases, which has very little overhead in Tomcat. Adding such an alias, only on the first request, takes max. 300 msecs.

Kind regards,

Paul Klinkenberg


Brad Wood

May 28, 2015, 12:17:38 PM
to lu...@googlegroups.com
I'm excited about the Apache connector, it sounds like it will be a great improvement!   I'll probably give it a try just to help test and see how it works.

To confirm, on the site with many hosts, do all of them still need to be declared in Apache?  I'd like to just bind Apache to the IP and not have any hostnames at all.

Thanks!

~Brad

ColdBox Platform Evangelist
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 


Paul Klinkenberg

May 28, 2015, 12:55:42 PM
to lu...@googlegroups.com
Hi Brad,

Only today, you still need to add one ServerName directive inside each <VirtualHost 1.2.3.4:80>. It can be totally bogus, like ServerName whatever1.com. As long as it is unique.
Reason is, that if there is no ServerName, httpd will resolve the ip address it is serving from, and use the result as the ServerName (eg. "localhost", or the local machine's name). If you now have multiple local IPs, which all resolve to the same name, then it will get sent to the Tomcat valve, which will only create one host: the ServerName is constant...

From tomorrow on, the new version does not need/do this anymore. I made the ServerName which is sent to the tomcat valve, unique. See https://github.com/utdream/mod_cfml/pull/4/files if you're interested :)

> To confirm, on the site with many hosts, do all of them still need to be declared in Apache?
Nope. 

Kind regards,

Paul Klinkenberg


Brad Wood

May 28, 2015, 6:13:47 PM
to lu...@googlegroups.com
Thanks for the update. You had said something about adding the alias on the first run so I thought you meant it added them all on the first run. I assume you mean the host alias is added the first time it is used? That sounds great.

I'll actually be rebuilding Lucee on a personal server this weekend so give a holler when the code is ready to use.  

Thanks!

~Brad

Brad Wood

May 29, 2015, 4:10:26 PM
to lu...@googlegroups.com
Does anyone want to take a stab at whether having more than one service tag in my Tomcat server.xml will have adverse effects?

3. Will something bad happen inside of Lucee like the engine being loaded twice due to two <service> tags?
4. Should I be using a different <service> "name" attribute or does that not actually get used anywhere?

Thanks!

~Brad 

Pierre Larde

May 13, 2016, 9:51:06 AM
to Lucee
Hi, I am looking for an example of server.xml to add new domains.
I tried to add these lines:
<Host name="publicitemurale.com" appBase="D:\SitesPlarts">
  <Context path="" docBase="D:\SitesPlarts\ROOT\C020\www" />
</Host>
in the Engine tag.
And when browsing the domain publicitemurale.com,
I have this message:
Generic Connector Communication Error:
Please check and adjust your setup:
Ensure that Tomcat is running on given host and port.
If this is a timeout error consider adjusting IIS timeout by changing executionTimeout attribute in web.config (see manual).

I do not find anywhere an example of code to add in this XML file.
I am working with IIS7.
I also tried the mod_cfml
But the valve stopped the Tomcat service.

Thanks for any help.
(It does work when browsing : http://myIP:8080/mydir )

Jordan Michaels

May 13, 2016, 3:58:59 PM
to lu...@googlegroups.com
If you installed using the installer, the example host config is at the very bottom of the server.xml file. The installer should also setup the BonCode connector for IIS7 and mod_cfml to automatically configure new IIS hosts in Tomcat.

Judging by your 8080 port, I'm guessing you did a vanilla Tomcat install? Maybe give the installer a try on a fresh Windows install as it does a lot of the grunt work for you to get you up and running quicker.

--
Kind regards,
Jordan Michaels
Vivio Technologies


Pierre Larde

May 14, 2016, 6:56:49 AM
to Lucee
Thanks for your answer,
I succeeded in getting the domain working: I had to install .NET Framework.
That has solved the access from the domain name, as: http://mysite.com

But the Tomcat lines were added manually in "server.xml".
This is because adding the "valve" code in server.xml stopped the Tomcat service.

Do you mean I should try a new install with the installer?
And do you mean the port 8080 is not used with the installer?

Thanks for clarification,
Pierre.

Pierre Larde

May 14, 2016, 9:34:07 AM
to Lucee
Hi Michaels,
back on my last answer,
I did remove the old installation of Tomcat/Lucee
And I used the installer : that's Great ...
Very fast, very well organized (directories), very much better than the manual installation (Java, Tomcat, Lucee)
And working immediately.
So now the port 8888 is used (instead of 8080)

Still 2 questions :
- Is it possible to modify the sites ROOT directory (lucee/tomcat/webapps/ROOT)



Pierre Larde

May 14, 2016, 9:39:26 AM
to Lucee
I hit a key, and the answer has been published without my willing !!! (very bad Google)
I continue last answer :

In last (manual) installation, I modified the site root directory in the server.xml of Tomcat.
This does not work with this new installation.
Any idea , where to modify this ?

- Also when creating a site in IIS7 , I do not see any change in server.xml
  (the  <host  code lines)

Thanks for all help/information.
Lucee is Great.

Jordan Michaels

May 16, 2016, 2:49:33 PM
to lu...@googlegroups.com
Hi Pierre,

Glad to hear the installer helped. =)

All the default context configs (including ROOT) are still configured in the Tomcat server.xml file - however, the idea of mod_cfml is to make it so that modifying your server.xml file is not necessary. Put simply, any hosts you configure manually in the Tomcat server.xml are added to Tomcat at startup. Any additional hosts that mod_cfml creates the first time a site is hit are added *in memory* and do not alter the server.xml file.

The mod_cfml source is wide open, so you can see exactly what it does here:
https://github.com/utdream/mod_cfml/blob/master/java/mod_cfml-valve/src/mod_cfml/core.java

Pierre Larde

May 23, 2016, 5:27:51 PM
to Lucee
I have created a site in IIS7, ( publicitemurale.com )
when browsing the site, I get the Lucee page, not the site.
(Welcome to your Lucee Installation!

You are now successfully running Lucee 4.5.2.018 on your system!)


If I edit the server.xml and add the <Host> lines for the site:

<Host name="publicitemurale.com" appBase="">
  <Context path="" docBase="D:\luceePie\tomcat\webapps\ROOT\C020\www" />
  <Alias>www.publicitemurale.com</Alias>
</Host>


Then I access the site.

The Boncode is installed,

The valve lines are in the server.xml  (from the automatic install)


Any idea ?

Thanks again for help.

Pierre.




Jordan Michaels

May 23, 2016, 5:33:47 PM
to lu...@googlegroups.com
Could be a number of things. Check your Tomcat catalina logs to see if there was an error when deploying the new context.

The user Lucee runs under needs permissions to create a WEB-INF directory in the new context, so if I had to guess there are probably problems with you hosting the site off a shared drive. If you can't allow Lucee permissions to create the WEB-INF on the shared drive, then you'll have to configure Lucee to create the WEB-INF folder somewhere else, like a standardized folder in your Lucee directory.

Pierre Larde

May 24, 2016, 6:42:11 AM
to Lucee
I need an understanding,
Why is a WEB-INF (with Lucee inside) created in every site?
When is it created?
What is the role of this directory ?
If I delete this directory, the browser is looking at : [C:\inetpub\wwwroot\C009\www\index.cfm]
( I have copied old WEB-INF dir from other places, should I have to delete them ?)

Or where can I have information about WEB-INF role (the way it works)  ?
(is this the working principle of Lucee ? It seems a lot of files are duplicated a lot of time)

Thanks for help,
Pierre.

Brad Wood

May 24, 2016, 7:50:42 AM
to Lucee

Web-inf is part of the j2ee servlet spec for deploying web applications.  It is created by Lucee the first time that web context is deployed. It does not usually contain the entire Lucee engine, just configuration files.  You can also control where the web context folder is created in your web.xml.  Is the folder creating some sort of issue for you?


Pierre Larde

May 24, 2016, 1:56:45 PM
to Lucee
Thanks for infos,
I am wondering if they are all the same at all sites directories ?
Because I have copied a full webroot (all sites)  to another place,
I am just wondering if the WEB-INF coming with are still valid ?

And does the WEB-INF have something to do with the boncode/mod_cfml function?
Because I have the WEB-INF but I do not have the mod_cfml working
(I have to edit the server.xml file to add new sites which are set in IIS7)

Thanks for any support for mod_cfml.
Pierre.

Aaron Terry

May 24, 2016, 6:05:53 PM
to lu...@googlegroups.com
Brad,

We have a multi-tenant SAAS application that uses the host header to identify the client sites in our onSessionStart. Client sites are required to have distinct hostnames so that we can map hostnames to clients.

We have a handful of virtual hosts defined in apache for different components of our product.

For years, we've bound each Apache virtualhost to a different port number and it worked just fine for us.

When we added our first Railo service a couple of years ago, we were fine with a single Tomcat engine, service, and host. 

However, we ran into problems when we tried to setup a 2nd Tomcat host within that same service for a repo that we were transitioning from ACF -> Lucee.

We couldn't use the host header to distinguish, since our app uses it to distinguish clients.

So we ended up having two Tomcat services, each with its own engine and host.

Just recently, we've started using Apache mod_headers to copy the host header to a new header named something like "X-Real-Hostname" and then overwriting the host header to something like thisRepo.local.

Then we can use multiple Tomcat hosts within one engine and let Tomcat use the hostname to know which app.

Simplified example conf:

<Engine name="Catalina" defaultHost="repo1.local">
  <Host name="repo1.local" appBase="webapps" unpackWARs="false" autoDeploy="false">
    <Context path="" docBase="C:/repo1.local" />
  </Host>
  <Host name="repo2.local" appBase="webapps" unpackWARs="false" autoDeploy="false">
    <Context path="" docBase="C:/repo2.local" />
  </Host>
</Engine>

In our app, we now have retired the use of cgi variables to identify the hostname and now use a application scoped function to retrieve it from our custom header:

<cffunction name="getCurrentHostname" access="public" returntype="string" output="no">
  <cfset local.httpRequestHeaders = GetHttpRequestData().headers>
  <cfif structKeyExists(local.httpRequestHeaders,"X-Real-Hostname")>
    <cfreturn local.httpRequestHeaders["X-Real-Hostname"]>
  <cfelse>
    <cfreturn cgi.server_name>
  </cfif>
</cffunction>


Paul,

The new mod_cfml feature to use servername sounds nice. We couldn't use the previous version to solve our problems since it strips the port number from the host.

Log file entry:
[mod_cfml] host [mysite.com:81] contains ':'. New value => mysite.com

