
I installed Tomcat 8 on a Linux machine, and enabled the https connector on port 443.

<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    URIEncoding="UTF-8"
    keystoreFile="${catalina.base}/conf/ssl/keystore.jks"
    keystorePass="*********"
    SSLVerifyClient="optional"
    SSLProtocol="TLSv1" />

I also enabled the Tomcat AccessLogValve in order to see all the requests.

I start the server and I see that the https connector is instantiated correctly in the catalina log. Now if I make https requests from another server, I don't see anything in the tomcat logs and access log.

If I run the Linux command tcpdump on port 443, I can see that the requests are arriving at the machine.

If I use curl on the machine where Tomcat is installed, it works perfectly. I can also add that I have to start Tomcat as root (temporarily, I know it's a bad practice).

Any clue?

Thanks!

2 Answers


The problem was related to the IP of the machine where Tomcat is installed. The machine had 2 IPs, one for eth0 and another one for eth1.

I was calling Tomcat like https://serverName:443, but the DNS is redirecting to the IP set on eth0.

If I call the https://ipForEth01:443 it's working fine.

Not sure it's a valid solution though; my customer will decide whether to fix the server network configuration or not.
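A check for the multi-homed situation described in this answer, as an added example that is not part of the original post: it reads the output of `ss -ltn` and `ip -4 -o addr show` (constructed samples below, with made-up addresses and interface names) and reports which of the host's addresses a listener on a given port will not accept connections on.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (not from the original post):
# the 443 listener is bound to the eth0 address only, 8080 to all addresses.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      100    192.0.2.10:443      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*'

# Constructed sample of `ip -4 -o addr show` output: two interfaces, two IPs.
ADDR_SAMPLE='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 198.51.100.10/24 brd 198.51.100.255 scope global eth1'

# listener_addr PORT SS_OUTPUT: print the local address the listener on PORT is bound to.
listener_addr() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")   # last field is the port, works for "[::]:443" too
            if (a[n] == port) { print substr($4, 1, length($4) - length(port) - 1); exit }
        }'
}

# host_addrs IP_OUTPUT: print every IPv4 address configured on the host, one per line.
host_addrs() {
    printf '%s\n' "$1" | awk '{ sub("/.*", "", $4); print $4 }'
}

# check_listener PORT SS_OUTPUT IP_OUTPUT: prints "ok" when PORT listens on all
# addresses; otherwise lists the host addresses on which connections to PORT
# will be refused. Returns non-zero in the latter case and when nothing listens.
check_listener() {
    bound=$(listener_addr "$1" "$2")
    [ -n "$bound" ] || { echo "no listener on port $1"; return 1; }
    case "$bound" in
        0.0.0.0|'*'|'[::]') echo "ok: port $1 bound to all addresses"; return 0 ;;
    esac
    unreachable=$(host_addrs "$3" | grep -Fvx "$bound" | tr '\n' ' ')
    echo "port $1 bound to $bound only; unreachable via: ${unreachable% }"
    return 1
}

# Real-world usage on the server (requires iproute2):
#   check_listener 443 "$(ss -ltn)" "$(ip -4 -o addr show)"
```

Run against the samples, `check_listener 443` reports that 198.51.100.10 (the eth1 address) cannot reach the listener, which is the symptom in the question; a Connector without an `address` attribute binds to all addresses and reports "ok".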


In Linux, and other UNIX-like systems, we need to be root (have superuser privileges) in order to listen on TCP or UDP ports below 1024 (the well-known ports).

This is restricted for security reasons.

This applies when Tomcat, JBoss or any application server wants to use the default HTTP port 80 or the SSL port 443.

There are different solutions:

1) Most common: put a reverse proxy server in front to route the requests hitting 80 or 443 to 8080 or 8443. Nginx and Apache are the most common. If your organisation has a BigIP F5, you can use that as well.

2) Without external apps, Linux itself can help here, using port forwarding.

Either iptables or firewalld can be used.

The system firewalld can be set as follows:

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

sudo firewall-cmd --zone=public --add-masquerade --permanent

sudo firewall-cmd --reload

Then view the settings with:

sudo firewall-cmd --zone=public --list-all