I installed tomcat on my virtual machine (on Azure) but failed to access it from an external IP address. I tried some methods I found on stack overflow, but they did not seem to work. The port forwarding tester also says Port 8080 is closed on [my_ip_address]. I did manage to access it from localhost:8080 or 127.0.0.1:8080. I run curl 127.0.0.1:8080 and it returns the correct webpage. In addition, nginx is also able to access the website through the port.
The firewall is not running.
> sudo firewall-cmd --list-all
FirewallD is not running
Tomcat configuration file
I added address="0.0.0.0", but it does not work in my case.
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080"
address="0.0.0.0"
useIPVHosts="true"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define an SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
resolveHosts="true" prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
</Server>
Active Internet Connections
I managed to bind Apache Tomcat to IPv4 as suggested by confused genius, but it still did not work.
> netstat -ant
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN
tcp 0 36 10.0.0.4:22 75.84.33.143:59788 ESTABLISHED
tcp 0 0 127.0.0.1:8080 127.0.0.1:57604 TIME_WAIT
tcp 0 0 127.0.0.1:59724 127.0.0.1:8005 TIME_WAIT
tcp 0 0 127.0.0.1:8080 127.0.0.1:57584 TIME_WAIT
tcp 0 0 127.0.0.1:8080 127.0.0.1:57518 TIME_WAIT
tcp 0 0 127.0.0.1:8080 127.0.0.1:57520 TIME_WAIT
tcp 0 0 10.0.0.4:80 75.84.33.143:59952 ESTABLISHED
tcp 0 0 10.0.0.4:80 75.84.33.143:59953 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::5355 :::* LISTEN
From netstat -ant output , port 8080 is listenting only on tcp6 (ipv6) but not on tcp(ipv4).
tcp6 0 0 :::8080 :::* LISTEN
so it needs to be enabled for ipv4 as well in order to access it the host ip address
check this link it might help
I found the solution. It actually has nothing to do with Tomcat. The problem lies in Azure: you need to explicitly allow the port to be accessible in Azure. Adding it to the firewall does not solve the problems. (You can add inbound port rule in Home/[VM]/Networking)
Related
With IE dying off, I need to get Tomcat9 to use TLS1.2 only. I cant have TLS1.3 or any other protocol working. I have tried different connectors and the site becomes unreachable. I feel I am close with this config below, but with this Edge gives me unsupported protocol.
<Connector port="443" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" SSLProtocol = "TLSv1.2"
SSLEngine="on"
connectionTimeout="20000"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256"
I have a single instance deployment of WSO2 and now I want to be able to access the carbon management services like publisher/store etc through http. I have tried the following configurations in catalina-server.xml. I also want to use nginx as reverse proxy through http port for carbon consoles. Please help. I have also tried editing the axis2.xml to add port mappings for nginx 80 and 443 port. Currently when i run carbon console through 9763 it gets redirected to 9443 and after adding mappings in axis2.xml it responds as requested url not found for /publisher/..../login.jag
<Server port="8005" shutdown="SHUTDOWN">
<Service className="org.wso2.carbon.tomcat.ext.service.ExtendedStandardService" name="Catalina">
<!--
optional attributes:
proxyPort="80"
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9763"
bindOnInit="false"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
URIEncoding="UTF-8"/>
<!--
optional attributes:
proxyPort="443"
Added sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" for poodle vulnerability fix
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
bindOnInit="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
keystorePass="wso2carbon"
URIEncoding="UTF-8"/>
<Engine name="Catalina" defaultHost="localhost">
<!--Realm className="org.apache.catalina.realm.MemoryRealm" pathname="${carbon.home}/repository/conf/tomcat/tomcat-users.xml"/-->
<Realm className="org.wso2.carbon.tomcat.ext.realms.CarbonTomcatRealm"/>
<Host name="localhost" unpackWARs="true" deployOnStartup="false" autoDeploy="false"
appBase="${carbon.home}/repository/deployment/server/webapps/">
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
prefix="http_access_" suffix=".log"
pattern="combined"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve" threshold="600"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CompositeValve"/>
</Host>
</Engine>
</Service>
Uncomment the following line in carbon.xml.
<EnableHTTPAdminConsole>true</EnableHTTPAdminConsole>
Please note this is not recommended in production environments.
I'm setting up a Service Fabric application which contains:
an Nginx instance as frontend (single instance, port 80)
some applications written with Asp.net core (1 website, some API services) (multiple instances, dynamic port)
a Gateway service for address resolution (single instance, port 8081)
For nginx, I'm using a solution available as Nuget package.
The gateway and, in general, the example to run .NET core app have been taken here
It is suggested by the .NET core team itself to host applications behind a real web server liken nginx.
Therefore I'd like to deploy my Service Fabric application with an instance of nginx as entry point, which redirects to the Gateway service, which will do the service resolution for the replicated stateless services.
My question is about the address that I need to use in the nginx.conf to point to the Gateway address. While trying locally, I can use the local address 127.0.0.1 and it works as expected, but what happens if on a real cluster my Nginx and Gateway instances are deployed to different machines?
This is my application manifest:
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="SFApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
<Parameters>
<Parameter Name="NginxPoC_InstanceCount" DefaultValue="1" />
<Parameter Name="Gateway_InstanceCount" DefaultValue="1" />
</Parameters>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="NginxPoCPkg" ServiceManifestVersion="1.0.0" />
<Policies>
<RunAsPolicy CodePackageRef="Code" UserRef="Admin" EntryPointType="All" />
</Policies>
</ServiceManifestImport>
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="Gateway" ServiceManifestVersion="1.0.0" />
</ServiceManifestImport>
<DefaultServices>
<Service Name="NginxPoC">
<StatelessService ServiceTypeName="NginxPoCType" InstanceCount="[NginxPoC_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
<Service Name="Gateway">
<StatelessService ServiceTypeName="GatewayType" InstanceCount="[Gateway_InstanceCount]">
<SingletonPartition />
</StatelessService>
</Service>
</DefaultServices>
<Principals>
<Users>
<User Name="Admin">
<MemberOf>
<SystemGroup Name="Administrators" />
</MemberOf>
</User>
</Users>
</Principals>
</ApplicationManifest>
and this is my current nginx.conf file:
server {
listen 80;
server_name localhost;
location / {
proxy_pass http://127.0.0.1:8081;
}
}
Update 2016-10-09
As requested in the discussion, I've created a test project here. Every contribute to the project is welcome.
f you deploy the nginx and gateway service to all nodes (InstanceCount = -1) you should be good. If the gateway service is down on one node, you would of course not be able to forward the request from nginx to a gateway service on another node. For this, you need the nginx service to look-up the gateway service.
You can get the service endpoint address for the gateway using a REST call: https://msdn.microsoft.com/en-us/library/azure/dn707638.aspx
I am using tomcat version 6. I want to configure ssl by specifying some ciphers in HTTP connector . I am following below link which describes how to configure HTTP connector to prevent logjam vulnerability.
https://weakdh.org/sysadmin.html
Before changes my connector configuration was like this
<Connector sslProtocols = "TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
executor="tomcatThreadPool" keyAlias="tcserver"
keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme"
maxKeepAliveRequests="15" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
redirectPort="8443" scheme="https" secure="true"/>
After changes my connector configuration is like this.I just added ciphers to it.
<Connector ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WIT_RC4_128_SHA"
sslProtocols = "TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
executor="tomcatThreadPool" keyAlias="tcserver" keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme" maxKeepAliveRequests="15"
port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="8443"
scheme="https" secure="true"/>
But its not working.To make it work i had to change from
protocol="org.apache.coyote.http11.Http11NioProtocol" to protocol="HTTP/1.1".
But i want to use org.apache.coyote.http11.Http11NioProtocol as it is non-blocking and more efficient.
Please tell me how to do this.
I just checked the logs of tomcat and i was getting illegal argument exception whenever i tried to hit my ssl enabled web page.
The issue was with ciphers. In Tomcat 6 some of ciphers won't work if i use org.apache.coyote.http11.Http11NioProtocol. I don't know the particular reason of it.But the name of the ciphers i removed from my connector are given below. Now, i can open my ssl enabled webpages.If anybody know the answer please post.
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
I have a program running on a remote host that I need to connect to, handshake, then listen for messages. I have setup the following camel route:
<route>
<from uri="netty:tcp://localhost:50001?decoders=#decoders&sync=false" />
<bean ref="TransformMessage" method="inboundDecoder" />
<to uri="eventadmin:messages/aacus/inbound" />
</route>
<route>
<from uri="eventadmin:messages/aacus/outbound" />
<bean ref="TransformMessage" method="outboundEncoder" />
<to uri="netty:tcp://192.168.0.111:50001?allowDefaultCodec=false&sync=false" />
</route>
My question is how do I make this work? If I establish the route using
<from uri="netty:tcp://192.168.0.111:50001?decoders=#decoders&sync=false" />
it fails with a binding error.
How can I setup the connection to respond on a specific port without modifying the server?
This is not possible with either camel-mina nor camel-netty at this time of writing. A consumer can only bind to a local server. There is a JIRA ticket at Apache to implement such a new feature for the future. https://issues.apache.org/jira/browse/CAMEL-1077
Use the following workaround:
Instead ob 192.168.0.111 use localhost.
Then install "socat" and start it as follows
socat -s -u tcp4:192.168.0.111:50001 tcp4:localhost:50001
This will Tunnel your remote connection to the local service you created with camel/netty.