Merlin,

On 6/8/20 10:17, Merlin Beedell wrote:
> I am getting a lot of flack from some senior devs who insist that
> Tomcat must be put behind a Proxy – HA Proxy or Nginx, which will
> handle the SSL offloading etc.
>
> While this seems sensible for multi-server environments, they want
> it for single server too. But Tomcat can do all the things that
> are required:
>
> * Certificate handling.
> * TLS level and Cipher restrictions
> * CORS handling (though this could be simpler!)
>
> But now with the requirement for LetsEncrypt certificates, we find
> that Tomcat has to be restarted every 3 months. Indeed – any
> changes to the above require tomcat restarts – and that is found to
> be unacceptable.

Nonsense.

http://tomcat.apache.org/presentations.html#latest-lets-encrypt

Updating CORS configuration may require a redeployment of your web application, but it does not require Tomcat to be shut-down.

There are other reasons to use a reverse proxy in front of Tomcat, but none of the above are good reasons.

> So what I really want to understand is if Tomcat has any plans to
> include the ability to restart an https connector WITHOUT needing
> to restart the whole of Tomcat. Better still, a hook that would
> help refresh certificates – like LetsEncrypt.
>
> https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart
>
> There are no currently-correct answers to that question.

I can fix that.

-chris