Caffeine Coma's questions

If I have test.example.com and prod.example.com (two hostnames, but same domain name) can I use the same SSL cert on both machines?

In the past when I tried using a prod.example.com cert on test.example.com it resulted in browser warnings for host-mismatch, which led me to believe that I needed a wildcard (or else multiple distinct certs). (Perhaps my mistake was in generating the CSR for prod.example.com rather than simply example.com ?)

But the various SSL vendors' websites mention needing a wildcard cert for subdomains, which is not at all what I am using.

Is their language simply incorrect? (My cynical side wonders if this helps vendors sell more expensive certs...)

I'm trying to set up Apache + Glassfish so that I can access two different webapps on the same physical host, differentiated by the hostname in the URL.

So if I visit http://host1.com, I'll get app1. If I visit http://host2.com, I'll get app2. host1 and host2 both resolve to the same IP address.

I've been able to get this working in a basic way with mod_proxy and Glassfish virtualservers using this guide. But the user still needs to specify the context-root for one of the apps, i.e. http://host1.com/app1.

How can I set things up so that both apps appear as the "root" in their respective URLs?

Do I need two separate Glassfish domains?

Here's the apache config I'm using:

<VirtualHost *:80>
     ProxyPreserveHost On
     ProxyPass / http://localhost:8080/app1
     ProxyPassReverse / http://localhost:8080/app1
     ServerName host1.com
</VirtualHost>

<VirtualHost *:80>
     ProxyPreserveHost On
     ProxyPass / http://localhost:8080/
     ProxyPassReverse / http://localhost:8080/app2
     ServerName host2.com
</VirtualHost>

I'm using Wireshark on OSX, trying to sniff my home network over WiFi. While I can see packets that are sent to/from the host I'm sniffing on, I'm not seeing anything else that goes over the WiFi. It's like I'm not in promiscuous mode or something (the promiscuous mode box is in fact checked).

The router is an Apple Airport Extreme, protected by WPA2. I'm attached to the network I'm trying to sniff, so I'm confused about why I can't see other traffic.

Edit: I solved this by the following:

1. Plug Macbook directly into the Airport Extreme router
2. Enable "internet sharing" on Macbook, with no password.
3. Bind wireless device (the one I wanted to sniff) to the WiFi hotspot generated by Internet sharing in step 2.
4. Run Wireshark on the Macbook, bound to device en1.

Don't forget to disable sharing after you're done. :-)

How can I port-forward port 80 internally to port 8080?

My goal is to have a web app server (Glassfish) running on port 8080, but for the outside world to access it normally on port 80. This is being done so that I don't have to run Glassfish as root.

I tried adding the following rule to my /etc/sysconfig/iptables:

-A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

but this results in the following error:

Applying iptables firewall rules: iptables-restore v1.3.5: Line 21 seems to have a -t table option.

I'm primarily a Java developer, and I come to you with a question that straddles the divide between developers and sysadmins.

Years ago, when it was a novel thing to run Tomcat as an app server, it was customary to front it with Apache. As I understand it, this was done because:

1. Java was considered "slow", and it was helpful to have Apache serve static content directly.
2. Tomcat couldn't listen to ports 80/443 unless run as root, which was dangerous.

Java is no longer considered slow, and I doubt adding Apache to the mix will actually help speed things up.

As for the ports issue, there are probably simpler ways to connect app servers to ports 80/443 these days.

So my question is- is there really any benefit to fronting Java Webapps with Apache these days? If so, is Apache still the way to go? Should I look at Nginx? Instead of Tomcat I'm using Glassfish, if that matters.