HTTPS Wildcard Subdomain: DNS + Apache + Tomcat Config

I recently had to configure HTTPS on a wildcard subdomain with Apache HTTP Server as a reverse proxy to a Tomcat backend. I had a few more requirements:

  1. Redirect all http traffic to https and preserve the subdomain (hostname). For instance:
    • http://sub1.example.com/ -> redirect to -> https://sub1.example.com/
    • http://sub2.example.com/ -> redirect to -> https://sub2.example.com/
    • etc.
  2. I want to have a PHP wiki on the subdirectory /wiki and I want to send the rest of the traffic to Tomcat.
  3. Tomcat needs to know the subdomain (hostname) and will serve content accordingly.
  4. I don’t know the subdomains in advance because they are chosen by users, just like *.wordpress.com

A few parts were not trivial, so I will share my setup.

DNS Wildcard Subdomain Configuration

DNS is probably the easiest part. Nowadays, most domain registrars offer good DNS support for free with your domain. If that is not the case with your registrar, you may want to consider Namecheap. Their DNS also supports wildcard entries. Otherwise, you can use the popular BIND DNS server. Here is how to configure a wildcard entry in BIND. Replace 55.55.55.55 with your IP address. Two things to keep in mind with wildcard records: they only match names that have no record of their own (an explicit www or mail record always wins over the wildcard), and they do not cover the bare domain example.com, which needs its own A record.

Apache Wildcard Subdomain Configuration

This was trickier. The Apache HTTP server configuration has 2 main parts.

1. HTTP (port 80): We use mod_rewrite to redirect all traffic for *.example.com to https (port 443) and we preserve the hostname with the %{HTTP_HOST} variable.

2. HTTPS (port 443): Except for the PHP subdirectory (/wiki), we reverse proxy all traffic to Tomcat, which listens on port 9090 of localhost.
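The two parts above, as an added configuration example (this is not the original post's config). It uses Apache 2.4 syntax and needs mod_rewrite, mod_ssl, mod_proxy, mod_proxy_http and mod_headers; the certificate and wiki paths are placeholders. The RewriteCond restricts the redirect to names this server actually serves, because %{HTTP_HOST} is taken from the client's Host header, and the /wiki exclusion has to come before the catch-all ProxyPass.

```apache
# Added example, not the post's own configuration. Paths are placeholders.
<VirtualHost *:80>
    ServerName  example.com
    ServerAlias *.example.com

    RewriteEngine On
    # %{HTTP_HOST} is client-supplied. Only redirect to names we serve, so an
    # arbitrary Host value is never echoed into the Location header.
    RewriteCond %{HTTP_HOST} ^([a-z0-9-]+\.)?example\.com$ [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName  example.com
    ServerAlias *.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/wildcard.example.com.key
    # Intermediate chain; Apache 2.4.8+ also accepts it appended to SSLCertificateFile.
    SSLCertificateChainFile /etc/ssl/certs/wildcard.example.com.chain.crt
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # The PHP wiki is served by Apache itself and must be excluded from the proxy.
    Alias /wiki /var/www/wiki
    <Directory /var/www/wiki>
        Require all granted
    </Directory>

    # Reverse proxy only; ProxyRequests On would make this an open forward proxy.
    ProxyRequests Off
    # Exclusions must precede the catch-all mapping.
    ProxyPass        /wiki !
    ProxyPass        / http://localhost:9090/
    ProxyPassReverse / http://localhost:9090/

    # mod_proxy adds X-Forwarded-For/Host/Server itself but not the scheme.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The RewriteCond pattern assumes the Host header carries no explicit port, which is what browsers send for the default ports; add an optional (:[0-9]+)? before the $ if clients on non-default ports must be redirected too.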

Tomcat Wildcard Subdomain Configuration

Below you’ll find the configuration of Tomcat (in server.xml), which is quite standard. Actually, we do not need to define any “wildcard”; we just define a defaultHost in the Engine element, so every request reaches that one Host regardless of its hostname. Then we deploy a ROOT.war in the webapps directory (/opt/example.com/tomcat7/webapps) to serve all content at the root context path. Since Tomcat does no host-based dispatching in this setup, the application itself has to look at the hostname.

How does Tomcat Know the Subdomain?

With this configuration, all content will be sent to Tomcat with “localhost” as the hostname. Fortunately, the Apache reverse proxy will send extra request headers to Tomcat, namely:

X-Forwarded-For: The IP address of the client.

X-Forwarded-Host: The original host requested by the client in the Host HTTP request header.

X-Forwarded-Server: The hostname of the proxy server.

So in Tomcat (or any other servlet container), just read the “X-Forwarded-Host” request header with the Java code below and you’ll know the subdomain. Two caveats a practitioner will want: first, these headers are only trustworthy if the only way to reach Tomcat is through Apache, so bind the Tomcat HTTP connector on port 9090 to 127.0.0.1 (address="127.0.0.1" on the Connector element); anyone who can reach the port directly can set them to arbitrary values. Second, mod_proxy appends its value to any X-Forwarded-Host header the client already sent rather than replacing it, so the backend may receive a comma-separated list and must take the last entry. In both cases, validate the hostname against the *.example.com pattern before using it for anything (lookups, generated links, cookies).

 
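An added example of that servlet-side lookup (this is my code, not the original post's). It assumes the javax.servlet API of Tomcat 7/8 (Tomcat 10 uses jakarta.servlet), the parent domain example.com, and a small list of reserved labels that users may not claim; all three are assumptions. It takes the last X-Forwarded-Host entry, falls back to the Host header (which is what ProxyPreserveHost On delivers), strips any port, and only accepts a single well-formed DNS label under the parent domain.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

/** Added example: derive the user-chosen subdomain from a reverse-proxied request. */
public final class ForwardedHost {

    // Assumption: the parent domain behind the wildcard.
    private static final String BASE_DOMAIN = "example.com";

    // One DNS label as permitted by *.example.com: letters, digits and hyphens,
    // not starting or ending with a hyphen, at most 63 characters.
    private static final Pattern LABEL =
            Pattern.compile("[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?");

    // Assumption: labels users must not be able to register for themselves.
    private static final Set<String> RESERVED =
            new HashSet<>(Arrays.asList("www", "mail", "admin", "api"));

    private ForwardedHost() { }

    /**
     * Returns the subdomain label of the request, or null when the request is
     * not for a valid, non-reserved *.example.com host.
     */
    public static String subdomain(HttpServletRequest req) {
        String host = req.getHeader("X-Forwarded-Host");
        if (host == null || host.isEmpty()) {
            // With ProxyPreserveHost On the original Host header arrives unchanged.
            host = req.getHeader("Host");
        }
        return subdomainFromHost(host);
    }

    /** Pure function on the header value so it can be unit-tested without a container. */
    static String subdomainFromHost(String rawHeader) {
        if (rawHeader == null) {
            return null;
        }
        // mod_proxy appends to any X-Forwarded-Host the client sent: "evil, sub1.example.com".
        // The entry Apache added is always the last one.
        String host = rawHeader.substring(rawHeader.lastIndexOf(',') + 1).trim();

        int colon = host.indexOf(':');
        if (colon >= 0) {
            host = host.substring(0, colon); // drop an explicit port
        }
        host = host.toLowerCase(Locale.ROOT);

        String suffix = "." + BASE_DOMAIN;
        if (!host.endsWith(suffix)) {
            return null; // bare domain or a foreign host
        }
        String label = host.substring(0, host.length() - suffix.length());
        if (!LABEL.matcher(label).matches() || RESERVED.contains(label)) {
            return null;
        }
        return label;
    }
}
```

Returning null for anything that does not validate, and treating that as "unknown site" in the application, is what keeps a forged or malformed hostname from being reflected into generated links or used as a lookup key. X-Forwarded-For deserves the same scepticism: if you use it for anything like access control or rate limiting, configure Tomcat's RemoteIpValve with the proxy's address as the only trusted source instead of reading the header yourself.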

Alternatively, you may also use the ProxyPreserveHost On directive in the Apache configuration, and you should be able to get the hostname (subdomain) normally in Tomcat through the Host header. It is still client-supplied input and needs the same validation. NOTE: I haven’t tested that setup.

Bonus: Wildcard SSL Certificate

Of course you’ll need a wildcard SSL certificate. Those are usually very expensive, but Namecheap resells Comodo wildcard certificates at a very good price. (Since 2018, Let’s Encrypt also issues wildcard certificates free of charge; they require DNS-01 validation.) Two things to remember: *.example.com covers exactly one label level, so it matches sub1.example.com but neither example.com itself nor a.b.example.com, unless those names are listed as additional SANs; and the single private key serves every subdomain, so keep it readable by root only. No, I do not have any interest in Namecheap, they just happen to be very good at what they do :)

How to Add a Free “Client Login” to your Website

This two-step tutorial explains how you can add a professional and fully functional Client Login form to any website at no cost. See below a screenshot of my website with this Client Login form (in the navbar, top-right corner):

Client Login

This “Client Login” will allow you to securely exchange any files (big and small) with your clients: invoices, statements, project plans, photo/video productions, etc.

Step 1. Get a free account at IO Road

IO Road is a professional file transfer service designed to transfer BIG files (a few GB) securely. The good thing about it: no monthly fees. This means you can sign up (no credit card required), configure it (your brand), add users (clients), and it costs $0. You even get free credits at sign-up.

NOTE: There will be a fee only when (and if) you transfer files, but the rates are very low anyway: $0.000122 per MegaByte.

Signing up to IO Road is straightforward, but if you need some help, refer to the wiki page Sign up to IO Road in 3 Steps. When this step is completed, you will own the new domain: MyDomain.ioroad.com

Step 2. Add the “Client Login” (HTML) to your website

Variant 1: Simple Link

On the top menu, you can add a simple link like this

In the code above, change mydomain to the domain you chose at IO Road.

Variant 2: Client Login Form

If you have more real-estate in your menu you can go with the html form with this code:

Here again, change mydomain to the domain you chose at IO Road.

Caution: Make sure to use https (not http) in the form “action” attribute, otherwise this will not work, and the credentials would be submitted in cleartext.

 

Ubuntu 14.04 Apache Reverse Proxy Rewrite HTML Links

I just wasted a few hours on this, so I will share a few tips. If you want to set up a reverse proxy and rewrite links in HTML pages, you can use the Apache module mod_proxy_html.

Step 1. Install and enable Apache mod_proxy and mod_proxy_html (on Ubuntu 14.04 the package is libapache2-mod-proxy-html; enable the proxy, proxy_http, proxy_html and xml2enc modules with a2enmod)

 

Step 2. Apache configuration

In Ubuntu 14.04 LTS, it does not work “out of the box”, because some standard config is missing when enabling mod_proxy_html. More specifically, the ProxyHTMLLinks directives are missing in Ubuntu 14.04. I say “missing”, because those directives are included by default in earlier releases and in other distros (in a file called proxy_html.conf). Without them the filter has no idea which attributes carry URLs and rewrites nothing. Also, pay particular attention to the directives ProxyHTMLEnable, ProxyHTMLExtended and SetOutputFilter.

So, let’s say you want to have your apache server at http://host1.example.com/path1 to serve (proxy) the content of the server at http://host2.example.com/path2 and rewrite HTML links. Here is the config that works for me on Ubuntu 14.04 LTS.

 
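The setup described above, as an added configuration example (not the post's own config). It assumes apache2 on Ubuntu 14.04 with the proxy, proxy_http, proxy_html, xml2enc and headers modules enabled, and uses the placeholder names host1.example.com/path1 and host2.example.com/path2 from the text. The ProxyHTMLLinks table is the standard one shipped in proxy_html.conf by other releases.

```apache
# Added example, not the post's own configuration.

# Ubuntu 14.04 ships without this table; without it the filter rewrites nothing.
<IfModule mod_proxy_html.c>
    ProxyHTMLLinks  a          href
    ProxyHTMLLinks  area       href
    ProxyHTMLLinks  link       href
    ProxyHTMLLinks  img        src longdesc usemap
    ProxyHTMLLinks  object     classid codebase data usemap
    ProxyHTMLLinks  q          cite
    ProxyHTMLLinks  blockquote cite
    ProxyHTMLLinks  ins        cite
    ProxyHTMLLinks  del        cite
    ProxyHTMLLinks  form       action
    ProxyHTMLLinks  input      src usemap
    ProxyHTMLLinks  head       profile
    ProxyHTMLLinks  base       href
    ProxyHTMLLinks  script     src for

    ProxyHTMLEvents onclick ondblclick onmousedown onmouseup onmouseover \
                    onmousemove onmouseout onkeypress onkeydown onkeyup \
                    onfocus onblur onload onunload onsubmit onreset \
                    onselect onchange
</IfModule>

<VirtualHost *:80>
    ServerName host1.example.com

    # Reverse proxy only; never let this host act as a forward proxy.
    ProxyRequests Off
    ProxyPass        /path1/ http://host2.example.com/path2/
    ProxyPassReverse /path1/ http://host2.example.com/path2/

    <Location /path1/>
        # Ask the backend for an uncompressed body: gzip output cannot be rewritten.
        RequestHeader unset Accept-Encoding

        ProxyHTMLEnable   On
        ProxyHTMLExtended On      # also rewrite URLs inside inline scripts and styles
        # Map both absolute and root-relative backend links to our prefix.
        ProxyHTMLURLMap http://host2.example.com/path2/ /path1/
        ProxyHTMLURLMap /path2/ /path1/
        # Older configurations attach the filter explicitly instead of ProxyHTMLEnable:
        # SetOutputFilter proxy-html
    </Location>
</VirtualHost>
```

Only the attributes named in ProxyHTMLLinks (plus inline script and style text when ProxyHTMLExtended is on) are rewritten; URLs the backend emits in data-* attributes, JSON responses or Location headers from redirects outside /path2/ come through untouched, so check the proxied pages for links that still point at host2 before going live.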

Retiring FTP: 10 Tips for a Replacement Technology

OpCode Solutions is the creator of ioroad.com, a professional file transfer service designed for businesses.

If your business still uses an FTP server to transfer big files, you may already be considering a replacement. Many businesses have already moved away from FTP, and for good reasons. FTP is an old protocol that sends credentials and file contents in cleartext, is hard to implement and maintain in today’s networking environment (its separate data connections sit badly behind firewalls and NAT), can be difficult to administer (create users, manage permissions, etc.) and is challenging for non-technical users. This post is not intended to list all issues related to FTP, but rather to offer a viable alternative for companies wanting to move away from the legacy File Transfer Protocol (FTP).

There are many things you have to consider when choosing a file transfer solution for your business. Here is a list of 10 characteristics to take into account.

1. Free vs Paid

There are many “free file transfer” solutions out there. Unfortunately, transferring files cost money in terms of bandwidth and servers. Those “free” service providers make their money by displaying advertisements to users. This is OK when you send a video of your child to your mom, but it is NOT OK when sending important files to your clients. A service with No Ads is essential to maintain your credibility with clients. Also, most “free” solutions impose severe limits (file size, bandwidth, speed) and lack business features like security, multi-user, delivery notifications, etc. A few dollars from your pocket can go a long way.

2. Security

This is the #1 reason why most companies moved away from FTP. Security is very important because most files you share with clients are confidential. You want to make sure only your recipient can access the files you share. File transfers must be encrypted (HTTPS, TLS) so they cannot be read by anyone on the network path. Also, you want a service offering password protection. If anyone can get the file by clicking a link (without a password), your confidential data is at risk.

3. Receiving files

Unlike FTP, many file transfer services work only one way: sending files. This means you’ll be able to send large files to your client, but the service will not allow you to receive files from your client. This may or may not be an issue depending on your needs. To offer a first class experience to your clients, consider file transfer solutions that work both ways and allow you to receive large files from your client, just like FTP.

4. Limits

Check the limits. Limits can be in terms of file size, storage, bandwidth, or concurrent or total file transfers. Beware of “unlimited” offerings. As said earlier, transferring data costs money. Some providers claim to offer “unlimited” service, but will have very slow file transfer speeds, effectively limiting your ability to transfer files. Waiting 25 minutes to transfer a huge file is understandable, but waiting 25 hours for that same file is long, very frustrating and can jeopardize your business. You also want a service that can adapt to your needs over time: easy upgrade and downgrade.

5. Ease of use

This was another complaint about FTP. You want a service that is intuitive so that your clients (and employees) can use it easily. Transferring files should be as simple as sending an email. You want a service that requires no software installation. People do not like to install yet another piece of software they do not trust (malware?). A web-based service accessed from a browser (over HTTPS) is preferable. Also, some nice additions to look for are drag-and-drop and progress bars for file transfers (uploads and downloads). Transferring large files can take a lot of time, and the worst thing is “not knowing if my current upload/download is working”.

6. Multi-User

This is a must-have if you are working in teams. Each team member can have their own access to the service with their own permissions, just like FTP. Employees can get sick, take vacation and even leave the company. You may be tempted to work around this by sharing the same user/password with all team members, but this is probably not allowed by the service provider. Also, doing this has several drawbacks: you cannot give each person different permissions, you cannot revoke one person’s access without changing the password for everyone, and you allow anybody in your team to hijack the account by changing that shared password. Moreover, if the service has some sort of “audit logs”, you will lose the ability to know who did what, because everything is done under the same username. Multi-user should not be costly, because it does not cost much for the service provider to implement this feature.

7. Delivery notifications

That feature is just too nice to be missing. It is good to know that your client correctly received your file, or that a client just uploaded a new file for you. You should not have to install yet another app on your phone to get notifications, email notifications are universal. Also, you should be able to configure the system so that notifications are sent to many people.

8. Audit logs

Sometimes, you need to know what happened with a file: who uploaded it, who downloaded it, who deleted it and when. For audit purposes, you may also need to know what a specific user did in the last 4 weeks. Audit logs are nice to have.

9. Branding (white label)

When transferring files with your client, take that opportunity to communicate your brand. For large file transfers, your client may be on that screen for longer than when he visited your website. Offer a good experience: show your colours, your company name and tagline.

10. Price

Last but not least, you want a reasonable and sustainable price. Money is hard to earn and your business already has a lot of recurring costs. There is no reason for a service provider to ask the payment of one full year in advance. And you should not have to pay anything when you don’t use the service. Use IO ROAD and pay only for what you use.

Conclusion

IO ROAD is packed with all those business features and has a unique pricing model in the industry: Pay As You Go. You can register and try the service for free, no credit card required.

Programmatically Configure Hibernate (JPA) with DBCP

I recently had deadlock issues with c3p0 and statement caching. Long story short, after investigating c3p0 code, I decided to switch to DBCP (maybe I’ll write a post with the long story).

I am not a big fan of Spring (here again, maybe I’ll write a post about that). If you are like me, here is how to programmatically configure Hibernate (JPA) to use DBCP, without Spring and without JNDI.
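An added example of that programmatic wiring (this is my code, not the original post's). It assumes Hibernate 4.3 or later, commons-dbcp2 (for DBCP 1.x the package is org.apache.commons.dbcp and maxTotal/maxWaitMillis are called maxActive/maxWait), a PostgreSQL driver, and a persistence unit named "example" in META-INF/persistence.xml that lists the entity classes but no connection settings; all of those are assumptions. The pool object is handed to Hibernate directly through the hibernate.connection.datasource setting, which accepts a DataSource instance as well as a JNDI name, so neither Spring nor JNDI is involved.

```java
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;
import org.apache.commons.dbcp2.BasicDataSource;

/** Added example: Hibernate (JPA) on top of a DBCP pool, without Spring or JNDI. */
public final class DbcpJpaBootstrap {

    private DbcpJpaBootstrap() { }

    /** Builds the pool. Credentials come from the environment, never from the jar. */
    static BasicDataSource createDataSource() {
        BasicDataSource ds = new BasicDataSource();
        ds.setDriverClassName("org.postgresql.Driver");          // assumption: PostgreSQL
        ds.setUrl(required("DB_URL"));                           // e.g. jdbc:postgresql://localhost:5432/app
        ds.setUsername(required("DB_USER"));
        ds.setPassword(required("DB_PASSWORD"));

        ds.setInitialSize(2);
        ds.setMaxTotal(20);            // DBCP 1.x: setMaxActive
        ds.setMaxIdle(10);
        ds.setMaxWaitMillis(5000);     // fail fast instead of hanging when the pool is exhausted; DBCP 1.x: setMaxWait

        ds.setValidationQuery("SELECT 1");
        ds.setTestOnBorrow(true);

        // DBCP's prepared-statement cache, the feature that was troublesome in c3p0.
        ds.setPoolPreparedStatements(true);
        ds.setMaxOpenPreparedStatements(100);

        // Reclaim connections the application forgot to close, and log where they were borrowed.
        ds.setRemoveAbandonedOnBorrow(true);
        ds.setRemoveAbandonedTimeout(60);
        ds.setLogAbandoned(true);
        return ds;
    }

    /** Boots Hibernate through the JPA API, passing the DataSource object itself. */
    static EntityManagerFactory createEntityManagerFactory(BasicDataSource ds) {
        Map<String, Object> props = new HashMap<>();
        props.put("hibernate.connection.datasource", ds);   // DataSource instance, not a JNDI name
        props.put("hibernate.dialect", "org.hibernate.dialect.PostgreSQLDialect");
        props.put("hibernate.hbm2ddl.auto", "validate");    // never let the app rewrite the schema in production
        props.put("hibernate.show_sql", "false");
        // Assumption: "example" is a RESOURCE_LOCAL persistence unit in META-INF/persistence.xml.
        return Persistence.createEntityManagerFactory("example", props);
    }

    private static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    public static void main(String[] args) {
        final BasicDataSource ds = createDataSource();
        final EntityManagerFactory emf = createEntityManagerFactory(ds);
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            emf.close();
            try {
                ds.close();
            } catch (SQLException e) {
                System.err.println("closing pool: " + e.getMessage());
            }
        }));
    }
}
```

Keeping maxWaitMillis finite is the setting worth highlighting: with an unbounded wait, a leaked connection or a slow query turns into request threads piling up forever, which looks exactly like the deadlock the post describes.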

With DBCP, all my deadlock issues disappeared. Thank you ASF.

How to fix java.lang.OutOfMemoryError: Java heap space

If you get an OutOfMemoryError with the message “Java heap space” (not to be confused with the message “PermGen space”), it simply means the JVM ran out of heap, the memory area where all objects are allocated. When it occurs, you basically have 2 options:

Solution 1. Allow the JVM to use more memory

With the -Xmx JVM argument, you can set the maximum heap size. For instance, you can allow the JVM to use 2 GB (2048 MB) of heap with the following command (java -Xmx2048m followed by your usual arguments):

Solution 2. Improve or fix the application to reduce memory usage

In many cases, like in the case of a memory leak, that second option is the only good solution. A memory leak happens when the application creates more and more objects and never releases them. The garbage collector cannot collect those objects because they are still reachable, and the application will eventually run out of memory. At this point, the JVM will throw an OOM (OutOfMemoryError).

A memory leak can stay hidden for a long time. For instance, the application might behave flawlessly during development and QA. However, it suddenly throws an OOM after several days in production at a customer site. To solve that issue, you first need to find its root cause. The root cause can be very hard to find in development if the problem cannot be reproduced. Follow these steps to find the root cause of the OOM:

Step 1. Generate a heap dump on OutOfMemoryError

Start the application with the VM argument -XX:+HeapDumpOnOutOfMemoryError, optionally together with -XX:HeapDumpPath=<directory> to choose where the file is written. This tells the JVM to produce a heap dump when an OOM occurs. Treat that file as sensitive: it contains everything the application held in memory, including passwords, session identifiers and keys, so point HeapDumpPath at a directory only the service account can read.

Step 2. Reproduce the problem

Well, if you cannot reproduce the problem in dev, you may have to use the production environment. When you reproduce the problem and the application throws an OOM, it will generate a heap dump file.

Step 3. Investigate the issue using the heap dump file

Use VisualVM to read the heap dump file and diagnose the issue. Up to JDK 8, VisualVM is a program located in JDK_HOME/bin/jvisualvm; from JDK 9 on it is a separate download. The heap dump file has all information about the memory usage of the application. It allows you to navigate the heap and see which objects use the most memory and what references prevent the garbage collector from reclaiming the memory. Here is a screenshot of VisualVM with a heap dump loaded:

Heap Dump in VisualVM

This will give you very strong hints and you will (hopefully) be able to find the root cause of the problem. The problem could be a cache that grows indefinitely, a list that keeps collecting business-specific data in memory, a huge request that tries to load almost all data from database in memory, etc.

Once you know the root cause of the problem, you can elaborate solutions to fix it. In case of a cache that grows indefinitely, a good solution could be to set a reasonable limit to that cache. In case of a query that tries to load almost all data from database in memory, you may have to change the way you manipulate data; you could even have to change the behavior of some functionalities of the application.

Manually triggering heap dump

If you do not want to wait for an OOM, or if you just want to see what is in memory now, you can manually generate a heap dump. Here are 2 options to manually trigger a heap dump.

Option 1. Use VisualVM

Open VisualVM (JDK_HOME/bin/jvisualvm), right-click on the process on the left pane and select Heap Dump. That’s it.

Option 2. Use command line tools

If you do not have a graphical environment and can’t use VNC (VisualVM needs a graphical environment), use jps and jmap to generate the heap dump file: jps prints the process id, and jmap -dump:format=b,file=heap.bin <pid> writes the dump (add live, as in -dump:live,format=b,..., to force a GC first and keep only reachable objects). On JDK 7 and later, jcmd <pid> GC.heap_dump <file> does the same. Those programs are also located in JDK_HOME/bin/.

Finally copy the heap dump file (heap.bin) to your workstation over an encrypted channel such as scp, delete it from the server once you are done, and use VisualVM to read the heap dump: File -> Load…

Alternatively, you can also use jhat to read heap dump files (jhat was removed from the JDK in version 9).
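A third way, as an added example (my code, not the original post's): trigger the dump from inside the JVM through the HotSpotDiagnosticMXBean, which is what jcmd and VisualVM do under the hood. This is useful when you want an admin endpoint or a signal handler to capture the heap at a moment of your choosing. It assumes a HotSpot JVM (JDK 7 or later) on a POSIX file system, since it creates the output directory with owner-only permissions; both are assumptions.

```java
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import com.sun.management.HotSpotDiagnosticMXBean;

/** Added example: write a heap dump of the running JVM into a directory only the owner can read. */
public final class HeapDumper {

    private HeapDumper() { }

    /**
     * Writes an hprof dump into {@code dir} and returns its path.
     *
     * @param liveObjectsOnly true to run a full GC first and dump only reachable objects,
     *                        which is what you want when hunting a leak
     */
    public static Path dump(Path dir, boolean liveObjectsOnly) throws Exception {
        // A heap dump contains whatever the application holds in memory: passwords,
        // session ids, keys. Create the directory with mode 0700 so other local users
        // cannot read it. (Permissions of an already existing directory are left as they are.)
        Files.createDirectories(dir,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));

        // RuntimeMXBean.getName() is "pid@hostname"; the timestamp keeps repeated dumps apart.
        String name = "heap-" + ManagementFactory.getRuntimeMXBean().getName()
                + "-" + System.currentTimeMillis() + ".hprof";
        Path file = dir.resolve(name);

        // HotSpot-specific platform MXBean; dumpHeap refuses to overwrite an existing file.
        HotSpotDiagnosticMXBean bean =
                ManagementFactory.getPlatformMXBean(HotSpotDiagnosticMXBean.class);
        bean.dumpHeap(file.toString(), liveObjectsOnly);
        return file;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: /var/tmp/heapdumps is a placeholder; pass your own directory as args[0].
        Path dir = Paths.get(args.length > 0 ? args[0] : "/var/tmp/heapdumps");
        Path written = dump(dir, true);
        System.out.println("heap dump written to " + written);
    }
}
```

If you expose this through an HTTP endpoint, put it behind authentication and never on the public interface: it lets the caller freeze the JVM for the duration of the dump and produces a file with every secret the process holds.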

Solution 3 (bonus). Call me

You can also contact my application development company and I can personally help you with those kind of issues :)

How to fix java.lang.OutOfMemoryError: PermGen space

When you get an OutOfMemoryError with the message “PermGen space” (not to be confused with the message “Java heap space”), this means the permanent generation, the area where the JVM stores class definitions and other class metadata, is exhausted. Fortunately, most of the time, this is easy to fix. Note that the permanent generation only exists up to Java 7; Java 8 replaced it with Metaspace, which grows on demand and is capped with -XX:MaxMetaspaceSize instead, and -XX:MaxPermSize is ignored there with a warning.

Solution 1 (your best bet). Increase the size of PermGen space

If you have a Java process that uses a lot of classes (lots of jars) or if you have many applications deployed to your application container (Tomcat), you can allocate more memory to that “PermGen space” using the -XX:MaxPermSize VM argument. For instance, to allocate 512 MB of RAM to PermGen space, use -XX:MaxPermSize=512m:

Solution 2. Restart your application container

You can get this error if you redeploy an application (webapp) several times without restarting your application container (like Tomcat). Most application containers support hot redeployment, but class loading is complex and sometimes old class definitions remain in memory. In that case, your best option is to get into the habit of always restarting your application container (Tomcat) after you deploy an application to it. This is easy and it fixes many problems.

Solution 3. Fix your class-loader leak

If none of the above works, you are in trouble :( Seriously, unless you hacked the class loading of the JVM or application container, you should not have that problem. Or maybe it is a bug in a library you are using or in your application container; you can try upgrading to the latest versions. The usual culprits are things a webapp starts and never stops: threads, ThreadLocals, timers, and JDBC drivers registered by the webapp’s class loader. Tomcat logs warnings about exactly these when a webapp is stopped (“appears to have started a thread … likely to create a memory leak”, “registered the JDBC driver … but failed to unregister it”), so read the container log on redeploy. If you hacked the class loaders yourself, you may want to reconsider it. Why did you do that? Unless you are developing a JVM or an application container, you should not have to do that.

New website for my software development company

My application development company just got a new website. It shows more relevant information and has a lean design powered by Bootstrap. It is now hosted on Amazon EC2. If you need software for your business, call us. We will discuss your project and we’ll give you a free quote; see our pricing and application hosting packages. All the applications we develop run on desktop, tablet and smartphone out of the box.

Alright, enough bragging, back to work now!

VisualVM slow with heap dump files

One great feature of VisualVM is that it can read heap dump files. Heap dumps are useful to diagnose memory leaks. See this post for more details about memory leaks and how to solve them.

Why VisualVM is slow with heap dump

Another great feature of VisualVM is that you can read a huge heap dump file and VisualVM will consume a minimal amount of memory to do so. For instance, you will be able to read an 8 GB heap dump file with VisualVM running on a development workstation having only 2 GB of RAM. In order to achieve that, VisualVM parses the heap dump file and creates a work file on disk in the default system temp folder (/tmp by default on Linux). In theory that’s great, but in practice, VisualVM becomes painfully slow because it constantly has to do disk I/O to process the information.

This behavior is even more frustrating if you happen to have a server with 12 GB of RAM available to you. A simple solution for that is to create a RAM disk and tell VisualVM to use that RAM disk as the tmp folder.

The solution: use a RAMDisk

First, create the RAM disk (tmpfs). Here I am on a Linux development server and I create a tmp folder in my home. Then I create (mount) the RAM disk on the tmp folder I just created, with a size large enough for the work file and a mode of 0700 owned by my user, since the work file is derived from the heap dump and contains the same secrets (for example: mkdir -p ~/tmp, then sudo mount -t tmpfs -o size=8g,mode=0700,uid=$(id -u),gid=$(id -g) tmpfs ~/tmp):

Then I launch VisualVM and I set the java.io.tmpdir VM argument that tells VisualVM where the system tmp folder is; the launcher passes JVM options prefixed with -J, so this is jvisualvm -J-Djava.io.tmpdir=$HOME/tmp (VisualVM picks the option up at startup only, so set it before opening the dump). Unmount the tmpfs when you are done so the parsed heap does not linger in memory.

Now VisualVM is much much faster and I can investigate and find the root cause of that memory leak much faster.

Good Camel Games – Fun Multiplayer Games

We are pleased to announce the launch of another Web 2.0 application powered by OpCode Solutions: Good Camel Games – Fun Multiplayer Games. Good Camel Games provides real-time multiplayer games with public and private chat rooms. Games are free and are online; no need to pay or download anything. No registration is required, just enter the app and play with real people around the world, in real-time. On the client side, the app uses Google Web Toolkit (no flash, no plugin required). On the server side, we have Java back-end under Tomcat. What is fun about Good Camel Games it is that games are short and easy to play, so you can enjoy a game even if you only have 2 minutes.