Please look into my server.xml;
I am not able to redirect port 8019 to https (port 443). I tried various examples on the web but I still cannot get it working. Could anyone help me with what is wrong with my server.xml?
<Connector port="8019" protocol="HTTP/1.1"
connectionTimeout="100000"
redirectPort="443" />
<Connector port="443" maxHttpHeaderSize="8192" SSLEnabled="true"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" clientAuth="false"
keystoreFile="C:\zenfortecertificate\3_zensar_com.pfx" keystorePass="[my password]" keystoreType="PKCS12"
sslEnabledProtocols="TLSv1.2"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"/>
<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />
<Engine name="Catalina" defaultHost="zenforte-stg.zensar.com">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
[...]
</Host>
<Host name="zenforte-stg.zensar.com" appBase="zen_webapps"
unpackWARs="true" autoDeploy="true"/>
</Engine>
There are a few problems with your server.xml. Some of them have to do with your actual question, others are just things you might want to think about.
First, you have two <Connector> elements on the same port (8019):
<Connector port="8019" protocol="HTTP/1.1" connectionTimeout="100000" redirectPort="443" />
and
<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />
So the first thing to do is to pick a connector and remove the other one. If you want to use the AJP protocol with your reverse-proxy or load balancer, then keep the AJP one. Otherwise, use the HTTP one.
The key to redirecting HTTP -> HTTPS is the redirectPort in your non-secure <Connector> (on port 8019, whichever one AJP/HTTP you choose). But the redirect doesn't happen unless your application asks for it. In order to do that, you need this in your application's WEB-INF/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This tells the container (Tomcat) that the application expects "confidential" communication and it will automatically redirect any non-confidential (i.e. insecure) requests to the confidential (i.e. encrypted) protocol on the other port (https/443).
Some other considerations:
Your connectionTimeout of 100 seconds is a long time. You probably want that to be much lower otherwise clients can tie-up your server without accomplishing any work.
Your <Connector> contains all of your secure configuration. Modern Tomcats use a <SSLHostConfig> for all that configuration. This suggests an old configuration with a new server or, worse, an old server. You should try to upgrade to the latest server and use the latest configuration style. The newer configuration style gives you greater control over the configuration and makes it clearer what is happening. (For example, if you want to use RSA + ECDSA, the configuration is more explicit using <SSLHostConfig> + <Certificate> than just specifying the keystore and hoping for the best.
If you aren't using the "localhost" <Host> in your configuration, remove it. Even better, if you don't have any other <Host>s defined, just allow the "localhost" one to cover everything. This makes your configuration less customized from the default, and therefore you have fewer changes to maintain from the stock server.xml.
Specifying disableUploadTimeout="true" doesn't have any effect unless you also specify connectionUploadTimeout
Related
When I open my site www.example.com Tomcat redirect and show www.example.com:8443.
I want when someone open site not to show port 8443. How to solve that problem?
I use tomcat 9.0.68. I installed application on tomcat and set to use SSL on port 8443.
server.xml now look like this:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateFile="conf/cert.pem"
certificateKeyFile="conf/privkey.pem"
certificateChainFile="conf/chain.pem" />
</SSLHostConfig>
</Connector>
And in web.xml I added:
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
What I need to configure more to open site without showing port 8443?
There are multiple ways to accomplish this.
The best way, in my opinion, is using authbind: https://serverfault.com/questions/889122/how-to-get-tomcat-9-to-work-with-authbind-to-bind-to-port-80
It's my opinion this is the best way as the port is allocated directly to the process and follows the unix convention of doing things.
There are other options:
Use haproxy to splice the TCP connections
Use iptables to redirect the port
Use Apache/nginx to proxy the request
I'm trying to set GZIP in Tomcat, I've shown a lot of examples but anyone works for me. Below you can see my server.xml configuration and an example of request:
server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
useSendfile="false"
compression="force" compressionMinSize="1024" noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,text/css,application/javascript"/>
request:
Thanks!
I've found the answer, I've disabled my antivirus and compression works fine.
We want to redirect all traffic that comes to the http url of our application to https, in order to do that we set the following values in the web.xml in the deploy/jboss-web.deployer/conf directory.
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This does successfully redirect the user to the https location HOWEVER they use a different port as to what was configured in the server.xml in the deploy/jboss-web.deployer path
<Connector port="8381" address="${jboss.bind.address}"
maxThreads="350" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8543" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" compression="on" />
<!-- Define a SSL HTTP/1.1 Connector on port 8643
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!---->
<Connector port="8543" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
keystorePass="changeit"
/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"
emptySessionPath="true" enableLookups="false" redirectPort="8543" />
<Engine name="jboss.web" defaultHost="localhost" jvmRoute="data1">
We had the https port set to 8543 which did then work however the https port that did redirect the user to when the user went to the http url was 8744 (when we set 8744 in the server.xml it worked successfully), however we could not find where the 8744 port was taken, does anyone know how to configure which port the first mentioned code placed in the web.xml redirects to
Another query is that when we put this configuration in to production the https port will be "443", we need to know where to set 443 for the "security-constraint" entry to redirect to. Accessing http://www.data.com will have to redirect to https://www.data.com then
Regards,
Milinda
Well, the good news is that in production it will work fine. The security constraint is doing its job, but it is designed to work only between http (80) and https(443).
Pay attention that 8744 - 8381 = 363 = 443 - 80
I am using JBoss-4.2.3.GA and have observed the same behavior, not sure if it is still doing this on Wildfly.
I am having an issue with URL encoding. When I am executing URL on browser, server is encoding it again and again, however the url is already encoded to UTF-8.
eg. http://test.com:80/?gotoUrl=http%3A%2F%2Fclosewindow.xyz.com&modal=true
I am getting - https://test.com/?gotoUrl=http%253A%252F%252Fclosewindow.xyz.com&modal=true
I am running my application on HTTPS and redirecting any request on 80 to HTTPS secure port 443. This problem only occurs if I send request on port 80 and server is redirecting it to secure port 443. If I make request on secure port 443, this problem does not occur.
Following is my tomcat configuration,
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="5000"
compression="on"
compressionMinSize="128"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text /json,
application/x-javascript,application/javascript,application/json"
enableLookups="false"
maxPostSize="4096"
URIEncoding="UTF-8"
redirectPort="8443"
/>
<Connector port="8009"
protocol="AJP/1.3"
URIEncoding="UTF-8"
/>
<Connector
protocol="HTTP/1.1"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/path/keystore" keystorePass="password"
clientAuth="false" sslProtocol="TLS"/>
My environment is like Apache2.2 in on the front and tomcat7.x is connected via AJP with Apache server.
I dig into this issue and I found out that the issue is down to AJP that is using iso-8859-1, however tomcat & Apache are working fine and using UTF-8 encoding. Is there anyway to set encoding to UTF-8 in AJP? I am using mod_proxy_ajp.
Thanks in advance. I would appreciate any help on this.
I suggest the browser is doing it. It doesn't make sense for Tomcat to be doing it. Tomcat would be decoding, not encoding. Try it in the browser with no encoding at all.
I want to to deploy a tomcat server such that it listens on two ports simultaneously (both for http protocol).
Just to make sure that you understand this requirement correclty , We have only one server instance but want to listen on two ports for HTTP protocol. For example anybody can access applications deployed in my server using port numbers 7080 and 8080
Is it possible to do that? If possible how can we achive this?
It's very simple. You only need to take a look at the conf/server.xml configuration file to add a new connector for the port you want. For example, if you have a connector like this:
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
URIEncoding="UTF-8" />
Just add a new connector same as above in the configuration file, but altering the port parameter. That's all. Restart and you're done.
Yes, it is possible. Just edit server.xml (located in the folder named conf) like this:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8081" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8444" />
This will setup Tomcat to listen to both ports 8080 and 8081.
The documenation states:
port: The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address. If the special value of 0 (zero) is used, then Tomcat will select a free port at random to use for this connector. This is typically only useful in embedded and testing applications.
redirectPort: If this Connector is supporting non-SSL requests, and a request is received for which a matching <security-constraint> requires SSL transport, Catalina will automatically redirect the request to the port number specified here.
So, altering the redirectPort is optional, depending on how you want such a redirection to work.
You can define 2 different services in /conf/server.xml .
The example is as below,
<Service name="Catalina_2">
<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8444" />
<Connector port="8010" protocol="AJP/1.3" redirectPort="8444" />
<Engine name="Catalina_2" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps_2" unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
</Engine>
</Service>
Note : You may have required to increase the tomcat heap size.
you can specify the following code in your server.xml
<Service name="sample">
<Connector port="81" protocol="HTTP/1.1" maxThreads="100" connectionTimeout="2000"/>
<Engine name="sample" defaultHost="sample">
<Host name="myhostname" appBase="webapp2">
<Context docBase="C:\websites\sample\" />
</Host>
</Engine>
</Service>
Please, be sure on which user you are running Tomcat, since if you want to use it on any privileged port, you must use it under the root user.
Another thing you can do is to redirect port 80 to 8080 with iptables.
Something like this:
iptables -t nat -A PREROUTING -d 192.168.10.16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
Hope it helps
running tomcat in different port. We have to change four things inside service tag of server.xml file
we have to change port no. like 8080 to 80
we have to change redirectPort no like 8443 to 8444
we have to change Engine name like Catalina to Catalina_2
we have to change appBase name like webapps to webapps_1