My web app is not routing to https by default from http - java

Let's say my app is www.example.com.
When I put mydomin.com in the browser, it should redirect to https://www.example.com.
I have configured SSL already on my server.
If I put https://www.example.com, it always opens, but it does not redirect if I enter example.com.
Here is my connector:
<Connector port="8080" connectionTimeout="20000" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="file.jks" keystorePass="pass" />
My server is Tomcat 7 and Linux box.

Your HTTP port is 8080 instead of the default 80. A URL without a port number will default to port 80, hence http://www.example.com would go to http://www.example.com:80/.
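Added example, not from the question or the answer above: the connector pairing the answer implies, with the plain connector on the default port 80 and its redirectPort matching the TLS connector on 443, plus the web.xml security constraint without which Tomcat never consults redirectPort at all. The keystore file name and password are the placeholders from the question; the url-pattern covering the whole application is an assumption.

```xml
<!-- server.xml (Tomcat 7): plain HTTP on the default port, so http://www.example.com
     reaches this connector without an explicit :8080. On Linux, binding 80 and 443
     needs root or an equivalent privilege/port-forwarding arrangement. -->
<Connector port="80" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- TLS connector; the port must be the one named in redirectPort above. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="file.jks" keystorePass="pass" />

<!-- web.xml of the application (or conf/web.xml to apply it to every application).
     redirectPort is only used when a request matches a constraint that demands
     CONFIDENTIAL transport; without this block Tomcat simply serves the page over
     plain HTTP and no redirect happens. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Tomcat redirects to the same host name the request carried, so a request for bare example.com lands on https://example.com/, not on www.example.com; sending the bare name to www is a DNS or virtual-host matter, and the certificate must then be valid for both names.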

Related

SSL/TLS Connector configuration not working for host for jboss

I am trying to implement SSL for my application using jboss. Below is the implementation in server.xml file.
<Service name="jboss.web"
className="org.jboss.web.tomcat.tc5.StandardService">
<!-- A HTTP/1.1 Connector on port 80
<Connector port="80" address="${jboss.bind.address}"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"/> -->
<!-- A AJP 1.3 Connector on port 8009 -->
<Connector port="8809" address="${jboss.bind.address}"
enableLookups="false" redirectPort="8443" debug="0"
protocol="AJP/1.3"/>
<!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
<Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
This configuration is working for 'https://localhost:8443' on the server but not using my domain, e.g. 'https://test-example.com:8443'.
Please test using this configuration, as I have added SSLEnabled="true". It is mandatory.
<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
If localhost works but not the domain name, then it's probably because the ${jboss.bind.address} is 127.0.0.1. Verify that you're binding the server's IP and not the loopback.

SSL on Tomcat 7 on Azure VM

I tried to configure an SSL certificate for Tomcat 7 (7.0.61) which I installed on an Azure Windows VM.
HTTPS does not work and there are no errors in the Tomcat logs. I use a Digicert certificate which gave me a .jks keystore file. The VM has its own DNS name: myVm.cloudapp.net. I registered my own domain NNN.today at one.com and made a redirection from NNN.today to myVm.cloudapp.net.
When I created the certificate I used NNN.today. I configured endpoints for my VM (http for port 80 and SSL for port 443). The APR listener is commented out in server.xml.
Here is my server.xml config:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true" acceptCount="100"
scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
sslProtocol="TLS" keyAlias="server"
keystoreFile="${catalina.base}/conf/app_farewell_today.jks" keystorePass="my_password" keystoreType="JKS"
truststoreFile="${catalina.base}/conf/app_farewell_today.jks" truststorePass="my_password" truststoreType="JKS"/>
What am I doing wrong? Any help appreciated!
The VM's firewall should be configured to allow these ports as well, and the public endpoint configuration should map to the proper internal ports.

Can I have two connector tags for the same address in server.xml of tomcat?

I have two DNS entries for the same IP address, and two SSL keystores, one for each of them.
Can I mention both keystores in server.xml as shown below?
<Connector address="my_IP_Addres" port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
enableLookups="true" disableUploadTimeout="true"
keystoreFile="1st_keystore_file" keystorePass="1st_key_pass"
clientAuth="false" sslProtocol="SSL" />
<Connector address="my_IP_Addres" port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
enableLookups="true" disableUploadTimeout="true"
keystoreFile="2nd_keystore_file" keystorePass="2nd_key_pass"
clientAuth="false" sslProtocol="SSL" />
No, you cannot use several connectors for a single endpoint with Tomcat. HTTPS is HTTP over SSL. It means:
the client and server establish an SSL connection, using only IP:port pairs during the handshake procedure;
the client and server exchange HTTP messages over the established SSL connection.
The DNS entries (host -> IP) in your case allow the client to resolve the server IP before the SSL handshake. But during the handshake, hostnames are not used. This is why the server cannot resolve which key/cert pair to use in this phase, and this is why only one key/cert pair can be provided.
See HTTPS limitations for more details.

AJP URL encoding

I am having an issue with URL encoding. When I execute a URL in the browser, the server encodes it again and again, although the URL is already UTF-8 encoded.
e.g. http://test.com:80/?gotoUrl=http%3A%2F%2Fclosewindow.xyz.com&modal=true
I am getting: https://test.com/?gotoUrl=http%253A%252F%252Fclosewindow.xyz.com&modal=true
I am running my application on HTTPS and redirecting any request on 80 to HTTPS secure port 443. This problem only occurs if I send request on port 80 and server is redirecting it to secure port 443. If I make request on secure port 443, this problem does not occur.
Following is my tomcat configuration,
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="5000"
compression="on"
compressionMinSize="128"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,
application/x-javascript,application/javascript,application/json"
enableLookups="false"
maxPostSize="4096"
URIEncoding="UTF-8"
redirectPort="8443"
/>
<Connector port="8009"
protocol="AJP/1.3"
URIEncoding="UTF-8"
/>
<Connector
protocol="HTTP/1.1"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/path/keystore" keystorePass="password"
clientAuth="false" sslProtocol="TLS"/>
My environment is Apache 2.2 on the front, with Tomcat 7.x connected to the Apache server via AJP.
I dug into this issue and found out that it is down to AJP using ISO-8859-1, whereas Tomcat and Apache are working fine and using UTF-8 encoding. Is there any way to set the encoding to UTF-8 in AJP? I am using mod_proxy_ajp.
Thanks in advance. I would appreciate any help on this.
I suggest the browser is doing it. It doesn't make sense for Tomcat to be doing it. Tomcat would be decoding, not encoding. Try it in the browser with no encoding at all.

Tomcat 6 SSL configuration - in Chrome error saying that renegotiation is disabled!

I have a problem where Google Chrome is showing:
The site uses SSL, but Google Chrome has detected either high-risk insecure content on the page or problems with the site's certificate. Don't enter sensitive information on this page. Invalid certificate or other serious https issues could indicate that someone is attempting to tamper with your connection to the site.
This message shows up as a crossed-out red https sign.
How should I configure Tomcat to get rid of the message shown in detail in the picture below?
I found this link but can't make out from it how to fix this:
http://code.google.com/p/chromium/issues/detail?id=72716
Also there is a mention of an OpenSSL problem with APR (what would be the OpenSSL alternative?):
http://tomcat.apache.org/security-native.html
I have a GeoTrust Business ID certificate which is more than adequate for the site and should be secure enough. So I believe this is some issue with either Tomcat or Java.
Working configuration in server.xml:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="16384"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
acceptCount="100"
connectionTimeout="20000"
disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
scheme="https"
secure="true"
SSLEnabled="true"
sslProtocol="TLS"
clientAuth="false"
keystoreFile="/usr/share/tomcat6/conf/tomcat.keystore" keystorePass="somepass"
/>
is giving me the error in the picture:
UPDATE - Going native
<Connector port="443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxHttpHeaderSize="16384"
maxThreads="150"
enableLookups="false"
acceptCount="100"
disableUploadTimeout="true"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
scheme="https"
secure="true"
SSLEnabled="true"
SSLCertificateFile="/tomcat/conf/cert.crt"
SSLCertificateKeyFile="/tomcat/conf/key.pem"
SSLCACertificateFile="/tomcat/conf/rootandintermidiate.crt"
clientAuth="optional"
/>
This seemed to do the trick!
According to:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
"The APR connector uses different attributes for SSL keys and certificates."
The example they give for JSSE is:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
and then for APR:
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="optional" SSLProtocol="TLSv1"/>
The first thing I noticed was that SSLProtocol is different (both the attribute and its value) and it doesn't use keystoreFile. This appears to be because:
"If the installation uses APR - i.e. you have installed the Tomcat native library - then it will use the APR SSL implementation."
The attributes in your example relate to the JSSE implementation, so I'm assuming the issue relates to the use of the NIO protocol and / or APR. Change your Connector to use the attributes designed solely for APR and remove the JSSE ones (or vice versa).