We want to redirect all traffic that comes to the http URL of our application to https. In order to do that, we set the following values in the web.xml in the deploy/jboss-web.deployer/conf directory.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This does successfully redirect the user to the https location; HOWEVER, it uses a different port from the one configured in the server.xml in the deploy/jboss-web.deployer path:
<Connector port="8381" address="${jboss.bind.address}"
           maxThreads="350" maxHttpHeaderSize="8192"
           emptySessionPath="true" protocol="HTTP/1.1"
           enableLookups="false" redirectPort="8543" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" compression="on" />
<!-- Define a SSL HTTP/1.1 Connector on port 8543
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8543" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/localhost.keystore"
           keystorePass="changeit" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" address="${jboss.bind.address}" protocol="AJP/1.3"
           emptySessionPath="true" enableLookups="false" redirectPort="8543" />
<Engine name="jboss.web" defaultHost="localhost" jvmRoute="data1">
We had the https port set to 8543, which did then work. However, the https port the user was redirected to when going to the http URL was 8744 (when we set 8744 in the server.xml it worked successfully). We could not find where the 8744 port was taken from. Does anyone know how to configure which port the code placed in the web.xml above redirects to?
Another query is that when we put this configuration into production the https port will be "443"; we need to know where to set 443 for the "security-constraint" entry to redirect to. Accessing http://www.data.com will then have to redirect to https://www.data.com.
Regards,
Milinda
Well, the good news is that in production it will work fine. The security constraint is doing its job, but it is designed to work only between http (80) and https (443).
Note that 8744 - 8381 = 363 = 443 - 80.
I am using JBoss-4.2.3.GA and have observed the same behavior; not sure if it is still doing this on WildFly.
Related
When I open my site www.example.com, Tomcat redirects and shows www.example.com:8443.
I want that when someone opens the site, port 8443 is not shown. How do I solve that problem?
I use Tomcat 9.0.68. I installed the application on Tomcat and set it to use SSL on port 8443.
server.xml now looks like this:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateFile="conf/cert.pem"
                 certificateKeyFile="conf/privkey.pem"
                 certificateChainFile="conf/chain.pem" />
  </SSLHostConfig>
</Connector>
And in web.xml I added:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPSOnly</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
What more do I need to configure to open the site without showing port 8443?
There are multiple ways to accomplish this.
The best way, in my opinion, is using authbind: https://serverfault.com/questions/889122/how-to-get-tomcat-9-to-work-with-authbind-to-bind-to-port-80
It's my opinion that this is the best way, as the port is allocated directly to the process and it follows the Unix convention of doing things.
There are other options:
Use haproxy to splice the TCP connections
Use iptables to redirect the port
Use Apache/nginx to proxy the request
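The Tomcat side of the last three options, as an added example that is not part of the original answer or the Tomcat project's own files: when something in front of Tomcat (an iptables redirect, a haproxy TCP splice, or an HTTP reverse proxy) owns ports 80 and 443, the port that appears in the redirect issued by the CONFIDENTIAL constraint comes from redirectPort, and the port in URLs the application builds comes from proxyPort, so both must name the public port rather than the port Tomcat binds. The hostnames, connector ports and certificate paths are the ones from the question; the RemoteIpValve section assumes the reverse proxy terminates TLS, runs on the same host, and sets X-Forwarded-For and X-Forwarded-Proto, which is an assumption about the front end and not something the answer states.

```xml
<!-- Added example (not from the original answer): server.xml fragment for a
     Tomcat 9 that binds 8080/8443 while a front end owns ports 80 and 443. -->
<Service name="Catalina">

  <!-- Plain HTTP. The port in the Location header of a CONFIDENTIAL redirect
       is taken from redirectPort, so name the public TLS port (443), not the
       port Tomcat itself binds (8443). proxyPort makes getServerPort() report
       the public port in absolute URLs the application generates. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             proxyPort="80"
             redirectPort="443" />

  <!-- TLS terminated by Tomcat (iptables / haproxy TCP splice case).
       proxyPort="443" keeps generated URLs free of :8443 when the front end
       forwards 443 to 8443 at the TCP level. -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true"
             scheme="https" secure="true"
             proxyPort="443">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
      <Certificate certificateFile="conf/cert.pem"
                   certificateKeyFile="conf/privkey.pem"
                   certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
  </Connector>

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Reverse-proxy case only: the proxy terminates TLS and talks plain
         HTTP to 8080. Without this valve every request looks insecure to
         Tomcat, the CONFIDENTIAL constraint redirects again, and the browser
         loops. Assumption: the proxy is on 127.0.0.1 and sets X-Forwarded-For
         and X-Forwarded-Proto; list only trusted proxies in internalProxies,
         because anything matched there can spoof the client IP and scheme. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="127\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

A quick check after restarting: request the plain-HTTP URL with curl -I and confirm the Location header reads https://www.example.com/ with no :8443, then request the HTTPS URL the same way and confirm it answers 200 rather than a second redirect.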
Please look into my server.xml. I am not able to redirect port 8019 to https (port 443). I tried various examples on the web, but I still cannot get it working. Could anyone help me with what is wrong with my server.xml?
<Connector port="8019" protocol="HTTP/1.1"
           connectionTimeout="100000"
           redirectPort="443" />
<Connector port="443" maxHttpHeaderSize="8192" SSLEnabled="true"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           keystoreFile="C:\zenfortecertificate\3_zensar_com.pfx" keystorePass="[my password]" keystoreType="PKCS12"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" />
<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />
<Engine name="Catalina" defaultHost="zenforte-stg.zensar.com">
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    [...]
  </Host>
  <Host name="zenforte-stg.zensar.com" appBase="zen_webapps"
        unpackWARs="true" autoDeploy="true" />
</Engine>
There are a few problems with your server.xml. Some of them have to do with your actual question, others are just things you might want to think about.
First, you have two <Connector> elements on the same port (8019):
<Connector port="8019" protocol="HTTP/1.1" connectionTimeout="100000" redirectPort="443" />
and
<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />
So the first thing to do is to pick a connector and remove the other one. If you want to use the AJP protocol with your reverse-proxy or load balancer, then keep the AJP one. Otherwise, use the HTTP one.
The key to redirecting HTTP -> HTTPS is the redirectPort in your non-secure <Connector> (on port 8019, whichever one, AJP or HTTP, you choose). But the redirect doesn't happen unless your application asks for it. In order to do that, you need this in your application's WEB-INF/web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This tells the container (Tomcat) that the application expects "confidential" communication and it will automatically redirect any non-confidential (i.e. insecure) requests to the confidential (i.e. encrypted) protocol on the other port (https/443).
Some other considerations:
Your connectionTimeout of 100 seconds is a long time. You probably want that to be much lower; otherwise clients can tie up your server without accomplishing any work.
Your <Connector> contains all of your secure configuration. Modern Tomcats use an <SSLHostConfig> for all that configuration. This suggests an old configuration with a new server or, worse, an old server. You should try to upgrade to the latest server and use the latest configuration style. The newer configuration style gives you greater control over the configuration and makes it clearer what is happening. (For example, if you want to use RSA + ECDSA, the configuration is more explicit using <SSLHostConfig> + <Certificate> than just specifying the keystore and hoping for the best.)
If you aren't using the "localhost" <Host> in your configuration, remove it. Even better, if you don't have any other <Host>s defined, just allow the "localhost" one to cover everything. This makes your configuration less customized from the default, and therefore you have fewer changes to maintain from the stock server.xml.
Specifying disableUploadTimeout="true" doesn't have any effect unless you also specify connectionUploadTimeout.
Let's say my app is www.example.com.
When I put mydomain.com in the browser, it should redirect to https://www.example.com.
I have configured SSL already on my server.
If I put https://www.example.com, it always opens, but it does not redirect if I enter example.com.
Here is my connector:
<Connector port="8080" connectionTimeout="20000"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           redirectPort="443" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="file.jks" keystorePass="pass" />
My server is Tomcat 7 on a Linux box.
Your http port is 8080 instead of the default 80. A URL without a port number defaults to port 80, hence http://www.example.com would go to http://www.example.com:80/.
I tried to configure an SSL certificate for Tomcat 7 (7.0.61), which I installed on an Azure Windows VM.
HTTPS does not work and there are no errors in the Tomcat logs. I use a DigiCert certificate, which gave me a .jks keystore file. The VM has its own DNS name, myVm.cloudapp.net. I registered my own domain NNN.today at one.com and made a redirection from NNN.today to myVm.cloudapp.net.
When I created the certificate I used NNN.today. I configured endpoints for my VM (http for port 80 and SSL for port 443). The APR listener is commented out in server.xml.
Here is my server.xml config:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8443"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" keyAlias="server"
           keystoreFile="${catalina.base}/conf/app_farewell_today.jks" keystorePass="my_password" keystoreType="JKS"
           truststoreFile="${catalina.base}/conf/app_farewell_today.jks" truststorePass="my_password" truststoreType="JKS" />
What am I doing wrong? Any help appreciated!
The VM's firewall should be configured to allow these ports as well, and the public endpoint configuration should map to the proper internal ports.
I am having an issue with URL encoding. When I execute a URL in the browser, the server encodes it again and again, even though the URL is already UTF-8 encoded.
e.g. http://test.com:80/?gotoUrl=http%3A%2F%2Fclosewindow.xyz.com&modal=true
I am getting https://test.com/?gotoUrl=http%253A%252F%252Fclosewindow.xyz.com&modal=true
I am running my application on HTTPS and redirecting any request on port 80 to the HTTPS secure port 443. This problem only occurs if I send the request on port 80 and the server redirects it to secure port 443. If I make the request on secure port 443, this problem does not occur.
Following is my Tomcat configuration:
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="5000"
           compression="on"
           compressionMinSize="128"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,
                                 application/x-javascript,application/javascript,application/json"
           enableLookups="false"
           maxPostSize="4096"
           URIEncoding="UTF-8"
           redirectPort="8443" />
<Connector port="8009"
           protocol="AJP/1.3"
           URIEncoding="UTF-8" />
<Connector protocol="HTTP/1.1"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/keystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />
My environment is Apache 2.2 in front, with Tomcat 7.x connected to the Apache server via AJP.
I dug into this issue and found out that it is down to AJP, which is using iso-8859-1, whereas Tomcat and Apache are working fine and using UTF-8 encoding. Is there any way to set the encoding to UTF-8 in AJP? I am using mod_proxy_ajp.
Thanks in advance. I would appreciate any help on this.
I suggest the browser is doing it. It doesn't make sense for Tomcat to be doing it; Tomcat would be decoding, not encoding. Try it in the browser with no encoding at all.