Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Redirect HTTP to HTTPS:PORT in Tomcat

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:

<Connector executor="tomcatThreadPool"
           port="80"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?

like image 656
iddqd Avatar asked Oct 19 '15 07:10

iddqd


People also ask

Can Tomcat run on port 443?

Tomcat can be configured to listen on SSL Port 443. Then you could turn off the SSL listener in the Apache Web server and use only Tomcat to handle your SSL connections. You can modify the Tomcat configuration by editing the file named "server. xml" in the Tomcat conf directory.

What is the use of redirect port in Tomcat?

The only thing that the connector needs for the redirect to work is the “redirectPort” property, which should specify the secure (HTTPS) port on the proxy (not Tomcat). This connector can be used for both the non-secure and secure reverse proxy connections.


2 Answers

The connector configuration you shown does not redirect a specific URL in the way you suppose.

That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.

I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:

<security-constraint>

    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    ...

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

</security-constraint>

Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.

So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.

Edit

As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.

To configure this HTTPS connector, you can use a configuration as following:

<Connector connectionTimeout="20000"
    acceptCount="100" scheme="https" secure="true"
    port="443" clientAuth="false" sslProtocol="TLS"  
    keystoreFile="PATH_TO_KEY_STORE"  
    keystorePass="KEY_STORE_PASS"  
    keyAlias="KEY_STORE_ALIAS"/>

This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.

The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.

like image 134
malaguna Avatar answered Oct 17 '22 17:10

malaguna


You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you requre authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

So you don't have to change it on the web.xml of your webapp.

That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:

<!-- Default tomcat connector, changed the redirectPort from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig>
        <Certificate certificateKeyFile="/your/own/privkey.pem"
            certificateFile="/eyour/own/cert.pem"
            certificateChainFile="/your/own/chain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>
like image 30
Mateus Viccari Avatar answered Oct 17 '22 18:10

Mateus Viccari