Discussion:
Tomcat/manager/ disable redirect from HTTPS to HTTP
Hans Schou
2018-10-12 11:18:45 UTC
Hi

I have a Tomcat 8.5 with Java 1.8 on Windows with Nginx reverse proxy.

When I access https://joe:***@example.org/manager/ the request goes to
Nginx, which proxy_pass it to http://srv321.local:8080/

Authentication appears right away but the first response from Tomcat is
Location: http://example.org/manager/html?....NONCE...
Note that the SSL has been cut off.

I can then manually go to the URL and change 'http' to 'https' and then it
works fine with SSL all the way around.

The location redirect has been seen on the network with "tcpdump -X", to
make sure it was not Nginx which was redirecting something.

In webapps/WEB-INF/web.xml I have tried adding:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPSOnly</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
but that did not work either.

Is there a way to avoid being redirected from HTTPS to HTTP?

Thanks.

--

Venlig hilsen - best regards

Hans Schou
Mark Thomas
2018-10-12 12:12:36 UTC
Post by Hans Schou
Hi
I have a Tomcat 8.5 with Java 1.8 on Windows with Nginx reverse proxy.
Nginx, which proxy_pass it to http://srv321.local:8080/
Authentication appears right away but the first response from Tomcat is
Location: http://example.org/manager/html?....NONCE...
note the SSL has been cut off.
Since Nginx is switching from HTTPS->HTTP on the way in, my initial
expectation would be that Nginx should switch from HTTP->HTTPS on the
way back out.

Note that it isn't quite as simple as 'just' switching the protocol.
Nginx also needs to take account of things like setting the secure
attribute on any cookies.

You can configure your way around this on Tomcat. To ensure a secure
configuration, you need to ensure that any traffic proxied via Nginx
received over HTTPS and any traffic proxied via Nginx received over HTTP
(if any) go to separate HTTP connectors on Tomcat.

For the HTTP connector processing proxied traffic originally received
over HTTPS you want:
SSLEnabled="false"
scheme="https"
secure="true"

For the HTTP connector processing proxied traffic originally received
over HTTP you want:
SSLEnabled="false"
scheme="http"
secure="false"

Mark
Post by Hans Schou
I can then manually go to the URL and change 'http' to 'https' and then it
works fine with SSL all the way around.
The location redirect has been seen on the network with "tcpdump -X", to
make sure it was not Nginx which was redirecting something.
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
but that did not work either.
Is there a way to avoid being redirected from HTTPS to HTTP?
Thanks.
--
Venlig hilsen - best regards
Hans Schou
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
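Mark's two-connector layout, as an added example that is not code from the thread or from the Tomcat project: a Python audit of a constructed server.xml fragment that reports, per HTTP connector, what Tomcat will make request.getScheme() and request.isSecure() return from the scheme and secure attributes (defaults http and false per the Tomcat 8.5 connector documentation), predicts the absolute Location header Tomcat 8.5 builds by default, and flags a Location that drops an https request to http, which is the symptom seen with tcpdump. Port 8080 with scheme="https" secure="true" is the configuration from the thread; ports 8081, 8082, 8009 and their comments are assumptions added for illustration.

```python
"""Audit Tomcat <Connector> attributes for reverse-proxied TLS traffic.

Added example, not from the thread or the Tomcat project. Attribute
semantics follow the Tomcat 8.5 HTTP connector docs: 'scheme' (default
http) feeds request.getScheme(), 'secure' (default false) feeds
request.isSecure(); CONFIDENTIAL constraints and the session cookie's
Secure flag are decided from isSecure(), redirect URLs from getScheme().
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed server.xml fragment. Port 8080 is the fix from the thread;
# the other connectors and the comments are assumptions for the example.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Nginx sends traffic it received over HTTPS here -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               SSLEnabled="false" scheme="https" secure="true"/>
    <!-- Nginx sends traffic it received over plain HTTP here -->
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000"
               SSLEnabled="false" scheme="http" secure="false"/>
    <!-- Inconsistent: scheme says https, secure left at its default -->
    <Connector port="8082" protocol="HTTP/1.1" SSLEnabled="false" scheme="https"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


@dataclass
class ConnectorPosture:
    port: int
    scheme: str               # value request.getScheme() will return
    secure: bool              # value request.isSecure() will return
    findings: list = field(default_factory=list)


def audit_connectors(server_xml):
    """Return a ConnectorPosture for every HTTP connector in server.xml."""
    postures = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue  # AJP carries scheme/secure from the proxy; out of scope here
        p = ConnectorPosture(
            port=int(conn.get("port")),
            scheme=conn.get("scheme", "http").lower(),
            secure=conn.get("secure", "false").lower() == "true",
        )
        if p.scheme == "https" and not p.secure:
            p.findings.append(
                "scheme=https without secure=true: isSecure() stays false, so "
                "CONFIDENTIAL constraints are not satisfied and the session "
                "cookie is not marked Secure")
        if p.secure and p.scheme != "https":
            p.findings.append(
                "secure=true with scheme=%s: request treated as secure but "
                "absolute redirects are built with %s://" % (p.scheme, p.scheme))
        if p.scheme == "http" and not p.secure:
            p.findings.append(
                "plain connector: route only traffic the proxy received over "
                "HTTP here, otherwise absolute redirects downgrade https to http")
        postures.append(p)
    return postures


def predict_redirect(posture, host_header, target):
    """Absolute Location that Tomcat 8.5 builds by default
    (useRelativeRedirects=false) for a request on this connector when the
    Host header carries no explicit port (the scheme's default port is omitted)."""
    return "%s://%s%s" % (posture.scheme, host_header, target)


def location_downgrades(original_scheme, location):
    """True when an absolute Location header moves an https request to http.
    A relative Location keeps the client's current scheme and never downgrades."""
    parts = urlsplit(location)
    if not parts.scheme:
        return False
    return original_scheme == "https" and parts.scheme.lower() == "http"


if __name__ == "__main__":
    for p in audit_connectors(SERVER_XML):
        print("port %d: getScheme()=%s isSecure()=%s" % (p.port, p.scheme, p.secure))
        for f in p.findings:
            print("   -", f)
        loc = predict_redirect(p, "example.org", "/manager/html")
        flag = " (DOWNGRADE)" if location_downgrades("https", loc) else ""
        print("   https://example.org/manager/ redirects to", loc + flag)
```

Run it against a copy of your own server.xml by replacing SERVER_XML with the file contents; the connector on port 8081 is deliberately reported as a plain connector so that its use is a conscious routing decision rather than a default, which is the separation Mark describes.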
Hans Schou
2018-10-15 07:17:39 UTC
Post by Mark Thomas
For the HTTP connector processing proxied traffic originally received
SSLEnabled="false"
scheme="https"
secure="true"
Thanks, this one is working exactly as expected:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           SSLEnabled="false"
           scheme="https"
           secure="true"
/>

A bonus is that I now have forced use of SSL.
--
Venlig hilsen - best regards

Hans Schou
Christopher Schultz
2018-10-18 14:53:02 UTC
Hans,
Post by Hans Schou
Post by Mark Thomas
For the HTTP connector processing proxied traffic originally
received over HTTPS you want: SSLEnabled="false" scheme="https"
secure="true"
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" SSLEnabled="false" scheme="https"
secure="true" />
A bonus is that I now got forced use of SSL.
Note that port 8080 being TLS might be "surprising" to some clients.

-chris
