Discussion:
tomcat redirects to http instead of https
Dino Edwards
2018-11-16 16:24:40 UTC
Hello,

I have an interesting issue with Tomcat. If I click or paste an HTTPS link in the browser to an application served by Tomcat, it redirects to http instead of https. If I manually change the http:// to https:// in the browser, the application comes up with no problems. Obviously it's not ideal, because this application sends out emails with https addresses that end-users are supposed to simply click and get to the application.

My current setup, I have Apache proxying to Tomcat 7 like this:

<VirtualHost *:443>
ProxyRequests Off

SSLEngine on
SSLCertificateFile .........cer
SSLCertificateKeyFile .......key
SSLCertificateChainFile ......cer
SSLProtocol -all +TLSv1.2
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
ProxyTimeout 3600

.....

</VirtualHost>

This used to work with Tomcat 6, but obviously something has changed with Tomcat 7.

I would appreciate some assistance on this

Thanks
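Before touching the proxy configuration it helps to have a repeatable way to tell what a redirect is actually doing: sending an https client to http, or exposing the backend origin (`http://localhost:8080/...`) that the proxy should have rewritten. The script below is an added example for this thread, not code from the thread, from Apache httpd or from Tomcat. The host names, ports and HTTP responses in it are constructed for the demo, and `INTERNAL_HOSTS` is an assumed list of names that should never reach a browser.

```python
"""Classify the redirects a reverse-proxied web app sends back to the browser.

Added example for this thread, not code from the thread or from Apache/Tomcat.
It only looks at the URL a client requested and the Location header the server
answered with; the sample responses at the bottom are constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Hosts that must never reach a browser in a Location header when a reverse
# proxy fronts the application (constructed list for the example).
INTERNAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def location_from_response(raw_response: str) -> Optional[str]:
    """Pull the Location header out of a raw HTTP response (headers only).

    Header names are matched case-insensitively; the first match wins.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def classify_redirect(request_url: str, location: Optional[str]) -> List[str]:
    """Return the findings for one redirect, sorted; an empty list means it looks fine.

    "scheme-downgrade": the client asked over https and is being sent to http.
    "backend-leak":     the target names an internal host, or a non-standard port
                        the client never used, i.e. the backend origin shows through
                        (the usual sign that ProxyPassReverse did not match).
    """
    if not location:
        return []
    req = urlsplit(request_url)
    # Relative Location values ("/app/") are resolved against the request URL,
    # exactly as a browser would do before following them.
    target = urlsplit(urljoin(request_url, location))
    findings = []
    if req.scheme == "https" and target.scheme == "http":
        findings.append("scheme-downgrade")
    unusual_port = target.port not in (None, 80, 443) and target.port != req.port
    if target.hostname in INTERNAL_HOSTS or unusual_port:
        findings.append("backend-leak")
    return sorted(findings)


# Constructed responses a browser might receive for https://mail.example.com/app
SAMPLE_RESPONSES: Dict[str, Tuple[str, str]] = {
    # the symptom reported in the thread
    "downgrade": ("https://mail.example.com/app",
                  "HTTP/1.1 302 Found\r\nLocation: http://mail.example.com/app/\r\n\r\n"),
    # the backend origin showing through the proxy
    "backend":   ("https://mail.example.com/app",
                  "HTTP/1.1 302 Found\r\nLocation: http://localhost:8080/app/\r\n\r\n"),
    # a relative redirect, which inherits the client's scheme
    "relative":  ("https://mail.example.com/app",
                  "HTTP/1.1 302 Found\r\nlocation: /app/\r\n\r\n"),
    # a healthy absolute redirect
    "good":      ("https://mail.example.com/app",
                  "HTTP/1.1 302 Found\r\nLocation: https://mail.example.com/app/\r\n\r\n"),
    # not a redirect at all
    "none":      ("https://mail.example.com/app",
                  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
}


def audit(samples: Dict[str, Tuple[str, str]] = SAMPLE_RESPONSES) -> Dict[str, List[str]]:
    """Run the classifier over every sample and collect the findings per name."""
    return {name: classify_redirect(url, location_from_response(raw))
            for name, (url, raw) in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name:10s} {findings or 'ok'}")
```

To run it against a real deployment, capture the response headers for the public URL (for example the output of `curl -sI` on the https link from one of the application's e-mails) and pass them to `location_from_response`; a "backend-leak" finding points at the ProxyPass/ProxyPassReverse pair not matching the connector the backend actually listens on, while a bare "scheme-downgrade" means the backend built the redirect from the plain-http scheme it saw from the proxy.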
Christopher Schultz
2018-11-16 16:40:46 UTC
Dino,
Post by Dino Edwards
Hello,
I have an interesting issue with Tomcat. If I click or paste an
HTTPS link in the browser to an application served by Tomcat, it
redirects to http instead of https. If I manually change the
http:// to https:// in the browser the application comes up with no
problems. Obviously it's not ideal, because this application sends
out emails with https addresses that end-users are supposed to
simply click and get to the application.
<VirtualHost *:443>
ProxyRequests Off
SSLEngine on
SSLCertificateFile .........cer
SSLCertificateKeyFile .......key
SSLCertificateChainFile ......cer
SSLProtocol -all +TLSv1.2
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
ProxyTimeout 3600
.....
</VirtualHost>
This looks like an old config. Are you using Apache 2.2?

1. I don't see ServerName to identify the VirtualHost for SNI
2. You are using "Order" instead of "Require"

Are you sure you don't have any other <VirtualHost> which is
performing any proxying?
Post by Dino Edwards
This used to work with Tomcat 6, but obviously something has
changed with Tomcat 7.
I would appreciate some assistance on this
Can you post your <Connector> configuration for your port 8080 connector?

If this is a one-box-wonder, do you actually need httpd? Just checking...

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Dino Edwards
2018-11-16 17:10:58 UTC
Post by Christopher Schultz
This looks like an old config. Are you using Apache 2.2?
No, I'm currently trying to use Apache 2.4, but you are right, it is indeed a config from an older version of Apache (2.2).
Post by Christopher Schultz
1. I don't see ServerName to identify the VirtualHost for SNI 2. You are using "Order" instead of "Require"
I'm not using name-based virtual hosts.
Post by Christopher Schultz
Are you sure you don't have any other <VirtualHost> which is performing any proxying?
There are no other configs enabled in /etc/apache2/sites-enabled
Post by Christopher Schultz
Can you post your <Connector> configuration for your port 8080 connector?
<Connector port="8888" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8444" />
Post by Christopher Schultz
If this is a one-box-wonder, do you actually need httpd? Just checking..
I do; there are two different applications in the box that use two different Tomcat instances running on different ports, and I use Apache to proxy to each app while using one common SSL config.


Dino

Christopher Schultz
2018-11-17 18:36:24 UTC
Dino,
Post by Dino Edwards
Post by Christopher Schultz
This looks like an old config. Are you using Apache 2.2?
No, I'm currently trying to use Apache 2.4, but you are right, it is
indeed a config from an older version of Apache (2.2).
Post by Christopher Schultz
1. I don't see ServerName to identify the VirtualHost for SNI 2.
You are using "Order" instead of "Require"
I'm not using name-based virtual hosts.
Yes, you are. :)
Post by Dino Edwards
Post by Christopher Schultz
Are you sure you don't have any other <VirtualHost> which is
performing any proxying?
There are no other configs enabled in /etc/apache2/sites-enabled
Good.
Post by Dino Edwards
Post by Christopher Schultz
Can you post your <Connector> configuration for your port 8080 connector ?
<Connector port="8888" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8444" />
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
<Connector port="8888" protocol="HTTP/1.1"
That probably isn't going to work.
Post by Dino Edwards
Post by Christopher Schultz
If this is a one-box-wonder, do you actually need httpd? Just
checking..
I do; there are two different applications in the box that use two
different Tomcat instances running on different ports, and I use
Apache to proxy to each app while using one common SSL config.
Understood. If you have two different applications on two Tomcat
instances, is that why the port numbers don't match above?

-chris

Dino Edwards
2018-11-19 13:16:59 UTC
Post by Dino Edwards
Post by Dino Edwards
I'm not using name-based virtual hosts.
Yes, you are. :)
I didn't think I was. How do you figure?
Post by Dino Edwards
I do; there are two different applications in the box that use two
different Tomcat instances running on different ports, and I use Apache
to proxy to each app while using one common SSL config.
Post by Dino Edwards
Understood. If you have two different applications on two Tomcat instances, is that why the port numbers don't match above?
Yes, sorry, I posted the wrong config. So, it looks like I figured it out. Apparently, Apache 2.4 has a problem using a combination of both AJP and HTTP proxy statements in the same config (Apache 2.2 worked fine), so I ended up setting the following:

Tomcat Instance 1 server.xml file:

<Server port="8006" shutdown="SHUTDOWN">

<Connector port="8888" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />


<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


Tomcat Instance 2 server.xml file:

<Server port="8005" shutdown="SHUTDOWN">

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8444" />

<Connector port="8010" protocol="AJP/1.3" redirectPort="8444" />

And in Apache config file I set the following:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ProxyRequests Off

SSLEngine on
SSLCertificateFile ......cer
SSLCertificateKeyFile ......key
SSLCertificateChainFile .........chain.cer
SSLProtocol -all +TLSv1.2

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

#Tomcat 1
ProxyPass /admin ajp://localhost:8009/app1
ProxyPassReverse /admin ajp://localhost:8009/app1

#Tomcat 2
ProxyPass /ciphermail ajp://localhost:8010/app2
ProxyPassReverse /ciphermail ajp://localhost:8010/app2


ProxyTimeout 3600
........
</VirtualHost>
</IfModule>

This seems to work. Do you see a problem with the above?

Thanks


Shawn Heisey
2018-11-19 15:38:23 UTC
Post by Dino Edwards
Post by Dino Edwards
I'm not using name-based virtual hosts.
Yes, you are. :)
I didn't think I was. How do you figure?
The first line in the config you shared was "<VirtualHost *:443>".

Thanks,
Shawn

Dino Edwards
2018-11-19 16:29:27 UTC
Post by Dino Edwards
I'm not using name-based virtual hosts.
Yes, you are. :)
I didn't think I was. How do you figure?
The first line in the config you shared was "<VirtualHost *:443>".
Got it, thanks.

Christopher Schultz
2018-11-19 22:48:38 UTC
Dino,
Post by Dino Edwards
Post by Dino Edwards
Post by Dino Edwards
I'm not using name-based virtual hosts.
Yes, you are. :)
I didn't think I was. How do you figure?
https://httpd.apache.org/docs/2.4/mod/core.html#namevirtualhost
Post by Dino Edwards
Post by Dino Edwards
I do; there are two different applications in the box that use
two different Tomcat instances running on different ports, and I
use Apache to proxy to each app while using one common SSL
config.
Post by Dino Edwards
Understood. If you have two different applications on two
Tomcat instances, is that why the port numbers don't match
above?
Yes, sorry, I posted the wrong config. So, it looks like I figured
it out. Apparently, Apache 2.4 has a problem using a combination of
both AJP and HTTP proxy statements in the same config (Apache 2.2
I don't believe Apache httpd has any problem with mixing mod_proxy_ajp
and mod_proxy_http directives in the same configuration. Do you have a
reference for such a claim?
Post by Dino Edwards
<Server port="8006" shutdown="SHUTDOWN">
<Connector port="8888" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Server port="8005" shutdown="SHUTDOWN">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8444"
/>
<Connector port="8010" protocol="AJP/1.3" redirectPort="8444" />
Looks good so far. How is this different than what you had before?
Post by Dino Edwards
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ProxyRequests Off
SSLEngine on
SSLCertificateFile ......cer
SSLCertificateKeyFile ......key
SSLCertificateChainFile .........chain.cer
SSLProtocol -all +TLSv1.2
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
#Tomcat 1
ProxyPass /admin ajp://localhost:8009/app1
ProxyPassReverse /admin ajp://localhost:8009/app1
#Tomcat 2
ProxyPass /ciphermail ajp://localhost:8010/app2
ProxyPassReverse /ciphermail ajp://localhost:8010/app2
If you want to be *really* explicit, you might want to add:

SSLProxyProtocol TLSv1.2

... if you want "TLSv1.2 everywhere".
Post by Dino Edwards
ProxyTimeout 3600
........
</VirtualHost>
</IfModule>
This seems to work. Do you see a problem with the above?
What did you actually end up changing? That all looks like a fairly
standard reverse-proxy setup.

Note that re-naming a context path with mod_proxy (e.g. /admin ->
app1) is likely to cause a lot of problems. If that's not a typo or
copy/paste error, you probably want to map /admin -> /admin and
/ciphermail -> /ciphermail.

-chris
