Discussion:
Redirecting to https URL when https port is accessed with http scheme
ettra lancelot
2018-10-05 18:57:09 UTC
Permalink
Hi,

I would like to know whether it's possible to configure tomcat to
automatically redirect to the https URL when https port is access using
http scheme instead of https*.*

For example, say I have configured an ssl connector on port 8443, if I
access the connector using http scheme (eg: http://localhost:8443) instead
of using https scheme, I'm receiving some meaningless characters (refer
[1]). Instead, is it possible to make an automatic redirection to the https
url (eg: https://localhost:8443) ?

Few details about the setup.

- Tomcat version - 7.0.85
- SSL connector is configure on port 8443

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/keystore" keystorePass="xxx"/>

- Added the following security-constrain to web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[1] - Loading Image...

Thank you,
Etcy.
Gillett, Phil
2018-10-05 19:23:50 UTC
Permalink
Hello:
Perfect timing!!
I've been assigned at my job to apply something similar with Tomcat and Footprints 12, and have had some issues.
I hope someone has a solution, and I thank you in advance!

Phil G.

-----Original Message-----
From: ettra lancelot <***@gmail.com>
Sent: Friday, October 5, 2018 1:57 PM
To: ***@tomcat.apache.org
Subject: Redirecting to https URL when https port is accessed with http scheme

Hi,

I would like to know whether it's possible to configure tomcat to automatically redirect to the https URL when https port is access using http scheme instead of https*.*

For example, say I have configured an ssl connector on port 8443, if I access the connector using http scheme (eg: http://localhost:8443) instead of using https scheme, I'm receiving some meaningless characters (refer [1]). Instead, is it possible to make an automatic redirection to the https url (eg: https://localhost:8443) ?

Few details about the setup.

- Tomcat version - 7.0.85
- SSL connector is configure on port 8443

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/keystore" keystorePass="xxx"/>

- Added the following security-constrain to web.xml

<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

[1] - https://i.stack.imgur.com/1LVq7.png

Thank you,
Etcy.
B�KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB��[��X��ܚX�KK[XZ[�\�\��][��X��ܚX�P�X�] �\X�K�ܙ�B��܈Y][ۘ[��[X[��K[
Bill Harrelson
2018-10-05 19:49:30 UTC
Permalink
Well, not a configuration, you could write and register a filter that
sends a re-direct.

You have to do something similar to this (but in reverse):
https://stackoverflow.com/questions/9389211/using-filters-to-redirect-from-https-to-http
Post by Gillett, Phil
Perfect timing!!
I've been assigned at my job to apply something similar with Tomcat and Footprints 12, and have had some issues.
I hope someone has a solution, and I thank you in advance!
Phil G.
-----Original Message-----
Sent: Friday, October 5, 2018 1:57 PM
Subject: Redirecting to https URL when https port is accessed with http scheme
Hi,
I would like to know whether it's possible to configure tomcat to automatically redirect to the https URL when https port is access using http scheme instead of https*.*
For example, say I have configured an ssl connector on port 8443, if I access the connector using http scheme (eg: http://localhost:8443) instead of using https scheme, I'm receiving some meaningless characters (refer [1]). Instead, is it possible to make an automatic redirection to the https url (eg: https://localhost:8443) ?
Few details about the setup.
- Tomcat version - 7.0.85
- SSL connector is configure on port 8443
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/keystore" keystorePass="xxx"/>
- Added the following security-constrain to web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPSOnly</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
[1] - https://i.stack.imgur.com/1LVq7.png
Thank you,
Etcy.
---------------------------------------------------------------------
Christopher Schultz
2018-10-05 21:11:40 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Etcy,
Post by ettra lancelot
I would like to know whether it's possible to configure tomcat to
automatically redirect to the https URL when https port is access
using http scheme instead of https*.*
There is no way to get Tomcat to do this for you right now.

There is, however, the possibility of adding such a feature to Tomcat.

If you make an HTTP request to Apache httpd on a TLS-enabled port,
you'll get a response that says "Looks like you made a mistake".

In the past, that would have been a huge pain in the neck for Tomcat,
since the TLS handshake was handled *entirely* by the underlying
crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that code has been
re-written and Tomcat is buffering everything internally and probing
the handshake, etc.

It should therefore be possible to respond in the way you describe,
but I'm not sure how much appetite there is for issuing a redirect
rather than just an informational page such as the one httpd returns.

Unfortunately, Bill is incorrect when he says that you can write a
Filter for this. No application code will ever see a connection over a
connection which failed a TLS handshake.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlu304gACgkQHPApP6U8
pFgj9A//SR89S85mbNovDkiRLo/KzlAf64sNNd0RHSsrKkxnwnoGxMwFt2XVIJ5F
aNELyTf/mI0UPAyJw6D3W30pWVDtmqjyWe/Xc3YBKCTbDfruxUEGiW3rcSt1jVus
RmqirBN3baduSiVyF5CLktXr/82CfqQ0Z4XUtt6NK5Nh7Hz+l6Olt6D7VlP1fcpM
29Q9vEuC5dkmdLoZYOuCleWtKeHOv96nk7pWvOq6P81VAk9SUcUEk9cbVhPosCYV
fdUf3ma8fwgJLLfz2LGZEf5Fdo4elRYTNI/OXTWQbJiuFg1umHURKjCoEhUXnzPf
FZY6mQr2OM3Yo/iLGBiVRAxrUAVEhXZjLEVE0DuPugDtb1JDX7bCZDKkz6HH+mXy
8A8Ekm/A12I55StC2CMqLSzKErd1q06lT6Xt1y4z76IZe3O6LjGMFfIsTLRVI63w
QG1vF2pVDniXyGYozUwPuudJ7to/M9Z1Ls57RKXDXgw8QPxF7waM5vTQuiQDE/DP
ECJEnaVeGVtPeCekD8Me56ezAVDRFrDlQKcZD+8PguTGJGpIC7ubByCFgTp1PRZ0
GxNA732h7zwTO8hSYzDTbnswwK17MJjYAezjz6ulnw178hJYSd05WJtPA1I8E798
QmsCilXAdmp741/QjdE8cLkonmBZHrkE7tm09Jit34I9VlBg3as=
=wLba
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
ettra lancelot
2018-10-06 05:29:41 UTC
Permalink
Thank you for the detailed answer, Chris.

On Sat, Oct 6, 2018 at 2:41 AM Christopher Schultz <
Post by Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Etcy,
Post by ettra lancelot
I would like to know whether it's possible to configure tomcat to
automatically redirect to the https URL when https port is access
using http scheme instead of https*.*
There is no way to get Tomcat to do this for you right now.
There is, however, the possibility of adding such a feature to Tomcat.
If you make an HTTP request to Apache httpd on a TLS-enabled port,
you'll get a response that says "Looks like you made a mistake".
In the past, that would have been a huge pain in the neck for Tomcat,
since the TLS handshake was handled *entirely* by the underlying
crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that code has been
re-written and Tomcat is buffering everything internally and probing
the handshake, etc.
It should therefore be possible to respond in the way you describe,
but I'm not sure how much appetite there is for issuing a redirect
rather than just an informational page such as the one httpd returns.
Unfortunately, Bill is incorrect when he says that you can write a
Filter for this. No application code will ever see a connection over a
connection which failed a TLS handshake.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlu304gACgkQHPApP6U8
pFgj9A//SR89S85mbNovDkiRLo/KzlAf64sNNd0RHSsrKkxnwnoGxMwFt2XVIJ5F
aNELyTf/mI0UPAyJw6D3W30pWVDtmqjyWe/Xc3YBKCTbDfruxUEGiW3rcSt1jVus
RmqirBN3baduSiVyF5CLktXr/82CfqQ0Z4XUtt6NK5Nh7Hz+l6Olt6D7VlP1fcpM
29Q9vEuC5dkmdLoZYOuCleWtKeHOv96nk7pWvOq6P81VAk9SUcUEk9cbVhPosCYV
fdUf3ma8fwgJLLfz2LGZEf5Fdo4elRYTNI/OXTWQbJiuFg1umHURKjCoEhUXnzPf
FZY6mQr2OM3Yo/iLGBiVRAxrUAVEhXZjLEVE0DuPugDtb1JDX7bCZDKkz6HH+mXy
8A8Ekm/A12I55StC2CMqLSzKErd1q06lT6Xt1y4z76IZe3O6LjGMFfIsTLRVI63w
QG1vF2pVDniXyGYozUwPuudJ7to/M9Z1Ls57RKXDXgw8QPxF7waM5vTQuiQDE/DP
ECJEnaVeGVtPeCekD8Me56ezAVDRFrDlQKcZD+8PguTGJGpIC7ubByCFgTp1PRZ0
GxNA732h7zwTO8hSYzDTbnswwK17MJjYAezjz6ulnw178hJYSd05WJtPA1I8E798
QmsCilXAdmp741/QjdE8cLkonmBZHrkE7tm09Jit34I9VlBg3as=
=wLba
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
Martynas Jusevičius
2018-10-06 10:31:47 UTC
Permalink
Ettra,

see also this thread:
https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%***@mail.gmail.com%3E

I did this with front nginx eventually.
Post by ettra lancelot
Thank you for the detailed answer, Chris.
On Sat, Oct 6, 2018 at 2:41 AM Christopher Schultz <
Post by Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Etcy,
Post by ettra lancelot
I would like to know whether it's possible to configure tomcat to
automatically redirect to the https URL when https port is access
using http scheme instead of https*.*
There is no way to get Tomcat to do this for you right now.
There is, however, the possibility of adding such a feature to Tomcat.
If you make an HTTP request to Apache httpd on a TLS-enabled port,
you'll get a response that says "Looks like you made a mistake".
In the past, that would have been a huge pain in the neck for Tomcat,
since the TLS handshake was handled *entirely* by the underlying
crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that code has been
re-written and Tomcat is buffering everything internally and probing
the handshake, etc.
It should therefore be possible to respond in the way you describe,
but I'm not sure how much appetite there is for issuing a redirect
rather than just an informational page such as the one httpd returns.
Unfortunately, Bill is incorrect when he says that you can write a
Filter for this. No application code will ever see a connection over a
connection which failed a TLS handshake.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlu304gACgkQHPApP6U8
pFgj9A//SR89S85mbNovDkiRLo/KzlAf64sNNd0RHSsrKkxnwnoGxMwFt2XVIJ5F
aNELyTf/mI0UPAyJw6D3W30pWVDtmqjyWe/Xc3YBKCTbDfruxUEGiW3rcSt1jVus
RmqirBN3baduSiVyF5CLktXr/82CfqQ0Z4XUtt6NK5Nh7Hz+l6Olt6D7VlP1fcpM
29Q9vEuC5dkmdLoZYOuCleWtKeHOv96nk7pWvOq6P81VAk9SUcUEk9cbVhPosCYV
fdUf3ma8fwgJLLfz2LGZEf5Fdo4elRYTNI/OXTWQbJiuFg1umHURKjCoEhUXnzPf
FZY6mQr2OM3Yo/iLGBiVRAxrUAVEhXZjLEVE0DuPugDtb1JDX7bCZDKkz6HH+mXy
8A8Ekm/A12I55StC2CMqLSzKErd1q06lT6Xt1y4z76IZe3O6LjGMFfIsTLRVI63w
QG1vF2pVDniXyGYozUwPuudJ7to/M9Z1Ls57RKXDXgw8QPxF7waM5vTQuiQDE/DP
ECJEnaVeGVtPeCekD8Me56ezAVDRFrDlQKcZD+8PguTGJGpIC7ubByCFgTp1PRZ0
GxNA732h7zwTO8hSYzDTbnswwK17MJjYAezjz6ulnw178hJYSd05WJtPA1I8E798
QmsCilXAdmp741/QjdE8cLkonmBZHrkE7tm09Jit34I9VlBg3as=
=wLba
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Christopher Schultz
2018-10-10 14:53:18 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Martynas,
Post by Martynas Jusevičius
https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%3C
I did this with front nginx eventually.
In this case, Ettra is wanting to make an HTTP request to an HTTPS
service, which usually just fails to establish a TLS handshake.

Instead of failing, Ettra would prefer to have Tomcat respond with an
HTTP response with no encryption. This is how Apache httpd currently
behaves:

=== CUT ===

$ telnet localhost 443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /
Host: localhost
HTTP/1.1 400 Bad Request
Date: Wed, 10 Oct 2018 14:52:08 GMT
Server: Apache/2
Content-Length: 432
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not
understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
</p>
<hr>
<address>Apache/2 Server at phobos.chadis.com Port 443</address>
</body></html>
Connection closed by foreign host.

=== CUT ===

Tomcat will simply close the connection in its current implementation.

- -chris
Post by Martynas Jusevičius
Post by ettra lancelot
Thank you for the detailed answer, Chris.
On Sat, Oct 6, 2018 at 2:41 AM Christopher Schultz <
Etcy,
Post by ettra lancelot
Post by Gillett, Phil
Post by ettra lancelot
I would like to know whether it's possible to configure
tomcat to automatically redirect to the https URL when
https port is access using http scheme instead of https*.*
There is no way to get Tomcat to do this for you right now.
There is, however, the possibility of adding such a feature to
Tomcat.
If you make an HTTP request to Apache httpd on a TLS-enabled port,
you'll get a response that says "Looks like you made a mistake".
In the past, that would have been a huge pain in the neck for
Tomcat, since the TLS handshake was handled *entirely* by the
underlying crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that
code has been re-written and Tomcat is buffering everything
internally and probing the handshake, etc.
It should therefore be possible to respond in the way you
describe, but I'm not sure how much appetite there is for issuing a
redirect rather than just an informational page such as the one
httpd returns.
Unfortunately, Bill is incorrect when he says that you can write a
Filter for this. No application code will ever see a connection
over a connection which failed a TLS handshake.
-chris
Post by ettra lancelot
Post by Gillett, Phil
--------------------------------------------------------------------
- -
Post by Martynas Jusevičius
---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlu+El4ACgkQHPApP6U8
pFh7BA//WfMVYmUI97gCsgHuNIVwUbDnFYYJaiefGkexhW+ujQTqP+WeqPO4YJYW
FqZ2d2ZJ+e6VWfb9poB9c/couTh9shyIefPGE6CBXLD0AaWXdbT6s9fzQEq9803f
G3w9AnK20r4tCcE4bZkz5NWGcnvII8LVr78PR/QEuCkKMlabSMZ1hY12XrPXUO/3
IjGBdiuEqedLAOxrqp65ZXbZ5hKA5UXYSxIxrT+PN52TpncmIpVecJO29yjrTIAo
cBFOoOqYP0I1ylvSTRTPMsk+1pNE9V+KxIyqwxGC24gJvE/x0U+xvvehj5NUlsFz
IwHRolJ1iQYtE1OONEQ1jDtqGUjllme3JJ79cZFRDbhUgMum+4V91bK9Oou6Lrwq
85oIudC2kFc9CMoq7QocOaTJTMNVwLj2/xHZIO4tPXw7S1Tw3eHEyqe6vReWDlKf
B7qQTqgA2EKFp3BZOLV94IazMxK/Gf5lBFyL9f9j4OVKunEiJ9NSNjmwB23vhsNT
Kmz/RyvRHd0EF4127YwUqjVQqOeWfhnNivZRf4GQGX1AbrcrJBfVOgp60z+VI9lD
iO/5u+zeFflocbvDHxEfDfWZZYdB1XXdH16ug6n6BaoERs/gRRNFAuEqP4Qk5joI
CfDz3SDdaqI+Ve0PXMOINxm3EqtdgpCo5l6tl3U2h/ITxijYr4Q=
=ULFh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

Loading...