AWS load balancer always routes 443 to 8443 - ssl

I am serving up content on an ec2 instance running tomcat 7. I have all traffic routing in the tomcat config to 8443 and a valid cert installed. When i explicitly put https://website.com:443 the site loads fine, but when i put in http://website.com it should route to the https with port 443, but it uses the port 8443 instead. Anyone have any idea why this would be happening? I have the exact same config working on another server but i have two new servers that dont want to behave.
in my tomcat server.xml i have:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
keystoreFile="conf/cert.p12"
keystorePass="password"
keystoreType="PKCS12" />
and in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Found an answer to this, turns out i had to route all traffic over TCP from 8443 to 8443. The client was requesting port 80, routing to 8080 per my load balancer config for tomcat to serve up content, tomcat was turning the request into requesting port 8443.
8443 wasnt being routed back to 8443 on the tomcat server so it just ended up in a dead end. hope this helps someone else someday.

Tomcat sends a redirect when using a transport-guarantee of CONFIDENTIAL
By default this is your connector port. Run a curl -vs http://website.com to confirm.
You could set the http/8080 connectors redirectPort to 443 but this means you are choosing ELB redirects to work. Local Tomcat redirects will then start failing as nothing listens locally on 443, just the ELB does.

Related

Tomcat SSL on port 8080

I have applied SSL on tomcat on port 443 but my manager asked me to apply it on port 8080 due to some constraints.
When I changed the port in connector to 8080 from 443, the server keeps on redirecting my request from https://domain_name:8080 to https://domain_name:8443.
Is there anything I can do to apply SSL on tomcat port 8080 without any redirection techniques?
Does it require any changes in "web.xml" as well?
Here is my Connector for 8080
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/home/my_user/SSL-Cert/sslKey.jks"
keystorePass="pass121" clientAuth="false"
keyAlias="ssl-Key" sslProtocol="TLS"
/>
When I change the port 8080 to 8082, it works fine without any redirection. Does that have to do anything with port 8080?

Redirect HTTP to HTTPS:PORT in Tomcat

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
<Connector executor="tomcatThreadPool"
port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?
You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So you don't have to change it on the web.xml of your webapp.
That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:
<!-- Default tomcat connector, changed the redirectPort from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig>
<Certificate certificateKeyFile="/your/own/privkey.pem"
certificateFile="/eyour/own/cert.pem"
certificateChainFile="/your/own/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
The connector configuration you shown does not redirect a specific URL in the way you suppose.
That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.
I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.
So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.
Edit
As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.
To configure this HTTPS connector, you can use a configuration as following:
<Connector connectionTimeout="20000"
acceptCount="100" scheme="https" secure="true"
port="443" clientAuth="false" sslProtocol="TLS"
keystoreFile="PATH_TO_KEY_STORE"
keystorePass="KEY_STORE_PASS"
keyAlias="KEY_STORE_ALIAS"/>
This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.
The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.
I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
There is no way to overwrite that setting on per-application basis.
If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.
// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.
If you use tomcat with httpd, you can use RewriteEngine.
With port specified is like the followings in the http.conf:
NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
ServerName www.example.com
Redirect permanent / https://secure.example.com/
</VirtualHost>
See: RewriteHTTPToHTTPS and Redirect Request to SSL
Putting transport-guarantee CONFIDENTIAL in conf/web.xml is good, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).
My solution is to put a valve in conf/context.xml that redirects all http requests to https.
https://bitbucket.org/bunkenburg/https-valve/src/master/
It's too late to answer, still I'm sharing my experience over the same, do the following changes in
Apache Software Foundation\Tomcat 8.5\conf\web.xml
Take a restart.
Pre-Req: configure https port and disable http port(optional[I did it])
<Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443"
SSLEnabled="true"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="550"
minSpareThreads="25"
scheme="https"
secure="true"
compression="on"
protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig protocols="TLSv1.2"
certificateVerification="none"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
<Certificate type="RSA"
certificateKeystoreFile="/ssl/self-signed/your-keystore.jks"
certificateKeystorePassword="123456"
certificateKeyAlias="your-alias" />
</SSLHostConfig>
   </Connector>

Limiting Tomcat http connector to Apache server

I am using Apache 2.4 in front of Tomcat 7. I am trying to use web-sockets so I have configured http based connector in tomcat as below
<Connector port="8009"
protocol="HTTP/1.1"
proxyPort="80"
maxPostSize="10485760"
redirectPort="8443"
URIEncoding="UTF-8"/>
I have configured mod_proxy and mod_proxy_wstunnel and mod_proxy_http in Apache 2.4 Web-socket connections works fine when accessed App via "http://webserver/myapp".
However app can also be accessed via http://webserver:8009/myapp.
I want my app to be accessible only via Apache webserver (http://webserver/myapp) and NOT directly using tomcat(http://webserver:8009/myapp). I cannot use AJP modules (mod_proxy_ajp or mod_jk) because AJP modules doesn't support web-sockets.
Is there a way I can limit tomcat Connector to Apache webserver only.
You can use this.
<Context path="/manager" docBase="manager" reloadable="true" privileged="true" >
<Valve className="org.apache.catalina.valves.RemoteIpValve"/>
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="<your IP regex>"/>
</Context>
Change appropriate valve in Context Path, docbase and IP Address. This would at least restrict to localhost.
Other way is to listen tomcat only on localhost with help of below code.
<Connector port="8009" address="127.0.0.1"
Use a firewall on your server. This way you not only make tomcat unavailable, but also any other process that happens to open a port on that machine.
Whitelist the ports that you want to be available to the world and default to blocking every other port.

(Tomcat Apache configurations)can't see Tomcat Apache landing page

Actually, I'm new to Linux and its configurations. I just installed Tomcat Apache 7.0.52 on my debian linux. I entered IP192.168.56.10, the server ip, but it shows it works! page which means the older version of apache server:Apache/2.2.16 (Debian) is running, not tomcat, the correct page should contain tomcat's logo. Is there any configurations I missed?
Check the server.xml. Tomcat's port is normally 8080, if you have not changed it. So please try the IP with the port: 192.168.56.10:8080
This defines the port, where the server listens:
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />

DNS Management for Tomcat server

I have a tomcat server running perfectly at http://68.169.56.63:8080 I have a subdomain http://solar.wbe.in. Now I want my website http://solar.wbe.in to point to that tomcat server so that if I open http://solar.wbe.in site my browser it should show http://68.169.56.63:8080 I was looking at A records in DNS management. It has option to map IP but not port number. How do I map port 80 of http://solar.wbe.in to port 8080 of http://68.169.56.63
You could change the port in the Tomcat Server.xml e.g
<Connector port="80" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
Or you could install a webserver like apache to listen on port 80 and proxy the requests through to Tomact either use mod_jk or mod_proxy.