I'm in the process of breaking apart and migrating an apache internal webserver to an IIS web server.
I believe what the snippet of apache web config does below when testing is re-direct any requests coming in from "bobby" to http://localhost:8181/
bobby is a DNS entry on our domain which resolves to 192.168.8.50.
In short, if you place bobby/ into a web browser on our domain without the port specified the below will forward to local host with the correct port.
How can I replicate this in IIS?
<VirtualHost 192.168.8.50:80>
ServerName bobby
ProxyRequests Off
ProxyVia Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://localhost:8181/
ProxyPassReverse / http://localhost:8181/
</VirtualHost>
Do you mean you want to redirect all the request from the "bobby" to "http://localhost:8181/"?
If this is your requirement , I suggest you could try to use IIS url rewrite module IIS reverse proxy to achieve your requirement.
You could install it from this url.
Then you could add below config settings in the bobby web.config file in system.webServer tag.
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://localhost:8181/{R:1}" />
</rule>
</rules>
</rewrite>
I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
<Connector executor="tomcatThreadPool"
port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?
You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So you don't have to change it on the web.xml of your webapp.
That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:
<!-- Default tomcat connector, changed the redirectPort from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig>
<Certificate certificateKeyFile="/your/own/privkey.pem"
certificateFile="/eyour/own/cert.pem"
certificateChainFile="/your/own/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
The connector configuration you shown does not redirect a specific URL in the way you suppose.
That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.
I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.
So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.
Edit
As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.
To configure this HTTPS connector, you can use a configuration as following:
<Connector connectionTimeout="20000"
acceptCount="100" scheme="https" secure="true"
port="443" clientAuth="false" sslProtocol="TLS"
keystoreFile="PATH_TO_KEY_STORE"
keystorePass="KEY_STORE_PASS"
keyAlias="KEY_STORE_ALIAS"/>
This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.
The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.
I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
There is no way to overwrite that setting on per-application basis.
If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.
// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.
If you use tomcat with httpd, you can use RewriteEngine.
With port specified is like the followings in the http.conf:
NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
ServerName www.example.com
Redirect permanent / https://secure.example.com/
</VirtualHost>
See: RewriteHTTPToHTTPS and Redirect Request to SSL
Putting transport-guarantee CONFIDENTIAL in conf/web.xml is good, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).
My solution is to put a valve in conf/context.xml that redirects all http requests to https.
https://bitbucket.org/bunkenburg/https-valve/src/master/
It's too late to answer, still I'm sharing my experience over the same, do the following changes in
Apache Software Foundation\Tomcat 8.5\conf\web.xml
Take a restart.
Pre-Req: configure https port and disable http port(optional[I did it])
<Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443"
SSLEnabled="true"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="550"
minSpareThreads="25"
scheme="https"
secure="true"
compression="on"
protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig protocols="TLSv1.2"
certificateVerification="none"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
<Certificate type="RSA"
certificateKeystoreFile="/ssl/self-signed/your-keystore.jks"
certificateKeystorePassword="123456"
certificateKeyAlias="your-alias" />
</SSLHostConfig>
</Connector>
I'm using Wildfly 9.0.1.Final with single-sign-on to secure my backend and frontend with the following configuration:
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on path="/"/>
</host>
</server>
...
In my development environment, everything is working fine. But if I use FORM login in production environment, where the wildfly is behind an apache server, clients only get JSESSIONID but no JSESSIONIDSSO.
The corresponding apache config is:
ProxyPass /user http://localhost:10080/user
ProxyPassReverse /user http://localhost:10080/user
ProxyPass /backend http://localhost:10080/backend
ProxyPassReverse /backend http://localhost:10080/backend
What could be the problem?
This could be happening because of couple of reasons:
The domain name on the cookie will be reflecting the wildfly domain,
which will be different than the actual domain, which is being used
by the client.
and OR
The path which is set on the cookie is different from the path from where the reverse proxy call being made.
In any of the above case the Set-Cookie header will be received by the browser, its just that it will silently discard it.
You can add the following extra configuration in Apache to solve the issue
ProxyPassReverseCookiePath /example.com /
ProxyPassReverseCookieDomain localhost example.com
Please refer to the Apache documentation for more details and check the error logs for Warning regarding cookies
Is it possible to run SSL and non-SSL web applications on same standalone Wildfly?
I am using Wildfly 8.1.0 (Undertow) and I am having troubles at configuring this scenario...
For example, I know how to configure either HTTP or HTTPS themselves, but whenever I try to run a configuration for both, the HTTP response is redirected to the SSL one... :(
Could somebody please point out what to change for example in the default standalone.xml?
Yes it's possible.
first you need to add bellow code in ApplicationRealm
<server-identities>
<ssl>
<keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="abcd1234" alias="server" key-password="abcd1234"/>
</ssl>
</server-identities>
Then you required to add lisner for both http and https
<server name="default-server">
<http-listener name="default-http" socket-binding="http"/>
<https-listener name="default-https" socket-binding="https" security-realm="ApplicationRealm"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
Now configure the connector for both http and https
<subsystem xmlns="urn:jboss:domain:remoting:2.0">
<endpoint worker="default"/>
<http-connector name="http-remoting-connector" connector-ref="default-http" security-realm="ApplicationRealm"/>
<http-connector name="https-remoting-connector" connector-ref="default-https" security-realm="ApplicationRealm"/>
</subsystem>
But generally people won't keep enable both http and https. They redirect the request from http to https.
hay all.
maybe you have an answer
i have a client that need to go to my service but he is using proxy server, i have problem with the ssl connection. i have read a lot of answers, but what do i have to use in the end?
<system.net>
<defaultProxy useDefaultCredentials="true" >
</defaultProxy>
</system.net>
or something else ?
thank you
Yes in client configuration add:
<defaultProxy useDefaultCredentials="true">
<proxy bypassonlocal="True" proxyaddress="http://..." />
</defaultProxy>
And make sure that binding has useDefaultWebProxy="true" (should be default value).