I'm using Tomcat v8.5.73.
On Tomcat,
<Connector URIEncoding="UTF-8" connectionTimeout="999999" port="8090" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" >
<SSLHostConfig>
<Certificate certificateKeyFile="E:/OpenSSL/key/test2/private.key" certificateFile="E:/OpenSSL/key/test2/certificate.crt" certificateChainFile="E:/OpenSSL/key/test2/ca_bundle.crt" type="RSA" />
</SSLHostConfig>
</Connector>
I wrote the above code in server.xml and
this code in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTP</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Redirecting works perfectly and I thought there was no problem.
When I enter http://localhost:8080 or https://localhost:8443, it works perfectly.
However, when I enter http://myip(192.xxx.xx.xx):8080 it works, while https://myip(192.xxx.xx.xx):8443 doesn't work, with ERR_CONNECTION_REFUSED.
P.S. I added an inbound rule in the firewall for ports 443/8443.
I have one Linux server where I run three different websites.
Server.xml looks like the following:
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="1000" SSLEnabled="true" defaultSSLHostConfigName="sub1.domain1.info">
<SSLHostConfig hostName="sub1.domain1.info">
<Certificate certificateFile="conf/app1/cert.pem" certificateKeyFile="conf/app1/privkey.pem" certificateChainFile="conf/app1/chain.pem"
type="RSA" />
</SSLHostConfig>
<SSLHostConfig hostName="www.domain2.com/">
<Certificate certificateFile="conf/app2/cert.pem" certificateKeyFile="conf/app2/privkey.pem" certificateChainFile="conf/app2/chain.pem"
type="RSA" />
</SSLHostConfig>
<SSLHostConfig hostName="domain3.ac.in">
<Certificate certificateFile="conf/app3/cert.pem" certificateKeyFile="conf/app3/privkey.pem" certificateChainFile="conf/app3/chain.pem"
type="RSA" />
</SSLHostConfig>
<SSLHostConfig hostName="*.domain3.ac.in">
<Certificate certificateFile="conf/app2/cert.pem" certificateKeyFile="conf/app2/privkey.pem" certificateChainFile="conf/app2/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
<Host name="sub1.domain1.info" appBase="/home/applocation" unpackWARs="false" deployXML="false">
<Alias>sub1.domain1.info</Alias>
<Context path="" reloadable="true" docBase="/home/applocation" debug="1"/>
<Context docBase="/home/filepath" path="/pattern"/>
</Host>
<Host name="domain2.com" appBase="/home/app2path" unpackWARs="false" deployXML="false">
<Alias>www.domain2.com</Alias>
<Context path="" reloadable="true" docBase="/home/app2path" debug="1"/>
</Host>
<Host name="domain3.ac.in" appBase="/home/app3path" unpackWARs="false" deployXML="false">
<Alias>www.domain3.ac.in</Alias>
<Context path="" reloadable="true" docBase="/home/app3path" debug="1"/>
</Host>
Certificates were generated using certbot:
certbot certonly --standalone -d domainName
For some reason, when domain2.com is loaded in the browser, it says the certificate is not valid. When I check the details of the certificate, it carries the details of sub1.domain1.info's certificate (issued to sub1.domain1.info).
I am confused because it worked for domain3.ac.in.
Certificates were first generated for sub1.domain1.com, followed by domain3.ac.in and at last www.domain2.com (generated at least 3 times for this domain now).
One thing I noted is that I got a warning while generating the certificate for www.domain2.com that said something like "this might not work", but it got generated anyway.
Also, I am new to SSL with Tomcat, so please suggest any other necessary changes as well.
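The following is an added example (my own code, not from either of the two questions above or from Tomcat) that checks the two things I would verify in these layouts before regenerating any certificate. First, for every Host name and Alias a browser may send as SNI, it reports which SSLHostConfig Tomcat 8.5 would select; the lookup mimics Tomcat's own rule (exact hostName match first, then a `*.` wildcard standing in for the first label), and a name that matches nothing is served the defaultSSLHostConfigName certificate, which is consistent with the symptom described for domain2.com. Second, it lists the address each connector binds to, because a connector with address="127.0.0.1" answers on localhost but refuses connections on the machine's LAN IP, the split seen in the first question. The sample server.xml is constructed from the three-site configuration above (trailing slash in the hostName kept exactly as posted); the loopback-only connector is a constructed counter-example.

```python
"""Lint SSLHostConfig/Host coverage and connector bind addresses in a Tomcat 8.5 server.xml."""
import re
import xml.etree.ElementTree as ET

# Constructed sample reproducing the three-site layout from the question above
# (connectors and hosts only, wrapped in the <Server>/<Service> a real file has).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" defaultSSLHostConfigName="sub1.domain1.info">
  <SSLHostConfig hostName="sub1.domain1.info">
    <Certificate certificateFile="conf/app1/cert.pem" certificateKeyFile="conf/app1/privkey.pem" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.domain2.com/">
    <Certificate certificateFile="conf/app2/cert.pem" certificateKeyFile="conf/app2/privkey.pem" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="domain3.ac.in">
    <Certificate certificateFile="conf/app3/cert.pem" certificateKeyFile="conf/app3/privkey.pem" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="*.domain3.ac.in">
    <Certificate certificateFile="conf/app2/cert.pem" certificateKeyFile="conf/app2/privkey.pem" type="RSA"/>
  </SSLHostConfig>
</Connector>
<Engine name="Catalina" defaultHost="sub1.domain1.info">
  <Host name="sub1.domain1.info" appBase="/home/applocation"><Alias>sub1.domain1.info</Alias></Host>
  <Host name="domain2.com" appBase="/home/app2path"><Alias>www.domain2.com</Alias></Host>
  <Host name="domain3.ac.in" appBase="/home/app3path"><Alias>www.domain3.ac.in</Alias></Host>
</Engine></Service></Server>"""

# Constructed counter-example: a TLS connector bound to loopback only.
LOOPBACK_ONLY_XML = """<Server><Service name="Catalina">
<Connector port="8443" address="127.0.0.1" protocol="HTTP/1.1" SSLEnabled="true"/>
</Service></Server>"""

# A DNS name, optionally with a leading "*." wildcard label. Anything else (a trailing
# "/", a scheme, a port) can never equal the SNI value a client sends.
HOSTNAME_RE = re.compile(r"^(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def sni_lookup(configs, sni_name):
    """Mimic Tomcat's SSLHostConfig selection: exact match first, then the
    wildcard entry obtained by replacing the first label with '*'."""
    if sni_name in configs:
        return sni_name
    if "." in sni_name:
        wildcard = "*." + sni_name.split(".", 1)[1]
        if wildcard in configs:
            return wildcard
    return None


def lint_sni(server_xml):
    """Return a list of findings (strings) about SSLHostConfig/Host coverage."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        default = conn.get("defaultSSLHostConfigName", "_default_")
        configs = {}  # hostName -> tuple of certificateFile values
        for shc in conn.findall("SSLHostConfig"):
            name = shc.get("hostName", "_default_")
            if name != "_default_" and not HOSTNAME_RE.match(name):
                findings.append(f"port {port}: hostName {name!r} is not a host name, "
                                "so no SNI value will ever select it")
            configs[name] = tuple(sorted(c.get("certificateFile", "") for c in shc.findall("Certificate")))
        if default not in configs:
            findings.append(f"port {port}: defaultSSLHostConfigName {default!r} has no SSLHostConfig")
        # Every name a browser may use for a Host must resolve to its own SSLHostConfig.
        for host in root.iter("Host"):
            names = [host.get("name")] + [a.text.strip() for a in host.findall("Alias") if a.text]
            for name in names:
                if sni_lookup(configs, name) is None:
                    findings.append(f"port {port}: SNI {name!r} matches no SSLHostConfig; "
                                    f"clients get the {default!r} certificate {configs.get(default)}")
        # One certificate file behind two host names: its SAN list must cover both.
        by_cert = {}
        for name, certs in configs.items():
            for cert in certs:
                by_cert.setdefault(cert, []).append(name)
        for cert, names in by_cert.items():
            if len(names) > 1:
                findings.append(f"port {port}: {cert} is used for {names}; its SAN list must cover all of them")
    return findings


def connector_bindings(server_xml):
    """Return {port: (address, ssl_enabled)}; address None means all interfaces."""
    root = ET.fromstring(server_xml)
    return {conn.get("port"): (conn.get("address"), conn.get("SSLEnabled", "false").lower() == "true")
            for conn in root.iter("Connector")}


if __name__ == "__main__":
    for line in lint_sni(SAMPLE_SERVER_XML):
        print(line)
    for xml_text in (SAMPLE_SERVER_XML, LOOPBACK_ONLY_XML):
        for port, (addr, ssl) in connector_bindings(xml_text).items():
            print(f"connector {port}: address={addr or 'all interfaces'} ssl={ssl}")
```

Run against the sample, the lint reports that `www.domain2.com/` can never be selected, that both `domain2.com` and `www.domain2.com` fall back to the sub1.domain1.info certificate, and that conf/app2/cert.pem is shared by two host names; `www.domain3.ac.in` is covered by the `*.domain3.ac.in` wildcard, which is why that site works.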
I have a domain and 2 web servers running on it on different ports:
1) https://intellirehab.usim.edu.my (APACHE)
2) http://intellirehab.usim.edu.my:8081 (TOMCAT)
I have SSL certificates for both of them: server.crt (for APACHE) and server.jks (for TOMCAT). I'm done with the configuration part on the APACHE server and HTTPS works just fine for me. BUT I'm trying to configure the TOMCAT server to use an SSL connection and it doesn't work. I am attempting to follow the instructions for setting up SSL in Tomcat 7, but it still doesn't work.
This is my server.xml file:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> REMOVE IT IF USE KEYSTORE-->
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="1048576" maxThreads="1000" scheme="https" secure="true" SSLEnabled="true" keystoreFile="conf/server.jks" keystorePass="*******" clientAuth="false" sslProtocol="TLS"
/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="intellirehab.usim.edu.my">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
</Realm>
<Host name="intellirehab.usim.edu.my" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
I've solved this problem by configuring SSL on the 8081 connector and removing the 8443 connector. Thanks!
To be able to display the download status in a Java application, I need to disable GZIP compression on a WildFly 10 server. It seems to be enabled by default. I found a lot of pages on how to enable it, nothing on how to disable it. Any clue?
EDIT
I tried removing the gzip filter completely from the config, as you can see below. The files I download (3 MB) are still compressed during transfer.
<subsystem xmlns="urn:jboss:domain:undertow:3.1" statistics-enabled="true">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
I'm trying to secure my Tomcat 7 setup. I currently have two problems; here comes my first one:
I basically use the default configuration; I just extended the SSL configuration to get an A rating on SSL Labs.
My problem is that I want to disable RC4 since it is insecure, so I added the cipher suites which I trust (well, it is Mozilla's list). It ends with !aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK, which AFAIK means that those algorithms should not be used. But RC4 is still used. Here is my full configuration (without comments):
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" SSLHonorCipherOrder="true"
SSLDisableCompression="true" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
SSLCertificateChainFile="/root/ca.crt"
SSLCACertificatePath="/etc/ssl/certs"
keystoreFile="/path/to/keystore" keystorePass="pwd" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
If you know what I'm doing wrong, please let me know.
You've formatted your cipher suite list as if you were using APR / OpenSSL, but you are still configured to use the NIO connector, which relies on Java to handle the connection and as such needs the cipher list in Java's format. Put your preferred suites into a comma-delimited list (no classes of suites, only explicit configurations), restart, and see if that doesn't resolve it for you.
Oracle Java 8 cipher names can be found here: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
You can use this connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" SSLHonorCipherOrder="true"
SSLDisableCompression="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
keystoreFile="/path/to/keystore" keystorePass="pwd" />
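As an added example (my own code, not the answer's and not Tomcat's), the check below reads a Tomcat 7 server.xml and reports, for each SSLEnabled connector, whether its TLS attributes belong to the implementation that connector will actually run on. An explicit Http11Protocol or Http11NioProtocol class uses JSSE, which reads `ciphers` (a comma-separated list of JSSE suite names) and `keystoreFile`; Http11AprProtocol, or `protocol="HTTP/1.1"` with the AprLifecycleListener active, uses OpenSSL and reads `SSLCipherSuite` and the PEM file attributes. Attributes from the other family are silently ignored, which is the mistake in the question: the OpenSSL-style SSLCipherSuite string on a JSSE connector leaves the JVM's default suite list in effect, so RC4 can still be negotiated. The three samples are constructed: the question's connector, the answer's connector, and the keystore connector from the earlier Tomcat 7 question with the APR listener left enabled instead of commented out, the case that question's "REMOVE IT IF USE KEYSTORE" comment guards against. Cipher lists are shortened because only their format matters here.

```python
"""Check that each SSL connector in a Tomcat 7 server.xml is configured for the
TLS implementation it will actually use (JSSE or APR/OpenSSL)."""
import re
import xml.etree.ElementTree as ET

# Constructed samples: a minimal <Server> around the connector under discussion.
QUESTION_XML = """<Server>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
  SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!RC4:!3DES:!MD5"
  SSLCertificateChainFile="/root/ca.crt" keystoreFile="/path/to/keystore" keystorePass="pwd"/>
</Service></Server>"""

ANSWER_XML = """<Server>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
  keystoreFile="/path/to/keystore" keystorePass="pwd"/>
</Service></Server>"""

# The keystore connector from the Tomcat 7 question, with the APR listener active.
APR_AUTOSELECT_XML = """<Server>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
  keystoreFile="conf/server.jks" keystorePass="secret" sslProtocol="TLS"/>
</Service></Server>"""

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# Read only by the APR/OpenSSL connector; a JSSE connector ignores them silently.
OPENSSL_ONLY = ("SSLCipherSuite", "SSLCertificateFile", "SSLCertificateKeyFile",
                "SSLCertificateChainFile", "SSLCACertificateFile", "SSLCACertificatePath")
# Read only by JSSE; the APR connector takes PEM files and SSLCipherSuite instead.
JSSE_ONLY = ("keystoreFile", "keystorePass", "keystoreType", "ciphers")
JSSE_SUITE = re.compile(r"^(?:TLS|SSL)_[A-Za-z0-9_]+_WITH_[A-Za-z0-9_]+$")
WEAK = ("RC4", "3DES", "DES_CBC", "MD5", "NULL", "EXPORT", "anon")


def apr_loaded(root):
    """True when the APR lifecycle listener with SSLEngine="on" is configured."""
    return any(l.get("className") == APR_LISTENER and l.get("SSLEngine", "").lower() == "on"
               for l in root.iter("Listener"))


def uses_jsse(conn, apr):
    proto = conn.get("protocol", "HTTP/1.1")
    if proto == APR_PROTOCOL:
        return False
    # "HTTP/1.1" auto-selects APR when the APR listener is active; an explicit
    # Http11Protocol/Http11NioProtocol class always uses JSSE.
    return not (proto == "HTTP/1.1" and apr)


def lint_connector(conn, jsse):
    findings = []
    if jsse:
        for attr in OPENSSL_ONLY:
            if attr in conn.attrib:
                findings.append(f"{attr} is ignored by the JSSE connector; JSSE takes a "
                                "comma-separated list of JSSE suite names in ciphers=")
        if "ciphers" not in conn.attrib:
            findings.append("no ciphers attribute: the JVM's default suite list is used")
        seen = set()
        for name in (c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()):
            if not JSSE_SUITE.match(name):
                findings.append(f"ciphers entry {name!r} is not a JSSE suite name "
                                "(OpenSSL names and !exclusions are not understood)")
            elif any(w in name for w in WEAK):
                findings.append(f"ciphers entry {name!r} enables a weak suite")
            if name in seen:
                findings.append(f"ciphers entry {name!r} is listed twice")
            seen.add(name)
    else:
        for attr in JSSE_ONLY:
            if attr in conn.attrib:
                findings.append(f"{attr} is ignored by the APR connector; use "
                                "SSLCertificateFile/SSLCertificateKeyFile and SSLCipherSuite")
        if "SSLCipherSuite" not in conn.attrib:
            findings.append("no SSLCipherSuite: OpenSSL's default suite list is used")
    return findings


def lint(server_xml):
    """Return {port: [findings]} for every SSLEnabled connector in the file."""
    root = ET.fromstring(server_xml)
    apr = apr_loaded(root)
    return {conn.get("port"): lint_connector(conn, uses_jsse(conn, apr))
            for conn in root.iter("Connector")
            if conn.get("SSLEnabled", "").lower() == "true"}


if __name__ == "__main__":
    for label, xml_text in (("question", QUESTION_XML), ("answer", ANSWER_XML),
                            ("apr auto-select", APR_AUTOSELECT_XML)):
        for port, findings in lint(xml_text).items():
            print(f"[{label}] connector {port}: {findings or 'OK'}")
```

On the question's connector the lint flags SSLCipherSuite and SSLCertificateChainFile as ignored and notes that no `ciphers` attribute is set; on the answer's connector the only finding is a suite listed twice; on the APR auto-select sample it reports that keystoreFile and keystorePass are ignored, the mirror image of the first problem.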