We Keep Coding

Redirect HTTP to HTTPS:PORT in Tomcat

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
<Connector executor="tomcatThreadPool"
port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?

You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you requre authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So you don't have to change it on the web.xml of your webapp.
That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:
<!-- Default tomcat connector, changed the redirectPort from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig>
<Certificate certificateKeyFile="/your/own/privkey.pem"
certificateFile="/eyour/own/cert.pem"
certificateChainFile="/your/own/chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>

The connector configuration you shown does not redirect a specific URL in the way you suppose.
That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.
I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.
So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.
Edit
As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.
To configure this HTTPS connector, you can use a configuration as following:
<Connector connectionTimeout="20000"
acceptCount="100" scheme="https" secure="true"
port="443" clientAuth="false" sslProtocol="TLS"
keystoreFile="PATH_TO_KEY_STORE"
keystorePass="KEY_STORE_PASS"
keyAlias="KEY_STORE_ALIAS"/>
This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.
The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:
As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
There is no way to overwrite that setting on per-application basis.
If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.
// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.

If you use tomcat with httpd, you can use RewriteEngine.
With port specified is like the followings in the http.conf:
NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
ServerName www.example.com
Redirect permanent / https://secure.example.com/
</VirtualHost>
See: RewriteHTTPToHTTPS and Redirect Request to SSL

Putting transport-guarantee CONFIDENTIAL in conf/web.xml is good, but it does not cover the manager app and the host-manager app (Tomcat 8.5.38).
My solution is to put a valve in conf/context.xml that redirects all http requests to https.
https://bitbucket.org/bunkenburg/https-valve/src/master/

It's too late to answer, still I'm sharing my experience over the same, do the following changes in
Apache Software Foundation\Tomcat 8.5\conf\web.xml
Take a restart.
Pre-Req: configure https port and disable http port(optional[I did it])

<Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443"
SSLEnabled="true"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="550"
minSpareThreads="25"
scheme="https"
secure="true"
compression="on"
protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig protocols="TLSv1.2"
certificateVerification="none"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
<Certificate type="RSA"
certificateKeystoreFile="/ssl/self-signed/your-keystore.jks"
certificateKeystorePassword="123456"
certificateKeyAlias="your-alias" />
</SSLHostConfig>
   </Connector>

Single-Sign-On (JSESSIONIDSSO Cookie) in Wildfly 9 not working behind Apache

I'm using Wildfly 9.0.1.Final with single-sign-on to secure my backend and frontend with the following configuration:
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<single-sign-on path="/"/>
</host>
</server>
...
In my development environment, everything is working fine. But if I use FORM login in production environment, where the wildfly is behind an apache server, clients only get JSESSIONID but no JSESSIONIDSSO.
The corresponding apache config is:
ProxyPass /user http://localhost:10080/user
ProxyPassReverse /user http://localhost:10080/user
ProxyPass /backend http://localhost:10080/backend
ProxyPassReverse /backend http://localhost:10080/backend
What could be the problem?

This could be happening because of couple of reasons:
The domain name on the cookie will be reflecting the wildfly domain,
which will be different than the actual domain, which is being used
by the client.
and OR
The path which is set on the cookie is different from the path from where the reverse proxy call being made.
In any of the above case the Set-Cookie header will be received by the browser, its just that it will silently discard it.
You can add the following extra configuration in Apache to solve the issue
ProxyPassReverseCookiePath /example.com /
ProxyPassReverseCookieDomain localhost example.com
Please refer to the Apache documentation for more details and check the error logs for Warning regarding cookies

How to have 2 different web/app servers for the same domain but different context path?

I'm running a standard PHP application on my domain and did set that to www.johndoe.com/p/
Now, the port 80 is apparently serviced by this HTTP server (Apache, not Tomcat). Also, I installed Wildfly 8.2 on this server on port 8000. How, can I use Wildfly WAR applications on the same domain e.g. www.johndoe.com/w/?
I'm positive that there is a way of redirecting the /w/ requests to the Java EE server and keep the /p/ serviced by Apache, right?
I assume mod_proxy (http gateway) and mod_proxy_ajp are simple solutions. Can anyone reflect on my requirements and the the mod_proxy/ajp functionality?
ProxyPass /w ajp://localhost:8000/w
ProxyPassReverse /w http://www.johndoe.com/w
I do not demand load balacing or anything else sophisticated. Just the split of the two contexti. Only port 80 is accessible from the internet.
Thank you.

Okay. Here the resolution.
I added to Wildfly 8.2 standalone.xml the following ajp-listener...
<server name="default-server">
<http-listener name="default" socket-binding="http"/>
<ajp-listener name="ajp" socket-binding="ajp"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
... and bind it to the socket ...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:28009}"/>
<socket-binding name="http" port="${jboss.http.port:28080}"/>
<socket-binding name="https" port="${jboss.https.port:28443}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="mail.johndoe.com" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
Invoke service wildfly reload or service wildfly restart. To Wildfly listening on AJP requests.
Finally, add to your http.conf file of your Apache Virtual Host Domain the following:
ProxyPass /w ajp://127.0.0.1:28009/w
ProxyPassReverse /w ajp://127.0.0.1:28009/w
Also for Apache, restart with service apache2 reload.
Caution. In Parallels Plesk, the virtual host config file must be edited in /var/www/vhosts/system/johndoe.com/conf/http.conf and NOT in /var/vhosts/johndoe.com/conf/http.conf

Tomcat subdomain association

I have a Spring application accessible as www.mydomain.com on Amazon AWS. Now I want another Spring application under the same Amazon instance (and hence using the same tomcat) to be accessible under mysubdomain.mydomain.com. My tomcat is fronted with Apache.
App corresponding to www.mydomain.com is located at:
/env/tomcat/apache-tomcat-7.0.26/webapps/ROOT
For the app to be accessible at mysubdomain.mydomain.com, I have created another folder at:
/env/tomcat/apache-tomcat-7.0.26/mysubdomainapps/ROOT
Below are the contents of server.xml and httpd.conf
server.xml
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
**<Host name="mysubdomain.mydomain.com" appBase="mysubdomainapps" unpackWARs="true" autoDeploy="true"></Host>**
</Engine>
</Service>
</Server>
httpd.conf
<VirtualHost *:80>
ServerName localhost
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
<VirtualHost *:80>
ServerName mysubdomain.mydomain.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
It's been hours I'm trying to sort it out, but couldn't succeed.
I'd really appreciate your help.
Thanks,
James

It worked! For DNS, I had created a CNAME earlier. I tried with A-record, and it worked great!

Tomcat / Apache / Grails Config

Hoping someone can help / advise as i'm not very familiar with Apache / Tomcat .. I already have Apache in front of Tomcat with grails app deployed. I have IIs setup (by someone else) which redirects www.xyz.com/myApp to an Apache instance which runs a grails app. In my apache conf I have a proxy ..
ProxyPass /myApp http://localhost:8080/myApp
ProxyPassReverse /myApp http://localhost:8080/myApp
and I have a connector defined in my tomcat server.xml
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
This works without problem
I now want to add another app so in IIS I had setup for me www.xyz.com/myOtherApp
with
ProxyPass /myOtherApp http://localhost:8081/anotherApp
ProxyPassReverse /myOtherApp http://localhost:8081/anotherApp
in my Apache conf I added another connector
<Connector port="8081" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
When i go to www.xyz.com/myOtherApp i get the url rendered (correctly i think) as https://www.xyz.com/anotherApp but with a 404 error saying "Object not Found" ..
Can anyone help me with the config ? Is it possible to have 2 connectors on different ports
with the same proxyName ? As i say i'm not familiar with Apache/Tomcat and i'd really like to get this done asap ..
Thanks
Hi #Stefan, The apps do live on the same server and domain so i eliminated one of the connector definitions . I'm now left with
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
proxyName="www.xyz.com"
proxyPort="443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>
Also I switched on the logging (JULI) but it didn't seem to report anything . The apache error log just gives me a 404 .. I left it as HTTP rather than AJP as i'd have to setup HTTPS and i'm not sure how easy that is. So i'm left with the same problem in that one app works, the other doesn't .. Is it possible to run multiple grails apps over http as opposed to using ajp and virtual hosts ? Forgive me if i'm being stupid - i haven't had much exposure to webapps and i seem to have come to a grinding halt at what i thought should have been relatively easy - deployment !

If you want to use Apache in front of Tomcat, it's better to use mod_proxy_ajp instead of mod_proxy_http. For setting this up, see https://confluence.sakaiproject.org/display/~steve.swinsburg/Fronting+Tomcat+with+Apache+via+mod_proxy_ajp.
Be sore to add
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
Allow from localhost
</Proxy>
to your config to prevent abuse of the proxy.
If /myApp and /myOtherApp reside in the same tomcat engine, you only need a single connector for both apps. Aside from this, I can see no obvious error in your setup. Maybe you could post your tomcat's server.xml. During working on the config, using LogLevel Debug might be a good idea.

This isn't a direct answer to your question, but I was configuring Tomcat behind Apache before and I had problem with it.
I now use Amazons Elastic beanstalk...where you can deploy your grails app war file directly. It works a beautifully, especially with in built auto scaling and health monitoring!
Less configuration == Ease of life.