RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT
> Is it true that all traffic seen by Tomcat must have been sent over TLS > between the user agent and AWS LB? Yes, that is true, at least it is my understanding... -Original Message- From: Mark Thomas Sent: Wednesday, August 31, 2022 12:57 PM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT On 31/08/2022 17:39, Yanhua Wusands wrote: > You are right, tomcat is sitting behind AWS LB, where is ssl enabled, once it > is passed that, tomcat is set up to listen 8080. > If I understand you correctly, we will need to setup SSL in TOMCAT as well in > order to have HSTS working, is it right? No. That is not correct. There are several options at this point. We need more information to identify the best one. Is it true that all traffic seen by Tomcat must have been sent over TLS between the user agent and AWS LB? Mark > > -Original Message- > From: Mark Thomas > Sent: Wednesday, August 31, 2022 11:21 AM > To: users@tomcat.apache.org > Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in > TOMCAT > > You don't have any TLS connectors configured so the HSTS filter isn't going > to do anything. > > Given you access the server via port 443 but Tomcat is only listening on port > 8080 you must have a reverse proxy configured somewhere that is likely > terminating the TLS. > > You need to configure HSTS wherever the TLS is being terminated. > > As an aside, you need to be *very* careful proxying secure traffic to an HTTP > connector on Tomcat. I trust that you have the appropriate configuration in > place (typically the RemoteIpValve) to ensure that Tomcat can correctly > identify which traffic has been received via a secure channel and which via > an insecure channel. > > Mark > > > On 31/08/2022 16:10, Yanhua Wusands wrote: >> > acceptorThreadCount="2" >> acceptCount="20" >> maxConnections="200" >> maxThreads="200" >> minSpareThreads="10" >> scheme="https" >> proxyPort="443" >> redirectPort="8443" >>/> >> >> >> >> >> >> >> >> >> >> >> >> >> >> -Original Message- >> From: Mark Thomas >> Sent: Wednesday, August 31, 2022 11:03 AM >> To: users@tomcat.apache.org >> Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in >> TOMCAT >> >> On 31/08/2022 15:36, Yanhua Wusands wrote: >>> We are using TOMCAT 9.0.40 on linux, and are trying setup >>> Strict-Transport-Security per requirement from our security team. >>> >>> We followed this note: >>> https://urldefense.com/v3/__https://knowledge.broadcom.com/external/ >>> a >>> r >>> ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5 >>> i >>> y >>> 8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe >>> 5 >>> h >>> TO4K-UbrvgSvSAepZe_e-U8$ >>> >>> Changed $CATALINA_HOME/conf/web.xml >>> >>> With: >>> >>> >>> >>>httpHeaderSecurity >>> >>> >>> org.apache.catalina.filters.HttpHeaderSecurityFilter>> f >>> i >>> lter-class> >>> >>>true >>> >>> >>> >>> hstsEnabled >>> >>> true >>> >>> >>> >>> >>> >>> hstsMaxAgeSeconds >>> >>> 31556927 >>> >>> >>> >>> >>> >>> And uncommented: >>> >>>httpHeaderSecurity >>>/* >>>REQUEST >>> >>> >>> After we restarted TOMCAT APACHE, we still couldn't see >>> Strict-Transport-Security using following curl cmd: >>> >>> curl -i -s >>> https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceau >>> t >>> o >>> .cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh! >>> G >>> A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K- >>> U b rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security >>> >>> I am reaching out to see if there is any additional steps need to be done >>> for settin
Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT
On 31/08/2022 17:39, Yanhua Wusands wrote: You are right, tomcat is sitting behind AWS LB, where is ssl enabled, once it is passed that, tomcat is set up to listen 8080. If I understand you correctly, we will need to setup SSL in TOMCAT as well in order to have HSTS working, is it right? No. That is not correct. There are several options at this point. We need more information to identify the best one. Is it true that all traffic seen by Tomcat must have been sent over TLS between the user agent and AWS LB? Mark -Original Message- From: Mark Thomas Sent: Wednesday, August 31, 2022 11:21 AM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT You don't have any TLS connectors configured so the HSTS filter isn't going to do anything. Given you access the server via port 443 but Tomcat is only listening on port 8080 you must have a reverse proxy configured somewhere that is likely terminating the TLS. You need to configure HSTS wherever the TLS is being terminated. As an aside, you need to be *very* careful proxying secure traffic to an HTTP connector on Tomcat. I trust that you have the appropriate configuration in place (typically the RemoteIpValve) to ensure that Tomcat can correctly identify which traffic has been received via a secure channel and which via an insecure channel. Mark On 31/08/2022 16:10, Yanhua Wusands wrote: -Original Message- From: Mark Thomas Sent: Wednesday, August 31, 2022 11:03 AM To: users@tomcat.apache.org Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT On 31/08/2022 15:36, Yanhua Wusands wrote: We are using TOMCAT 9.0.40 on linux, and are trying setup Strict-Transport-Security per requirement from our security team. We followed this note: https://urldefense.com/v3/__https://knowledge.broadcom.com/external/a r ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5i y 8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5 h TO4K-UbrvgSvSAepZe_e-U8$ Changed $CATALINA_HOME/conf/web.xml With: httpHeaderSecurity org.apache.catalina.filters.HttpHeaderSecurityFilter i lter-class> true hstsEnabled true hstsMaxAgeSeconds 31556927 And uncommented: httpHeaderSecurity /* REQUEST After we restarted TOMCAT APACHE, we still couldn't see Strict-Transport-Security using following curl cmd: curl -i -s https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceaut o .cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh! G A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-U b rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security I am reaching out to see if there is any additional steps need to be done for setting up this security flag. Please provide the Connector element(s) (with sensitive data like passwords masked) from your $CATALINA_BASE/conf/server.xml file. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT
You are right, tomcat is sitting behind AWS LB, where is ssl enabled, once it is passed that, tomcat is set up to listen 8080. If I understand you correctly, we will need to setup SSL in TOMCAT as well in order to have HSTS working, is it right? -Original Message- From: Mark Thomas Sent: Wednesday, August 31, 2022 11:21 AM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT You don't have any TLS connectors configured so the HSTS filter isn't going to do anything. Given you access the server via port 443 but Tomcat is only listening on port 8080 you must have a reverse proxy configured somewhere that is likely terminating the TLS. You need to configure HSTS wherever the TLS is being terminated. As an aside, you need to be *very* careful proxying secure traffic to an HTTP connector on Tomcat. I trust that you have the appropriate configuration in place (typically the RemoteIpValve) to ensure that Tomcat can correctly identify which traffic has been received via a secure channel and which via an insecure channel. Mark On 31/08/2022 16:10, Yanhua Wusands wrote: > acceptorThreadCount="2" > acceptCount="20" > maxConnections="200" > maxThreads="200" > minSpareThreads="10" > scheme="https" > proxyPort="443" > redirectPort="8443" > /> > > > > > > > > > > > > > > -----Original Message- > From: Mark Thomas > Sent: Wednesday, August 31, 2022 11:03 AM > To: users@tomcat.apache.org > Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in > TOMCAT > > On 31/08/2022 15:36, Yanhua Wusands wrote: >> We are using TOMCAT 9.0.40 on linux, and are trying setup >> Strict-Transport-Security per requirement from our security team. >> >> We followed this note: >> https://urldefense.com/v3/__https://knowledge.broadcom.com/external/a >> r >> ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5i >> y >> 8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5 >> h >> TO4K-UbrvgSvSAepZe_e-U8$ >> >> Changed $CATALINA_HOME/conf/web.xml >> >> With: >> >> >> >> httpHeaderSecurity >> >> >> org.apache.catalina.filters.HttpHeaderSecurityFilter> i >> lter-class> >> >> true >> >> >> >> hstsEnabled >> >> true >> >> >> >> >> >> hstsMaxAgeSeconds >> >> 31556927 >> >> >> >> >> >> And uncommented: >> >> httpHeaderSecurity >> /* >> REQUEST >> >> >> After we restarted TOMCAT APACHE, we still couldn't see >> Strict-Transport-Security using following curl cmd: >> >> curl -i -s >> https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceaut >> o >> .cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh! >> G >> A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-U >> b rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security >> >> I am reaching out to see if there is any additional steps need to be done >> for setting up this security flag. > > Please provide the Connector element(s) (with sensitive data like passwords > masked) from your $CATALINA_BASE/conf/server.xml file. > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT
You don't have any TLS connectors configured so the HSTS filter isn't going to do anything. Given you access the server via port 443 but Tomcat is only listening on port 8080 you must have a reverse proxy configured somewhere that is likely terminating the TLS. You need to configure HSTS wherever the TLS is being terminated. As an aside, you need to be *very* careful proxying secure traffic to an HTTP connector on Tomcat. I trust that you have the appropriate configuration in place (typically the RemoteIpValve) to ensure that Tomcat can correctly identify which traffic has been received via a secure channel and which via an insecure channel. Mark On 31/08/2022 16:10, Yanhua Wusands wrote: -Original Message- From: Mark Thomas Sent: Wednesday, August 31, 2022 11:03 AM To: users@tomcat.apache.org Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT On 31/08/2022 15:36, Yanhua Wusands wrote: We are using TOMCAT 9.0.40 on linux, and are trying setup Strict-Transport-Security per requirement from our security team. We followed this note: https://urldefense.com/v3/__https://knowledge.broadcom.com/external/ar ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5iy 8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5h TO4K-UbrvgSvSAepZe_e-U8$ Changed $CATALINA_HOME/conf/web.xml With: httpHeaderSecurity org.apache.catalina.filters.HttpHeaderSecurityFilter lter-class> true hstsEnabled true hstsMaxAgeSeconds 31556927 And uncommented: httpHeaderSecurity /* REQUEST After we restarted TOMCAT APACHE, we still couldn't see Strict-Transport-Security using following curl cmd: curl -i -s https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceauto .cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh!G A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-Ub rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security I am reaching out to see if there is any additional steps need to be done for setting up this security flag. Please provide the Connector element(s) (with sensitive data like passwords masked) from your $CATALINA_BASE/conf/server.xml file. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT
-Original Message- From: Mark Thomas Sent: Wednesday, August 31, 2022 11:03 AM To: users@tomcat.apache.org Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT On 31/08/2022 15:36, Yanhua Wusands wrote: > We are using TOMCAT 9.0.40 on linux, and are trying setup > Strict-Transport-Security per requirement from our security team. > > We followed this note: > https://urldefense.com/v3/__https://knowledge.broadcom.com/external/ar > ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5iy > 8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5h > TO4K-UbrvgSvSAepZe_e-U8$ > > Changed $CATALINA_HOME/conf/web.xml > > With: > > > > httpHeaderSecurity > > > org.apache.catalina.filters.HttpHeaderSecurityFilter lter-class> > > true > > > > hstsEnabled > > true > > > > > > hstsMaxAgeSeconds > > 31556927 > > > > > > And uncommented: > > httpHeaderSecurity > /* > REQUEST > > > After we restarted TOMCAT APACHE, we still couldn't see > Strict-Transport-Security using following curl cmd: > > curl -i -s > https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceauto > .cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh!G > A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-Ub > rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security > > I am reaching out to see if there is any additional steps need to be done for > setting up this security flag. Please provide the Connector element(s) (with sensitive data like passwords masked) from your $CATALINA_BASE/conf/server.xml file. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
