Re: Query: HSTS | Tomcat 9.0.50
Deepti, On 1/16/23 23:00, Deepti Sharma S wrote: 1. There is no reverse proxy in between tomcat and UA in my use case. 2. In Tomcat/conf/server.xml I have below connector settings : When I configure HSTS in Tomcat/conf/web.xml and try to access website via HTTPS https://[domain]:8443, HSTS header is returned but ignored If the HSTS header is returned, that's all Tomcat can do. as in when I change URL to http://[domain]:8080 URL is not changed to secured URL. 3. When I change conf/server.xml with below connector settings along with HSTS : Try to access website via HTTPS https://[domain]:433 URL is changed to https://[domain], HSTS header is returned and honoured as in when I change URL to http://[domain]:80 URL is changed to secured URL https://[domain]. So my query is how to configure HSTS on explicit custom ports(like in my case mentioned in point 2 8080/8443) or what is the recommendation, please suggest? I wonder if browsers are not sensitive to the port number being used for HTTPS. The HSTS header is intended to tell the browser "only use HTTPS on this site" but it does allow a port number to be specified. The browser *could* retain the port number as well, but that might not be correct or it may not be a part of the spec. I'm sorry, I'm not familiar enough with the spec to know whether this could be a problem or not, but it seems plausible. But if Tomcat is returning the HSTS header as expected, there isn't really any more that you can do. Thanks, -chris -Original Message- From: Olaf Kock Sent: 16 January 2023 13:56 To: users@tomcat.apache.org Subject: Re: Query: HSTS | Tomcat 9.0.50 On 16.01.23 06:57, Deepti Sharma S wrote: Hello Team, Can you please help us for below query: Query : How to enable HSTS in Apache Tomcat on non-default ports? We have custom ports for http and https and we want to enable HSTS on those custom ports. Note: We could see HSTS is working with default ports 80/443 though it's not working on other custom ports, please let us know if there are different steps to enable HSTS on non-default ports. In order to "work", HSTS *must* be on https, by specification. When you say you got it working on 80/443, you haven't. You might see the headers, but it's not working. Most likely the header is ignored by the browser. Whereever you handle your https termination - that might be on Tomcat, or on a reverse proxy that sees traffic before Tomcat does - you'll best do the HSTS handling. /That/ server knows it's serving https. And there the header actually is valid and working. If you try to configure a http (not https) connector on Tomcat for adding the HSTS headers, it's well within the specification to ignore that setting. Technically you can do some trickery around that, but to make that sensible and safely would take more than a quick answer. And leave room for misinterpretation and configuration mistakes. So: Configure it anyhwere you terminate https, and ignore it on http. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Query: HSTS | Tomcat 9.0.50
On 17.01.23 13:09, Olaf Kock wrote: On 17.01.23 11:45, Deepti Sharma S wrote: Hello, I have tried with both Chrome and Mozilla in private window where information is not cached. HSTS is not working on custom ports. I'm not confident that HSTS is among those cached values that are not shared between normal and incognito mode. Try curl -v As far as I know, curl does not save any HSTS state anywhere. Thomas' suggestion makes the most sense: Once your browser knows positively that it absolutely must connect through https on port 443, I can easily imagine it never even to attempt to try 8080. I should have edited ^ this after adding the specs from RFC 6797: Once the browser knows that it *must* use https for this host, it will not connect through http, no matter which port. The browser keeps records of this by domain name, not by name/port. Also, according to the specs: The browser will - under no circumstances - connect to your host through http. The specs say: |The UA MUST replace the URI scheme with "https" [RFC2818], and if the URI contains an explicit port component of "80", then the UA MUST convert the port component to be "443", or>> if the URI contains an explicit port component that is not equal to "80", the port component value MUST be preserved; otherwise, if the URI does not contain an explicit port component, the UA MUST NOT add one. NOTE: These steps ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS Host.| So, if you connect to 8080 from your browser, your browser would try to speak https to port 8080 if it has already seen the HSTS header before. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Query: HSTS | Tomcat 9.0.50
On 17.01.23 11:45, Deepti Sharma S wrote: Hello, I have tried with both Chrome and Mozilla in private window where information is not cached. HSTS is not working on custom ports. I'm not confident that HSTS is among those cached values that are not shared between normal and incognito mode. Try curl -v As far as I know, curl does not save any HSTS state anywhere. Thomas' suggestion makes the most sense: Once your browser knows positively that it absolutely must connect through https on port 443, I can easily imagine it never even to attempt to try 8080. Also, according to the specs: The browser will - under no circumstances - connect to your host through http. The specs say: |The UA MUST replace the URI scheme with "https" [RFC2818], and if the URI contains an explicit port component of "80", then the UA MUST convert the port component to be "443", or>> if the URI contains an explicit port component that is not equal to "80", the port component value MUST be preserved; otherwise, if the URI does not contain an explicit port component, the UA MUST NOT add one. NOTE: These steps ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS Host.| So, if you connect to 8080 from your browser, your browser would try to speak https to port 8080 if it has already seen the HSTS header before. Olaf
RE: Query: HSTS | Tomcat 9.0.50
Hello, I have tried with both Chrome and Mozilla in private window where information is not cached. HSTS is not working on custom ports. Regards, Deepti Sharma PMP(r) & ITIL -Original Message- From: Thomas Hoffmann (Speed4Trade GmbH) Sent: 17 January 2023 15:40 To: Tomcat Users List Subject: AW: Query: HSTS | Tomcat 9.0.50 Hello, Which browser are you using? Can you clear the hsts information in the browser after changing the port in your configuration? I think browsers cache the hsts and port Informationen and don't switch to other ports with hsts. Greetings, Thomas Von: Deepti Sharma S Gesendet: Dienstag, 17. Januar 2023 05:00:35 An: Tomcat Users List Betreff: RE: Query: HSTS | Tomcat 9.0.50 Hi Olaf, Let me explain more on my use-case : 1. There is no reverse proxy in between tomcat and UA in my use case. 2. In Tomcat/conf/server.xml I have below connector settings : When I configure HSTS in Tomcat/conf/web.xml and try to access website via HTTPS https://[domain]:8443, HSTS header is returned but ignored as in when I change URL to http://[domain]:8080 URL is not changed to secured URL. 3. When I change conf/server.xml with below connector settings along with HSTS : Try to access website via HTTPS https://[domain]:433 URL is changed to https://[domain], HSTS header is returned and honoured as in when I change URL to http://[domain]:80 URL is changed to secured URL https://[domain]. So my query is how to configure HSTS on explicit custom ports(like in my case mentioned in point 2 8080/8443) or what is the recommendation, please suggest? Regards, Deepti Sharma PMP(r) & ITIL -Original Message- From: Olaf Kock Sent: 16 January 2023 13:56 To: users@tomcat.apache.org Subject: Re: Query: HSTS | Tomcat 9.0.50 On 16.01.23 06:57, Deepti Sharma S wrote: > Hello Team, > > Can you please help us for below query: > > Query : How to enable HSTS in Apache Tomcat on non-default ports? > We have custom ports for http and https and we want to enable HSTS on > those custom ports. > > Note: We could see HSTS is working with default ports 80/443 though it's not > working on other custom ports, please let us know if there are different > steps to enable HSTS on non-default ports. > In order to "work", HSTS *must* be on https, by specification. When you say you got it working on 80/443, you haven't. You might see the headers, but it's not working. Most likely the header is ignored by the browser. Whereever you handle your https termination - that might be on Tomcat, or on a reverse proxy that sees traffic before Tomcat does - you'll best do the HSTS handling. /That/ server knows it's serving https. And there the header actually is valid and working. If you try to configure a http (not https) connector on Tomcat for adding the HSTS headers, it's well within the specification to ignore that setting. Technically you can do some trickery around that, but to make that sensible and safely would take more than a quick answer. And leave room for misinterpretation and configuration mistakes. So: Configure it anyhwere you terminate https, and ignore it on http. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Query: HSTS | Tomcat 9.0.50
Hi Olaf, Let me explain more on my use-case : 1. There is no reverse proxy in between tomcat and UA in my use case. 2. In Tomcat/conf/server.xml I have below connector settings : When I configure HSTS in Tomcat/conf/web.xml and try to access website via HTTPS https://[domain]:8443, HSTS header is returned but ignored as in when I change URL to http://[domain]:8080 URL is not changed to secured URL. 3. When I change conf/server.xml with below connector settings along with HSTS : Try to access website via HTTPS https://[domain]:433 URL is changed to https://[domain], HSTS header is returned and honoured as in when I change URL to http://[domain]:80 URL is changed to secured URL https://[domain]. So my query is how to configure HSTS on explicit custom ports(like in my case mentioned in point 2 8080/8443) or what is the recommendation, please suggest? Regards, Deepti Sharma PMPĀ® & ITIL -Original Message- From: Olaf Kock Sent: 16 January 2023 13:56 To: users@tomcat.apache.org Subject: Re: Query: HSTS | Tomcat 9.0.50 On 16.01.23 06:57, Deepti Sharma S wrote: > Hello Team, > > Can you please help us for below query: > > Query : How to enable HSTS in Apache Tomcat on non-default ports? > We have custom ports for http and https and we want to enable HSTS on > those custom ports. > > Note: We could see HSTS is working with default ports 80/443 though it's not > working on other custom ports, please let us know if there are different > steps to enable HSTS on non-default ports. > In order to "work", HSTS *must* be on https, by specification. When you say you got it working on 80/443, you haven't. You might see the headers, but it's not working. Most likely the header is ignored by the browser. Whereever you handle your https termination - that might be on Tomcat, or on a reverse proxy that sees traffic before Tomcat does - you'll best do the HSTS handling. /That/ server knows it's serving https. And there the header actually is valid and working. If you try to configure a http (not https) connector on Tomcat for adding the HSTS headers, it's well within the specification to ignore that setting. Technically you can do some trickery around that, but to make that sensible and safely would take more than a quick answer. And leave room for misinterpretation and configuration mistakes. So: Configure it anyhwere you terminate https, and ignore it on http. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Query: HSTS | Tomcat 9.0.50
On 16.01.23 06:57, Deepti Sharma S wrote: Hello Team, Can you please help us for below query: Query : How to enable HSTS in Apache Tomcat on non-default ports? We have custom ports for http and https and we want to enable HSTS on those custom ports. Note: We could see HSTS is working with default ports 80/443 though it's not working on other custom ports, please let us know if there are different steps to enable HSTS on non-default ports. In order to "work", HSTS *must* be on https, by specification. When you say you got it working on 80/443, you haven't. You might see the headers, but it's not working. Most likely the header is ignored by the browser. Whereever you handle your https termination - that might be on Tomcat, or on a reverse proxy that sees traffic before Tomcat does - you'll best do the HSTS handling. /That/ server knows it's serving https. And there the header actually is valid and working. If you try to configure a http (not https) connector on Tomcat for adding the HSTS headers, it's well within the specification to ignore that setting. Technically you can do some trickery around that, but to make that sensible and safely would take more than a quick answer. And leave room for misinterpretation and configuration mistakes. So: Configure it anyhwere you terminate https, and ignore it on http. Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
