Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-10 Thread Christopher Schultz

Martynas,

On 10/6/18 06:31, Martynas Jusevičius wrote:
> see also this thread:
> https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%3Ccae35vmwcm9dkxmvabofgjb5d_oa07a6mrjxwcgknksbzgjh...@mail.gmail.com%3E
>
> I did this with front nginx eventually.

In this case, Ettra is wanting to make an HTTP request to an HTTPS
service, which usually just fails to establish a TLS handshake.

Instead of failing, Ettra would prefer to have Tomcat respond with an
HTTP response with no encryption. This is how Apache httpd currently
behaves:

=== CUT ===

$ telnet localhost 443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /
Host: localhost
HTTP/1.1 400 Bad Request
Date: Wed, 10 Oct 2018 14:52:08 GMT
Server: Apache/2
Content-Length: 432
Connection: close
Content-Type: text/html; charset=iso-8859-1



400 Bad Request

Bad Request
Your browser sent a request that this server could not
understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
 Instead use the HTTPS scheme to access this URL, please.


Apache/2 Server at phobos.chadis.com Port 443

Connection closed by foreign host.

=== CUT ===

Tomcat will simply close the connection in its current implementation.

-chris

> On Sat, Oct 6, 2018 at 7:29 AM ettra lancelot wrote:
>>
>> Thank you for the detailed answer, Chris.
>>
>> On Sat, Oct 6, 2018 at 2:41 AM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Etcy,
>>>
>>> On 10/5/18 14:57, ettra lancelot wrote:
>>>> I would like to know whether it's possible to configure
>>>> tomcat to automatically redirect to the https URL when
>>>> https port is accessed using http scheme instead of https.
>>>
>>> There is no way to get Tomcat to do this for you right now.
>>>
>>> There is, however, the possibility of adding such a feature to
>>> Tomcat.
>>>
>>> If you make an HTTP request to Apache httpd on a TLS-enabled port,
>>> you'll get a response that says "Looks like you made a mistake".
>>>
>>> In the past, that would have been a huge pain in the neck for
>>> Tomcat, since the TLS handshake was handled *entirely* by the
>>> underlying crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that
>>> code has been re-written and Tomcat is buffering everything
>>> internally and probing the handshake, etc.
>>>
>>> It should therefore be possible to respond in the way you
>>> describe, but I'm not sure how much appetite there is for issuing a
>>> redirect rather than just an informational page such as the one
>>> httpd returns.
>>>
>>> Unfortunately, Bill is incorrect when he says that you can write a
>>> Filter for this. No application code will ever see a connection
>>> over a connection which failed a TLS handshake.
>>>
>>> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
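
Added example (not part of the thread, and not Tomcat or httpd code): a sketch of the "probing the handshake" idea discussed above, classifying the first bytes received on a TLS port and building either an httpd-style cleartext 400 or a redirect. The function names, the `server_name` parameter and the sample bytes are assumptions made for illustration.

```python
# Added example: classify the first bytes seen on a TLS port and, for plaintext
# HTTP, build the cleartext reply to send before closing the connection.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"TRACE ", b"CONNECT ")

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http', 'need-more' or 'unknown'."""
    if not data:
        return "need-more"
    if data[0] == 0x16:  # TLS record content type 22 = handshake
        if len(data) < 3:
            return "need-more"
        # Record-layer version bytes: 0x03 followed by 0x00..0x04.
        return "tls" if data[1] == 0x03 and data[2] <= 0x04 else "unknown"
    for method in HTTP_METHODS:
        if data.startswith(method):
            return "http"
        if method.startswith(data):  # only part of a method token so far
            return "need-more"
    return "unknown"

def cleartext_reply(data: bytes, server_name: str, port: int, redirect: bool = False):
    """Bytes to send unencrypted, or None when the peer is not speaking HTTP."""
    if classify_first_bytes(data) != "http":
        return None
    body = b""
    if redirect:
        # The target comes from the request line; the host comes from
        # configuration (assumed parameter), never from the Host header.
        parts = data.splitlines()[0].split()
        raw = parts[1] if len(parts) >= 2 else b"/"
        safe = raw.startswith(b"/") and all(0x21 <= c <= 0x7E for c in raw)
        target = raw.decode("ascii") if safe else "/"
        head = ("HTTP/1.1 301 Moved Permanently\r\n"
                f"Location: https://{server_name}:{port}{target}\r\n")
    else:
        body = b"You're speaking plain HTTP to an SSL-enabled server port.\n"
        head = "HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n"
    head += f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n"
    return head.encode("ascii") + body

# Constructed sample inputs (not captured traffic).
PLAIN_HTTP = b"GET /app HTTP/1.1\r\nHost: localhost\r\n\r\n"
CLIENT_HELLO_START = bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])

if __name__ == "__main__":
    for sample in (PLAIN_HTTP, CLIENT_HELLO_START, b"GE"):
        print(classify_first_bytes(sample), cleartext_reply(sample, "example.test", 8443))
```

With either reply, the original request, including any cookies or credentials in it, has already crossed the network unencrypted by the time the server answers.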



Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-06 Thread Martynas Jusevičius
Ettra,

see also this thread:
https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%3ccae35vmwcm9dkxmvabofgjb5d_oa07a6mrjxwcgknksbzgjh...@mail.gmail.com%3E

I did this with front nginx eventually.

On Sat, Oct 6, 2018 at 7:29 AM ettra lancelot wrote:
>
> Thank you for the detailed answer, Chris.
>
> On Sat, Oct 6, 2018 at 2:41 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> >
> > Etcy,
> >
> > On 10/5/18 14:57, ettra lancelot wrote:
> > > I would like to know whether it's possible to configure tomcat to
> > > automatically redirect to the https URL when https port is accessed
> > > using http scheme instead of https.
> >
> > There is no way to get Tomcat to do this for you right now.
> >
> > There is, however, the possibility of adding such a feature to Tomcat.
> >
> > If you make an HTTP request to Apache httpd on a TLS-enabled port,
> > you'll get a response that says "Looks like you made a mistake".
> >
> > In the past, that would have been a huge pain in the neck for Tomcat,
> > since the TLS handshake was handled *entirely* by the underlying
> > crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that code has been
> > re-written and Tomcat is buffering everything internally and probing
> > the handshake, etc.
> >
> > It should therefore be possible to respond in the way you describe,
> > but I'm not sure how much appetite there is for issuing a redirect
> > rather than just an informational page such as the one httpd returns.
> >
> > Unfortunately, Bill is incorrect when he says that you can write a
> > Filter for this. No application code will ever see a connection over a
> > connection which failed a TLS handshake.
> >
> > -chris




Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-05 Thread ettra lancelot
Thank you for the detailed answer, Chris.

On Sat, Oct 6, 2018 at 2:41 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Etcy,
>
> On 10/5/18 14:57, ettra lancelot wrote:
> > I would like to know whether it's possible to configure tomcat to
> > automatically redirect to the https URL when https port is accessed
> > using http scheme instead of https.
>
> There is no way to get Tomcat to do this for you right now.
>
> There is, however, the possibility of adding such a feature to Tomcat.
>
> If you make an HTTP request to Apache httpd on a TLS-enabled port,
> you'll get a response that says "Looks like you made a mistake".
>
> In the past, that would have been a huge pain in the neck for Tomcat,
> since the TLS handshake was handled *entirely* by the underlying
> crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that code has been
> re-written and Tomcat is buffering everything internally and probing
> the handshake, etc.
>
> It should therefore be possible to respond in the way you describe,
> but I'm not sure how much appetite there is for issuing a redirect
> rather than just an informational page such as the one httpd returns.
>
> Unfortunately, Bill is incorrect when he says that you can write a
> Filter for this. No application code will ever see a connection over a
> connection which failed a TLS handshake.
>
> -chris


Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-05 Thread Christopher Schultz

Etcy,

On 10/5/18 14:57, ettra lancelot wrote:
> I would like to know whether it's possible to configure tomcat to
> automatically redirect to the https URL when https port is accessed
> using http scheme instead of https.

There is no way to get Tomcat to do this for you right now.

There is, however, the possibility of adding such a feature to Tomcat.

If you make an HTTP request to Apache httpd on a TLS-enabled port,
you'll get a response that says "Looks like you made a mistake".

In the past, that would have been a huge pain in the neck for Tomcat,
since the TLS handshake was handled *entirely* by the underlying
crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that code has been
re-written and Tomcat is buffering everything internally and probing
the handshake, etc.

It should therefore be possible to respond in the way you describe,
but I'm not sure how much appetite there is for issuing a redirect
rather than just an informational page such as the one httpd returns.

Unfortunately, Bill is incorrect when he says that you can write a
Filter for this. No application code will ever see a connection over a
connection which failed a TLS handshake.

-chris



Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-05 Thread Bill Harrelson
Well, not a configuration, you could write and register a filter that 
sends a re-direct.


You have to do something similar to this (but in reverse):
https://stackoverflow.com/questions/9389211/using-filters-to-redirect-from-https-to-http

On 10/5/2018 3:23 PM, Gillett, Phil wrote:

Hello:
   Perfect timing!!
   I've been assigned at my job to apply something similar with Tomcat and 
Footprints 12, and have had some issues.
   I hope someone has a solution, and I thank you in advance!

Phil G.

-Original Message-
From: ettra lancelot 
Sent: Friday, October 5, 2018 1:57 PM
To: users@tomcat.apache.org
Subject: Redirecting to https URL when https port is accessed with http scheme

Hi,

I would like to know whether it's possible to configure tomcat to automatically 
redirect to the https URL when https port is accessed using http scheme instead 
of https.

For example, say I have configured an ssl connector on port 8443, if I access 
the connector using http scheme (eg: http://localhost:8443) instead of using 
https scheme, I'm receiving some meaningless characters  (refer [1]). Instead, 
is it possible to make an automatic redirection to the https url (eg: 
https://localhost:8443) ?

Few details about the setup.

- Tomcat version - 7.0.85
- SSL connector is configured on port 8443



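- Added the following security-constraint to web.xml

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>HTTPSOnly</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>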

[1] - https://i.stack.imgur.com/1LVq7.png

Thank you,
Etcy.




RE: Redirecting to https URL when https port is accessed with http scheme

2018-10-05 Thread Gillett, Phil
Hello:
  Perfect timing!!
  I've been assigned at my job to apply something similar with Tomcat and 
Footprints 12, and have had some issues.
  I hope someone has a solution, and I thank you in advance!

Phil G.

-Original Message-
From: ettra lancelot  
Sent: Friday, October 5, 2018 1:57 PM
To: users@tomcat.apache.org
Subject: Redirecting to https URL when https port is accessed with http scheme

Hi,

I would like to know whether it's possible to configure tomcat to automatically 
redirect to the https URL when https port is accessed using http scheme instead 
of https.

For example, say I have configured an ssl connector on port 8443, if I access 
the connector using http scheme (eg: http://localhost:8443) instead of using 
https scheme, I'm receiving some meaningless characters  (refer [1]). Instead, 
is it possible to make an automatic redirection to the https url (eg: 
https://localhost:8443) ?

Few details about the setup.

- Tomcat version - 7.0.85
- SSL connector is configured on port 8443



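- Added the following security-constraint to web.xml

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>HTTPSOnly</web-resource-name>
     <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>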

[1] - https://i.stack.imgur.com/1LVq7.png

Thank you,
Etcy.