On Mon, Oct 16, 2017 at 10:25 PM, Carter Sema <[email protected]> wrote:
> I checked my Apache folders and my only site-enabled is my tomcat one, and
> just to be safe, I deleted the default ones in sites-available, rebooted
> apache2 and reloaded, still no luck. I can actually access HTTP content
> such as Guac (not static default tomcat sites) and it works. Any other
> tricks or ideas?
>

Nothing off the top of my head - clearly something else there is still servicing the traffic on port 80, but I'm not able to spot what it is in the configs you've posted.

> Do I need to enable Rewrite? The only reason I ask, is because on my other
> ubuntu-apache2-tomcat8 box, I don't have Rewrite enabled, and it works.
>

I think you should be able to do it without rewrite and with alias, using the Redirect permanent line you have. According to docs, the Redirect directive is part of mod_alias, so you should only need to enable mod_alias and then put that Redirect permanent / https://<host>/ line in there.

> I ended up doing what you suggested and blocking my traffic to port 80. As
> a fix for right now, eventually I will go back and investigate more. As you
> said, it's not pretty, but it restricts unwanted access on unsecured ports.
> I'm pretty new to linux in general but quickly learning, is blocking the
> port 80/8080 just as secure as forcing a redirect to https?
>

It's certainly no less secure than forcing a redirect - it might be slightly more secure than allowing port 80 through and forcing the redirect, since it's truly blocking all non-SSL/TLS traffic, so there's not anything unencrypted that will get by. Based on your setup, proxying through Apache httpd, I would *definitely* block port 8080 and 8009 from the outside world - my usual practice is to reconfigure Tomcat to only listen on 127.0.0.1 so that the 8080/8009 traffic remains internal to the host, and httpd (or nginx when I use that) is handling all of the requests coming in from the network.

-Nick
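One way to check the loopback-only practice described in the reply above, as an added example that is not part of the original thread: the function reads `ss -ltnH` output and reports any listener on 8080 or 8009 whose bind address is not loopback. The function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Tomcat backend listeners (8080 HTTP, 8009 AJP) that are
# bound to a non-loopback address. Reads `ss -ltnH` output on stdin.
# Prints "<port> <bind address>" per finding; returns 1 if anything is exposed.
exposed_backend_listeners() {
    awk -v ports="${1:-8080 8009}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 != "LISTEN" { next }                  # skips a header line if -H was not used
    {
        port = $4; sub(/.*:/, "", port)      # column 4 is Local Address:Port
        host = $4; sub(/:[^:]*$/, "", host)
        sub(/^\[/, "", host); sub(/\]$/, "", host)   # strip IPv6 brackets
        sub(/%.*$/, "", host)                # strip interface scope such as %lo
        if (!(port in watch)) next
        # 127.0.0.0/8, ::1 and IPv4-mapped loopback stay internal to the host
        if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
        print port " " host
        found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample input (not captured from a real host).
sample_ss_output() {
    if [ "$1" = "loopback" ]; then
        cat <<'EOF'
LISTEN 0 511 *:443 *:*
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 100 [::ffff:127.0.0.1]:8009 *:*
EOF
    else
        cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 100 [::]:8009 [::]:*
LISTEN 0 1 [::ffff:127.0.0.1]:8005 *:*
EOF
    fi
}

# Demo on the constructed data; on a live host: ss -ltnH | exposed_backend_listeners
sample_ss_output exposed | exposed_backend_listeners \
    || echo "backend listener(s) above are reachable from the network"
```

A clean result only shows the bind address; a firewall rule blocking 8080/8009 does not change what `ss` reports, so the two controls are checked separately.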
