Hi Christoph

Maybe I didn't explain my question properly. What we have is a single
web application running on HTTPS port 7070. This port is configured for
HTTPS connections only, and that is the reason there is a single connector.
What we are seeing is that if, by mistake or intentionally, the user types
http://localhost:7070/myapp instead of https://localhost:7070/myapp,
content with some garbled data gets downloaded. The question is
whether I can prevent the garbled data and, if so, how I can do that.

Thanks for all the help




On Mon, Mar 28, 2016 at 7:15 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Amey,
>
> On 3/28/16 3:54 AM, Amey Rokde wrote:
> > Dear Community
> >
> > We are using the apache-tomcat-7.0.55 and have configured only one
> > SSL connector (7070).
> >
> > The SSL connection (https) works properly and I am able to fetch
> > the request. But if we make an http request we get garbled data
> > downloaded in the browser.
>
> This is expected behavior.
>
> > I tried searching over the net but the information available is
> > more about redirect and things around it. What I want is to prevent
> > this garbled data and get more of an HTTP 404 Not Found.
>
> Then you need to make an HTTP connection, not an HTTPS one. It's easy
> to configure an HTTP connector that redirects to HTTPS.
>
> > Getting this garbled data is considered more or less a security
> > leak.
>
> Considered a security leak by whom? There is no information leakage.
> There are no secrets being transmitted. This is an inconvenience to
> the user that you can easily remedy.
>
> > I am attaching the sample server.xml of Tomcat.
>
> Thanks, but it wasn't relevant (other than to confirm that you weren't
> configuring an HTTPS connector on a standard HTTP port such as 80).
>
> > Please advise what needs to be done.
>
> If you want your users to get a 404, then you should listen on port 80
> (for HTTP) and return 404 for all requests. If you want to do better
> than that, you should listen on port 80 (for HTTP) and redirect all
> requests to the secure port.
>
> > PS: the higher Tomcat versions, namely apache-tomcat-8.0.32, do not
> > show the above behaviour.
>
> It should behave exactly the same way.
>
> -chris

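The redirect setup suggested in the quoted reply, as an added example that is not part of the original thread or the poster's configuration: a plain HTTP connector on port 80 whose redirectPort points at the existing HTTPS connector on 7070, plus the web.xml constraint that makes Tomcat issue the redirect. The keystore path and password are placeholders, and the HTTPS connector attributes are assumed rather than taken from the attached server.xml.

```xml
<!-- conf/server.xml (fragment, inside the <Service> element) -->

<!-- Plain HTTP listener. It serves no application content over HTTP once
     the constraint below is in place; requests are sent to redirectPort. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="7070" />

<!-- Existing HTTPS connector on 7070 (attribute values assumed;
     keystoreFile and keystorePass are placeholders). -->
<Connector port="7070" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/PLACEHOLDER-keystore.jks"
           keystorePass="PLACEHOLDER-password" />


<!-- WEB-INF/web.xml of the application (fragment, inside <web-app>) -->

<!-- redirectPort alone does nothing. Tomcat redirects only when a request
     arrives on a non-secure connector for a resource that requires
     CONFIDENTIAL transport. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

With this in place http://localhost/myapp is redirected to https://localhost:7070/myapp. A plain HTTP request sent directly to port 7070 still reaches the TLS connector, which is the behaviour the reply describes as expected.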