    <Connector port="8080" protocol="HTTP/1.1"
               acceptorThreadCount="2"
               acceptCount="20"
               maxConnections="200"
               maxThreads="200"
               minSpareThreads="10"
               scheme="https"
               proxyPort="443"
               redirectPort="8443" />

    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->



-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Wednesday, August 31, 2022 11:03 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

On 31/08/2022 15:36, Yanhua Wusands wrote:
> We are using TOMCAT 9.0.40 on linux, and are trying setup 
> Strict-Transport-Security per requirement from our security team.
> 
> We followed this note:
> https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html
> 
> Changed $CATALINA_HOME/conf/web.xml
> 
> With:
> 
>     <filter>
>         <filter-name>httpHeaderSecurity</filter-name>
>         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>         <async-supported>true</async-supported>
>         <init-param>
>             <param-name>hstsEnabled</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>hstsMaxAgeSeconds</param-name>
>             <param-value>31556927</param-value>
>         </init-param>
>     </filter>
> 
> And uncommented:
>      <filter-mapping>
>          <filter-name>httpHeaderSecurity</filter-name>
>          <url-pattern>/*</url-pattern>
>          <dispatcher>REQUEST</dispatcher>
>      </filter-mapping>
> 
> After we restarted TOMCAT APACHE, we still couldn't see 
> Strict-Transport-Security using following curl cmd:
> 
> curl -i -s https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home | grep -i Strict-Transport-Security
> 
> I am reaching out to see if there are any additional steps that need to be done
> to set up this security flag.

Please provide the Connector element(s) (with sensitive data like passwords 
masked) from your $CATALINA_BASE/conf/server.xml file.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
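Added example for the HSTS setup discussed in this thread (not code from the thread or from Tomcat itself): an offline audit of server.xml and web.xml based on the documented behaviour that HttpHeaderSecurityFilter only adds Strict-Transport-Security to requests for which request.isSecure() is true, so a plain-HTTP connector sitting behind a TLS-terminating proxy needs secure="true" in addition to scheme="https" and proxyPort="443". The sample XML, port numbers and function names are constructed for the example.

```python
# HttpHeaderSecurityFilter emits Strict-Transport-Security only for secure requests, so a
# plain-HTTP connector behind a TLS-terminating proxy must also set secure="true".
import xml.etree.ElementTree as ET

# Constructed server.xml: 8080 mirrors the poster's connector, 8081 is the corrected proxy
# connector, 8443 terminates TLS inside Tomcat itself.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" scheme="https" proxyPort="443"/>
  <Connector port="8081" protocol="HTTP/1.1" scheme="https" proxyPort="443" secure="true"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
</Service></Server>"""

# Constructed web.xml fragment carrying the filter and mapping from the thread.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31556927</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

def hsts_filter_enabled(web_xml):
    """True if HttpHeaderSecurityFilter is declared with hstsEnabled=true and is mapped."""
    root = ET.fromstring(web_xml)
    ns = root.tag[:root.tag.find("}") + 1]  # '{uri}' for a namespaced web.xml, else ''
    mapped = {m.findtext(ns + "filter-name") for m in root.iter(ns + "filter-mapping")}
    for f in root.iter(ns + "filter"):
        if f.findtext(ns + "filter-class") != "org.apache.catalina.filters.HttpHeaderSecurityFilter":
            continue
        params = {p.findtext(ns + "param-name"): p.findtext(ns + "param-value")
                  for p in f.iter(ns + "init-param")}
        enabled = (params.get("hstsEnabled") or "false").strip().lower() == "true"
        if enabled and f.findtext(ns + "filter-name") in mapped:
            return True
    return False

def insecure_https_connectors(server_xml):
    """Ports of connectors that advertise https while request.isSecure() would stay false."""
    flagged = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        a = c.attrib
        terminates_tls = a.get("SSLEnabled", "false").lower() == "true"
        marked_secure = a.get("secure", "false").lower() == "true"
        if a.get("scheme") == "https" and not (terminates_tls or marked_secure):
            flagged.append(a.get("port", "?"))
    return flagged
```

A connector reported by insecure_https_connectors() explains a missing header even when hsts_filter_enabled() is true, which is the symptom described in the thread.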