<Connector port="8080" protocol="HTTP/1.1"
           acceptorThreadCount="2" acceptCount="20"
           maxConnections="200" maxThreads="200" minSpareThreads="10"
           scheme="https" proxyPort="443" redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation. The default
     SSLImplementation will depend on the presence of the APR/native
     library and the useOpenSSL attribute of the AprLifecycleListener.
     Either JSSE or OpenSSL style configuration may be used regardless of
     the SSLImplementation selected. JSSE style configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
     This connector uses the APR/native implementation which always uses
     OpenSSL for TLS.
     Either JSSE or OpenSSL style configuration may be used. OpenSSL style
     configuration is used below.
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
           address="::1"
           port="8009"
           redirectPort="8443" />
-->

-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, August 31, 2022 11:03 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

On 31/08/2022 15:36, Yanhua Wusands wrote:
> We are using TOMCAT 9.0.40 on linux, and are trying to set up
> Strict-Transport-Security per requirement from our security team.
>
> We followed this note:
> https://urldefense.com/v3/__https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5iy8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-UbrvgSvSAepZe_e-U8$
>
> Changed $CATALINA_HOME/conf/web.xml
>
> With:
>
> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
>     <init-param>
>         <param-name>hstsEnabled</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>hstsMaxAgeSeconds</param-name>
>         <param-value>31556927</param-value>
>     </init-param>
> </filter>
>
> And uncommented:
>
> <filter-mapping>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
>
> After we restarted TOMCAT APACHE, we still couldn't see
> Strict-Transport-Security using the following curl cmd:
>
> curl -i -s https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-UbrvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security
>
> I am reaching out to see if there are any additional steps that need to be done for
> setting up this security flag.

Please provide the Connector element(s) (with sensitive data like passwords
masked) from your $CATALINA_BASE/conf/server.xml file.

Mark
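As an added example (not part of the thread and not Tomcat's own code), the check below encodes the rule HttpHeaderSecurityFilter applies: Strict-Transport-Security is added only when hstsEnabled is true and request.isSecure() is true, and on a plain HTTP/1.1 Connector that flag comes from the secure attribute (a Connector with SSLEnabled="true" is secure automatically; scheme="https" alone is not enough). The server.xml fragments and the curl output are constructed to mirror the configuration posted above.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the thread's Connector: scheme="https"
# and proxyPort="443" are set, but there is no secure attribute.
SERVER_XML_AS_POSTED = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" maxThreads="200"
           scheme="https" proxyPort="443" redirectPort="8443" />
</Service></Server>"""

# Constructed variant with secure="true", the attribute that makes request.isSecure()
# true on a non-TLS Connector that only receives traffic from a TLS-terminating proxy.
SERVER_XML_WITH_SECURE = SERVER_XML_AS_POSTED.replace(
    'scheme="https"', 'scheme="https" secure="true"')

# Constructed curl -i output from a server whose filter is emitting the header.
SAMPLE_RESPONSE = ("HTTP/1.1 200 \r\nStrict-Transport-Security: max-age=31556927\r\n"
                   "Content-Type: text/html;charset=UTF-8\r\n\r\n")

def _is_true(value):
    return (value or "").strip().lower() == "true"

def connector_is_secure(attrs):
    """Tomcat's rule: a TLS Connector is secure; a plain one only if secure="true".
    scheme="https" changes request.getScheme() but not request.isSecure()."""
    return _is_true(attrs.get("SSLEnabled")) or _is_true(attrs.get("secure"))

def hsts_report(server_xml, hsts_enabled=True):
    """Map each Connector port to whether HttpHeaderSecurityFilter would add HSTS.
    Caveat: a RemoteIpValve honouring X-Forwarded-Proto can also mark a request
    secure; that path is not modelled here."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): hsts_enabled and connector_is_secure(c.attrib)
            for c in root.iter("Connector")}

def hsts_max_age(raw_response):
    """Parse curl -i style headers; return max-age as an int, or None if absent."""
    for line in raw_response.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.strip().lower() == "max-age":
                    return int(val.strip())
    return None

if __name__ == "__main__":
    print(hsts_report(SERVER_XML_AS_POSTED))    # {'8080': False}
    print(hsts_report(SERVER_XML_WITH_SECURE))  # {'8080': True}
    print(hsts_max_age(SAMPLE_RESPONSE))        # 31556927
```

Run it against a real server.xml by reading the file into the first argument of hsts_report; for the header check, pipe the output of `curl -i -s` into hsts_max_age.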