Re: Tomcat Redirect Port 80 to 443 and Block OPTIONS HTTP Method

Fri, 07 Oct 2022 10:58:42 -0700 

On 07/10/2022 18:09, Bhavesh Mistry wrote:

Hi Tomcat Team,

We have a unique situation.  We wanted to block ALL *OPTIONALS* HTTP method
on port 80 and 443.

We have connector definitions as follows:


     <Connector executor="tomcatThreadPool"
                port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="8443" />
     -->
     -->
     <Connector port="${tomcat.secure.port}"
protocol="org.apache.coyote.http11.Http11NioProtocol"
                relaxedPathChars="[\\]^`{|}" relaxedQueryChars="[\\]^`{|}"
                address="${tomcat.address}" minSpareThreads="100"
  maxThreads="200" SSLEnabled="true"
                scheme="https" secure="true" maxSwallowSize="-1"
maxPostSize="-1">
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
readTimeout="50000" streamReadTimeout ="-1" streamWriteTimeout="-1"
         overheadContinuationThreshold="0" overheadDataThreshold="0"
overheadWindowUpdateThreshold="0"/>

     </Connector>

and we have an application filter to block and return 405.  This works for
HTTPS port 443.  But request going to HTTP port 80 always get redirected
regardless of the method.

curl -i -k -X OPTIONS http://10.43.243.8/versa/
*HTTP/1.1 302*
Cache-Control: private
Location: https://10.43.243.8/versa/
Content-Length: 0
Date: Fri, 07 Oct 2022 16:58:27 GMT
Server: Versa Director

curl -i -k -X OPTIONS https://10.43.243.8/versa/
*HTTP/2 405*
cache-control: private
content-length: 0
date: Fri, 07 Oct 2022 16:58:51 GMT

We wanted to block OPTIONS on port 80 as well, it seems to me that tomcat
internally  (via connector) redirects requests without application code.
How can I achieve blocking OPTIONS, TRACE, and CONNECT  HTTP methods on
port 80 while redirect is ON for the connector?

Any pointers or help is greatly appreciated.
Tomcat only redirects http to https as the result of an application defined transport-guarantee element in web.xml. 

Security constraints get processed before Filters.

You can't change the either of the above.
What you could do, is remove the transport-guarantee from web.xml and perform the http to https redirect in your Filter. Then you'd have the option to return 405 instead of the redirect. 

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to