Re: Tomcat/manager/ disable redirect from HTTPS to HTTP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hans, On 10/15/18 03:17, Hans Schou wrote: > On Fri, 12 Oct 2018 at 14:12, Mark Thomas > wrote: > >> >> For the HTTP connector processing proxied traffic originally >> received over HTTPS you want: SSLEnabled="false" scheme="https" >> secure="true" >> > > Thanks, this one is working exactly as expected: > > connectionTimeout="2" SSLEnabled="false" scheme="https" > secure="true" /> > > A bonus is that I now got forced use of SSL. Note that port 8080 being TLS might be "surprising" to some clients. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlvInk4ACgkQHPApP6U8 pFjJhQ/9Em7SIjQY1EYUHdQQJHJlDKpF6leMw9eRgTZBsQm6KpjN7mHPxWSjnM6/ mlagtyAkKbC43k+a5oqn/NIPsCSGoLCT3aHR/ZkAktxc8D4Fckl9nzBvjAyKq3+E w2bfE6DrNeLefRNEyAYLoEXq4A/GlAP9MudZELtW9M+U1dzN9BdKfMVmE7qznESG kxg3cvoMb/cmn4jRjHvPfd9wN6bDT02JUOrQzxqMyqQXvdDbrn7iWVYE9R5Q6Tc4 21ZtqIglwO8p1GUll2hz1amnMLSl1nWdwQ0Li1Iy5q3nSZ4at+Q5EYHlSagAtd0h Vj4dAIDZZeONrHi3368cI2BFYtlo4SReczpAtubZ1CJaucHQ/evJ5AT1XPvXymav KaoFSzl8k5a8b+rYjRC0YOgcZRWCm89aqPGeps6fABHfe+86CNGIXH4l4whSyOJm +ObdbSiYDKmGeokuJYnh4RRrThZf7EbQTJya6dJE7za4JRZ6Qh7Ayah7X1MZzcZC x/wxKkORjhBYxIJUIjX0DBv/MsSzzkS1OH76mZXSu91hVKnpr5QDBxMvEFuJ7Tv5 oJGk/Y1JWsLaQTQN9Jj6alQTTqxnusHoguVMcm1NqAwC3D+bO1XXBq+CURcbKx6x Sfu/KOzHMedQiZOVBSDVNF1k0k5UsyVfM5+T9rZCR0lsHcRqCz4= =8bbY -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat/manager/ disable redirect from HTTPS to HTTP
On Fri, 12 Oct 2018 at 14:12, Mark Thomas wrote: > > For the HTTP connector processing proxied traffic originally received > over HTTPS you want: > SSLEnabled="false" > scheme="https" > secure="true" > Thanks, this one is working exactly as expected: A bonus is that I now got forced use of SSL. -- Venlig hilsen - best regards Hans Schou
Re: Tomcat/manager/ disable redirect from HTTPS to HTTP
On 12/10/18 12:18, Hans Schou wrote: > Hi > > I have a Tomcat 8.5 with Java 1.8 on Windows with Nginx reverse proxy. > > When I access https://joe:p4zzw...@example.org/manager/ the request goes to > Nginx, which proxy_pass it to http://srv321.local:8080/ > > Authentication appears right away but the first response from Tomcat is > Location: http://example.org/manager/html?NONCE... > note the SSL has been cut off. Since Nginx is switching from HTTPS->HTTP on the way in, my initial expectation would be that Nginx should switch from HTTP->HTTPS on the way back out. Note that it isn't quite as simple as 'just' switching the protocol. Nginx also needs to take account of things like setting the secure attribute on any cookies. You can configure your way around this on Tomcat. To ensure a secure configuration, you need to ensure that any traffic proxied via Nginx received over HTTPS and any traffic proxied via Nginx received over HTTP (if any) go to separate HTTP connectors on Tomcat. For the HTTP connector processing proxied traffic originally received over HTTPS you want: SSLEnabled="false" scheme="https" secure="true" For the HTTP connector processing proxied traffic originally received over HTTP you want: SSLEnabled="false" scheme="http" secure="false" Mark > > I can then manually go to the URL and change 'http' to 'https' and then it > works fine with SSL all the way around. > > The location redirect has been seen on the network with "tcpdump -X", to > make sure it was not Nginx which was redirecting something. > > In webapps/WEB-INF/web.xml I have tried add: > > > HTTPSOnly > /* > > > CONFIDENTIAL > > > but that did not work either. > > Is there a way to avoid being redirected from HTTPS to HTTP? > > Thanks. > > -- > > Venlig hilsen - best regards > > Hans Schou > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
