On 12/10/18 12:18, Hans Schou wrote:
> Hi
> 
> I have a Tomcat 8.5 with Java 1.8 on Windows with Nginx reverse proxy.
> 
> When I access https://joe:p4zzw...@example.org/manager/ the request goes to
> Nginx, which proxy_pass it to http://srv321.local:8080/
> 
> Authentication appears right away but the first response from Tomcat is
>   Location: http://example.org/manager/html?....NONCE...
> note the SSL has been cut off.

Since Nginx is switching from HTTPS->HTTP on the way in, my initial
expectation would be that Nginx should switch from HTTP->HTTPS on the
way back out.

Note that it isn't quite as simple as 'just' switching the protocol.
Nginx also needs to take account of things like setting the secure
attribute on any cookies.

You can configure your way around this on Tomcat. To ensure a secure
configuration, you need to ensure that any traffic proxied via Nginx
received over HTTPS and any traffic proxied via Nginx received over HTTP
(if any) go to separate HTTP connectors on Tomcat.

For the HTTP connector processing proxied traffic originally received
over HTTPS you want:
SSLEnabled="false"
scheme="https"
secure="true"

For the HTTP connector processing proxied traffic originally received
over HTTP you want:
SSLEnabled="false"
scheme="http"
secure="false"

Mark

> 
> I can then manually go to the URL and change 'http' to 'https' and then it
> works fine with SSL all the way around.
> 
> The location redirect has been seen on the network with "tcpdump -X", to
> make sure it was not Nginx which was redirecting something.
> 
> In webapps/WEB-INF/web.xml I have tried adding:
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>HTTPSOnly</web-resource-name>
>         <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
> </security-constraint>
> but that did not work either.
> 
> Is there a way to avoid being redirected from HTTPS to HTTP?
> 
> Thanks.
> 
> --
> 
> Venlig hilsen - best regards
> 
> Hans Schou
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
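
The two-connector setup described in the reply, written out as an added example (not part of the original thread, and not configuration posted by either participant). Port 8081 and the placement inside the default `Catalina` service are assumptions; 8080 is the port from the question.

```xml
<!-- Added example: fragment of conf/server.xml, inside <Service name="Catalina">. -->
<!-- Port 8081 is an assumption; 8080 is the port from the question. -->

<!-- Proxied traffic that Nginx received over HTTP
     (only needed if plain HTTP is offered at all). -->
<Connector port="8080" protocol="HTTP/1.1"
           SSLEnabled="false"
           scheme="http"
           secure="false" />

<!-- Proxied traffic that Nginx received over HTTPS.
     The hop from Nginx is still plain HTTP (SSLEnabled="false"), but Tomcat
     reports the request as https and secure: redirects are built with
     https://, session cookies get the Secure attribute, and a CONFIDENTIAL
     transport-guarantee is treated as satisfied.
     Tomcat trusts every request on this port to have arrived over HTTPS,
     so only the proxy should be able to reach it. -->
<Connector port="8081" protocol="HTTP/1.1"
           SSLEnabled="false"
           scheme="https"
           secure="true" />
```

With this layout, the Nginx server block that terminates HTTPS would proxy_pass to port 8081, and a plain-HTTP server block (if one exists) to port 8080.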
