Hello,
Which browser are you using?
Can you clear the hsts information in the browser after changing the port in
your configuration?
I think browsers cache the hsts and port Informationen and don't switch to
other ports with hsts.
Greetings, Thomas
________________________________
Von: Deepti Sharma S <deepti.s.sha...@ericsson.com.INVALID>
Gesendet: Dienstag, 17. Januar 2023 05:00:35
An: Tomcat Users List
Betreff: RE: Query: HSTS | Tomcat 9.0.50
Hi Olaf,
Let me explain more on my use-case :
1. There is no reverse proxy in between tomcat and UA in my use case.
2. In Tomcat/conf/server.xml I have below connector settings :
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
When I configure HSTS in Tomcat/conf/web.xml and try to access website via
HTTPS https://[domain]:8443, HSTS header is returned but ignored
as in when I change URL to http://[domain]:8080 URL is not changed to secured
URL.
3. When I change conf/server.xml with below connector settings along with HSTS :
<Connector executor="tomcatThreadPool"
port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Try to access website via HTTPS https://[domain]:433 URL is changed to
https://[domain],
HSTS header is returned and honoured as in when I change URL to
http://[domain]:80 URL is changed to secured URL https://[domain].
So my query is how to configure HSTS on explicit custom ports(like in my case
mentioned in point 2 8080/8443) or what is the recommendation, please suggest?
Regards,
Deepti Sharma
PMPĀ® & ITIL
-----Original Message-----
From: Olaf Kock <tom...@olafkock.de>
Sent: 16 January 2023 13:56
To: users@tomcat.apache.org
Subject: Re: Query: HSTS | Tomcat 9.0.50
On 16.01.23 06:57, Deepti Sharma S wrote:
> Hello Team,
>
> Can you please help us for below query:
>
> Query : How to enable HSTS in Apache Tomcat on non-default ports?
> We have custom ports for http and https and we want to enable HSTS on
> those custom ports.
>
> Note: We could see HSTS is working with default ports 80/443 though it's not
> working on other custom ports, please let us know if there are different
> steps to enable HSTS on non-default ports.
>
In order to "work", HSTS *must* be on https, by specification.
When you say you got it working on 80/443, you haven't. You might see the
headers, but it's not working. Most likely the header is ignored by the browser.
Whereever you handle your https termination - that might be on Tomcat, or on a
reverse proxy that sees traffic before Tomcat does - you'll best do the HSTS
handling. /That/ server knows it's serving https. And there the header actually
is valid and working.
If you try to configure a http (not https) connector on Tomcat for adding the
HSTS headers, it's well within the specification to ignore that setting.
Technically you can do some trickery around that, but to make that sensible and
safely would take more than a quick answer. And leave room for
misinterpretation and configuration mistakes. So: Configure it anyhwere you
terminate https, and ignore it on http.
Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
