Deepti,

On 1/16/23 23:00, Deepti Sharma S wrote:
1. There is no reverse proxy in between tomcat and UA in my use case.
2. In Tomcat/conf/server.xml I have below connector settings :

<Connector executor="tomcatThreadPool"
            port="8080" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="8443" />

When I configure HSTS in Tomcat/conf/web.xml and try to access
website via HTTPS https://[domain]:8443, HSTS header is returned but
ignored
If the HSTS header is returned, that's all Tomcat can do.

as in when I change URL to http://[domain]:8080 URL is not changed to secured 
URL.

3. When I change conf/server.xml with below connector settings along with HSTS :

<Connector executor="tomcatThreadPool"
            port="80" protocol="HTTP/1.1"
            connectionTimeout="20000"
            redirectPort="443" />

Try to access website via HTTPS https://[domain]:443: URL is changed to https://[domain], HSTS header is returned and honoured, as in when
I change URL to http://[domain]:80 URL is changed to secured URL
https://[domain].

So my query is how to configure HSTS on explicit custom ports(like in
my case mentioned in point 2 8080/8443) or what is the
recommendation, please suggest?
I wonder if browsers are not sensitive to the port number being used for HTTPS. The HSTS header is intended to tell the browser "only use HTTPS on this site" but it does allow a port number to be specified. The browser *could* retain the port number as well, but that might not be correct or it may not be a part of the spec.

I'm sorry, I'm not familiar enough with the spec to know whether this could be a problem or not, but it seems plausible.

But if Tomcat is returning the HSTS header as expected, there isn't really any more that you can do.

Thanks,
-chris

-----Original Message-----
From: Olaf Kock <tom...@olafkock.de>
Sent: 16 January 2023 13:56
To: users@tomcat.apache.org
Subject: Re: Query: HSTS | Tomcat 9.0.50


On 16.01.23 06:57, Deepti Sharma S wrote:
Hello Team,

Can you please help us for below query:

Query : How to enable HSTS in Apache Tomcat on non-default ports?
       We have custom ports for http and https and we want to enable HSTS on 
those custom ports.

Note: We could see HSTS is working with default ports 80/443 though it's not 
working on other custom ports, please let us know if there are different steps 
to enable HSTS on non-default ports.

In order to "work", HSTS *must* be on https, by specification.

When you say you got it working on 80/443, you haven't. You might see the 
headers, but it's not working. Most likely the header is ignored by the browser.

Wherever you handle your https termination - that might be on Tomcat, or on a 
reverse proxy that sees traffic before Tomcat does - you'll best do the HSTS 
handling. /That/ server knows it's serving https. And there the header actually 
is valid and working.

If you try to configure a http (not https) connector on Tomcat for adding the 
HSTS headers, it's well within the specification to ignore that setting.

Technically you can do some trickery around that, but to make that sensible and 
safe would take more than a quick answer. And leave room for 
misinterpretation and configuration mistakes. So: Configure it anywhere you 
terminate https, and ignore it on http.

Olaf
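Both replies above leave open why the same header is honoured on 80/443 but not on 8080/8443. The following is an added example, not code from the thread, from Tomcat or from any browser: a Python model of the three RFC 6797 rules that decide this. Section 6.1 gives the header syntax (max-age is mandatory, a repeated directive invalidates the header, unknown directives such as preload are ignored); section 8.1 says the header is only processed when it arrives over a secure transport and that the stored policy is keyed by host name with no port at all; section 8.3 says that when an http:// URI to a known HSTS host is rewritten to https://, an explicit port 80 becomes 443 while any other explicit port is preserved unchanged. The host name app.example.test, the header values and the paths are constructed sample data.

```python
"""Model of a browser's HSTS handling (RFC 6797 sections 6.1, 8.1, 8.3).

Added example for the thread, not Tomcat or browser code. Host names,
header values and paths are constructed sample data.
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1).

    Returns (max_age, include_subdomains), or None when the value is
    invalid (max-age missing, malformed, or any directive repeated).
    Directives the UA does not know, e.g. preload, are ignored.
    """
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in seen:                    # s6.1: no directive twice
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsUserAgent:
    """Policy store keyed by host name only, plus the s8.3 rewrite rule."""

    def __init__(self):
        self.known = {}   # host -> (max_age, include_subdomains); no port

    def process_response(self, url, headers, over_tls):
        """Return True if a policy was stored from this response (s8.1)."""
        host = urlsplit(url).hostname
        sts = headers.get("Strict-Transport-Security")
        if not over_tls or sts is None or not host:
            return False                    # header over plain http: ignored
        try:
            ipaddress.ip_address(host)
            return False                    # IP literal never becomes an HSTS host
        except ValueError:
            pass
        parsed = parse_sts(sts)
        if parsed is None:
            return False
        if parsed[0] == 0:                  # max-age=0 removes the policy
            self.known.pop(host, None)
            return False
        self.known[host] = parsed
        return True

    def is_known(self, host):
        """Exact match, or a superdomain match that set includeSubDomains."""
        if not host:
            return False
        if host in self.known:
            return True
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.known
                   and self.known[".".join(labels[i:])][1]
                   for i in range(1, len(labels)))

    def rewrite(self, url):
        """s8.3: http:// to a known host becomes https://. Port 80 maps to
        443 (written as the default, so omitted); any other explicit port
        is kept as-is, which is what sends 8080 traffic to https://host:8080."""
        p = urlsplit(url)
        if p.scheme != "http" or not self.is_known(p.hostname):
            return url
        netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def thread_scenarios():
    """Points 2 and 3 from the thread with a constructed host name.

    Returns the URL the browser would load for http://host:8080 after
    learning HSTS on :8443, and for http://host:80 after learning it on :443.
    """
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    ua_custom = HstsUserAgent()
    ua_custom.process_response("https://app.example.test:8443/", hdr, over_tls=True)
    custom = ua_custom.rewrite("http://app.example.test:8080/login")
    ua_default = HstsUserAgent()
    ua_default.process_response("https://app.example.test/", hdr, over_tls=True)
    default = ua_default.rewrite("http://app.example.test:80/login")
    return custom, default
```

With the 8080/8443 pair the model turns http://app.example.test:8080/login into https://app.example.test:8080/login, not into :8443: the browser honours the policy, but it now speaks TLS to the plain-text connector on 8080, so the request fails instead of being redirected. The header carries no port, so nothing Tomcat can put in it changes that. With 80/443 the same rule yields https://app.example.test/login, which is the behaviour reported in point 3. The model also shows why a filter that emits the header on an http connector achieves nothing: process_response discards it when over_tls is false, which matches Olaf's point that the header only counts where https is terminated (Tomcat's own HttpHeaderSecurityFilter likewise only adds it when request.isSecure() is true).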



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
