Thank you for all the good insights Olaf. I am like you, I prefer to put a reverse proxy in front of my Tomcat instances as well. Unfortunately it is Qualys that is calling this particular system out, so I have to figure out how best to fix it.
Thanks again.

Dream * Excel * Explore * Inspire

Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com

> -----Original Message-----
> From: Olaf Kock <tom...@olafkock.de>
> Sent: Saturday, April 22, 2023 2:14 AM
> To: users@tomcat.apache.org
> Subject: Re: OT: hsts in Tomcat 9.0.73
>
>
> On 22.04.23 at 00:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Thanks Peter,
> >
> > I still do not see the hsts header. I'm wondering if this is causing it.
> >
> > SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> >
> > I don't know why it's complaining as the certificate for Tomcat is not a self-signed certificate.
>
> That's a good guess: Anything self-signed is a problem for HSTS (though only curl might see it as that, depending on the root certificate store it uses compared to your browser). However, somehow I'd expect the server to be ignorant to the level of trust that the client has and send the header anyway.
>
> Another aspect to dig into is the explicit nonstandard port number. I didn't fully parse the RFC for it, but there are several statements on explicit, implicit ports and how they're mapped.
>
> In the end, it might be worth hitting the Tomcat filter in a debugger, or inspecting the source - to see if any conditional branches in an unexpected fashion, if a different filter than the expected one is hitting, or if the URL doesn't match.
>
> Yet one more option: Set some nonstandard header, where no assumption can be made in any server- or client-side code, and see if it gets through. This way you know that you're hitting the expected filter
>
> I'm typically lazy in all of this setup, as I defer HTTPS/HSTS to a reverse proxy (and I'm only setting up demo systems), so I can only make wild guesses.
>
> Olaf
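The thread above leaves the diagnosis as a manual exercise: capture the response with curl, look for the Strict-Transport-Security header, and use a "canary" nonstandard header to prove the request really reached the filter you configured. The script below is an added example for this thread; it is not code from the list members or from Tomcat. It takes a raw HTTP/1.1 response head (the kind `curl -skv` or `curl -ski` prints), parses the HSTS field value according to the directive rules of RFC 6797, and reports why a browser would or would not record the policy. The sample responses and the canary header name `X-HSTS-Probe` are constructed for the example; `over_tls` is an assumption you pass in, since a captured header dump does not say whether the transport was secure.

```python
"""Parse and sanity-check a Strict-Transport-Security (HSTS) response header.

Added example for the HSTS-in-Tomcat thread; not Tomcat code and not the
list members' code. Runs offline on the constructed responses below.
"""
import re
from typing import Dict, List, Optional

# One directive per RFC 6797 section 6.1: name [ "=" ( token | quoted-string ) ].
# Directive names are case-insensitive; values are compared as given.
_DIRECTIVE_RE = re.compile(
    r"\s*([\w!#$%&'*+.^`|~-]+)\s*(?:=\s*(\"[^\"]*\"|[\w!#$%&'*+.^`|~-]+))?\s*$"
)

# Constructed samples: a healthy response and one that never reached the filter.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-HSTS-Probe: filter-reached\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_NO_FILTER = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def split_headers(raw_response: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to every value seen, in order.

    Keeping repeats matters: RFC 6797 8.1 says a UA processes only the
    first STS header when several arrive, so duplicates must stay visible.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one STS field value; return None if a UA would ignore it.

    Invalid under RFC 6797: any directive repeated, a directive that does not
    match the grammar, or a missing/non-numeric max-age (the only required one).
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # grammar allows empty segments, e.g. a trailing ';'
        m = _DIRECTIVE_RE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()
        if name in directives:
            return None  # each directive may appear at most once
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # unwrap quoted-string
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives


def diagnose(raw_response: str, over_tls: bool, canary: str = "x-hsts-probe") -> List[str]:
    """Return human-readable findings; an empty list means the policy is usable.

    `canary` is the nonstandard header from the thread's suggestion: if it is
    absent, the response did not pass through the filter you expected.
    """
    headers = split_headers(raw_response)
    findings: List[str] = []
    if canary not in headers:
        findings.append(f"canary header {canary} missing: response did not pass the expected filter")
    if not over_tls:
        findings.append("fetched over plain HTTP: UAs ignore STS on non-secure transport (RFC 6797 8.1)")
    sts = headers.get("strict-transport-security")
    if sts is None:
        findings.append("no Strict-Transport-Security header in the response")
        return findings
    if len(sts) > 1:
        findings.append("multiple STS headers: only the first is processed by the UA")
    policy = parse_hsts(sts[0])
    if policy is None:
        findings.append(f"STS value is not valid RFC 6797 syntax, UA ignores it: {sts[0]!r}")
        return findings
    max_age = int(policy["max-age"] or "0")
    if max_age == 0:
        findings.append("max-age=0: tells the UA to forget any stored policy")
    if "preload" in policy and ("includesubdomains" not in policy or max_age < 31536000):
        findings.append("preload requested but preload submission requires includeSubDomains and max-age >= 31536000")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("no-filter", SAMPLE_NO_FILTER)):
        print(label, diagnose(sample, over_tls=True) or ["policy would be recorded"])
```

To use it on a live system, paste the header block curl printed into a string and call `diagnose(...)`. A practical note for the Tomcat case: if the filter in play is Tomcat's own `HttpHeaderSecurityFilter`, it adds the HSTS header only when the request is secure (`request.isSecure()` is true), so a connector that terminates TLS elsewhere, or is not marked `secure`, will never emit the header even though the filter mapping is correct; the canary header check above is what separates "filter not reached" from "filter reached but skipped the header".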