Hi,

> -----Original Message-----
> From: Andrew Geery [mailto:andrew.ge...@gmail.com]
> Sent: Saturday, July 18, 2015 3:16 PM
> To: users@tomcat.apache.org
> Subject: iis isapi redirect problem
> 
> I have successfully gotten Tomcat 8 to work with IIS 8.5 using these
> directions: https://tomcat.apache.org/connectors-doc/reference/iis.html
> 
> IIS correctly forwards requests to Tomcat to handle and Tomcat correctly
> hands the response back to IIS to return to the client.  This works over
> http and over https.
> 
> Now there is a requirement that all traffic should go over ssl, so in IIS I
> added the following redirect to C:\inetpub\httproot:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <configuration>
>     <system.webServer>
>         <httpRedirect enabled="true" destination="<https location of the site>" exactDestination="false" httpResponseStatus="Found" />
>     </system.webServer>
> </configuration>
> 
> The effect of this is that when a client requests a page over http, the
> server sends a redirect (302) to the same page over https.  This works for
> other, non-Tomcat related pages on the site.  However, it does not work for
> pages that use the ISAPI redirector.  When a Tomcat page is requested, the
> URL that is returned is
> 
> https://<website>/jakarta/isapi_redirect.dll
> 
> That is, what seems to be happening is that rather than having the ISAPI handler
> render the page, the extension_uri value from the registry entry is being
> returned to the client.
> 
> My questions are:
> 1) is there a better way to force http -> https in IIS? or
> 2) if not, is there a way to get IIS/ISAPI to work with a redirect (301 or
> 302)?


I don't have much knowledge about ISAPI, but I think this URL is returned 
because the Tomcat ISAPI Redirector DLL first acts as an ISAPI Filter to rewrite 
the URL to itself, so that in the next step it can act as an ISAPI Extension to 
actually forward the request to Tomcat.

I don't know about the <httpRedirect> element in IIS, but with IIS you can also 
use an HttpModule that redirects non-HTTPS requests. Note that when redirecting 
HTTP to HTTPS, you normally would use HSTS (HTTP Strict Transport Security) [1] 
so that the client knows that every request to this host should go over HTTPS.

Without HSTS a MITM attacker could simply strip out the redirect and SSL/TLS 
when the user wants to visit the page, because when the user enters 
"www.example.com" the browser usually would make a request to 
"http://www.example.com/" instead of "https://www.example.com".
With HSTS, only the first request is "vulnerable" (as long as you don't add the 
website to the HSTS preload list [2]), but for subsequent requests the browser 
automatically replaces http://... with https://... for that host, so without 
HSTS the users would not really be protected.


To implement a permanent (301) redirect and add an HSTS header, you could use an 
HTTP module like the following in IIS 7+:

[[[
using System;
using System.Web;

namespace Webapp.Code.Utils {
    /// <summary>
    /// A module that redirects HTTP requests to HTTPS ones, adding an HSTS header.
    /// </summary>
    public class SslAndHstsModule : IHttpModule {

        public void Init(HttpApplication context) {
            context.BeginRequest += context_BeginRequest;
        }

        private void context_BeginRequest(object sender, EventArgs e) {
            HttpApplication app = (HttpApplication)sender;
            HttpRequest request = app.Request;
            HttpResponse response = app.Response;

            if (request.IsSecureConnection) {
                // Add an HSTS header (max-age of two years, in seconds)
                response.AppendHeader("Strict-Transport-Security",
                    "max-age=63072000");
            } else {
                // Permanently redirect an HTTP request to HTTPS, keeping the
                // host name and the original (unencoded) URL of the request
                string path = "https://" +
                    request.ServerVariables["SERVER_NAME"] +
                    request.ServerVariables["UNENCODED_URL"];
                response.RedirectPermanent(path, false);
                app.CompleteRequest();
            }
        }

        public void Dispose() {
            // Do nothing
        }

    }
}
]]]


To use it, you can put the code into a text file with the extension ".cs" and 
place it into the "App_Code" directory in your IIS web application directory. 
Then you can enable the module by adding it to the web.config file in the 
configuration/system.webServer/modules section:


<configuration>
  <system.webServer>
    <modules>
      <!-- Redirect HTTP requests to HTTPS and add a HSTS header -->
      <add name="SslAndHstsModule" type="Webapp.Code.Utils.SslAndHstsModule"/>
    </modules>
  </system.webServer>
</configuration>



Regards,
Konstantin Preißer


[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[2] https://hstspreload.appspot.com/
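As an added check that is not part of the thread above (example code, not Konstantin's module): a small Python checker that verifies a captured HTTP -> HTTPS redirect against the canonical host and the originally requested path, so the symptom from the original post (a Location pointing at /jakarta/isapi_redirect.dll instead of the requested page) is reported, and validates the Strict-Transport-Security header the module sends. The sample responses are constructed, www.example.com stands in for the real site, and the one-year minimum max-age is an assumption.

```python
from urllib.parse import urlsplit

# Minimum max-age we accept for an HSTS policy (assumption: one year).
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_redirect(status, location, requested_path, canonical_host):
    """Return the problems found in an HTTP -> HTTPS redirect response."""
    problems = []
    if status not in (301, 308):
        problems.append("status %d is not a permanent redirect" % status)
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append("redirect target is not https")
    # Compare against the host you expect, not whatever the request carried,
    # so a redirect built from an unexpected Host header is caught here.
    if target.hostname != canonical_host:
        problems.append("redirect host %r is not the canonical host" % target.hostname)
    # The symptom from the post: IIS answered with the ISAPI extension_uri
    # instead of the page the client asked for.
    if target.path != requested_path:
        problems.append("redirect path %r differs from requested %r"
                        % (target.path, requested_path))
    return problems


def check_hsts(header_value, served_over_https):
    """Return the problems found in an HSTS header as the module sends it."""
    problems = []
    if not served_over_https:
        # Browsers ignore HSTS received over plain HTTP (RFC 6797).
        problems.append("HSTS header sent over plain HTTP is ignored by browsers")
    policy = parse_hsts(header_value)
    if policy["max_age"] is None:
        problems.append("max-age directive missing")
    elif policy["max_age"] < MIN_HSTS_MAX_AGE:
        problems.append("max-age %d is below %d" % (policy["max_age"], MIN_HSTS_MAX_AGE))
    return problems
```

Run it against a redirect captured from IIS (status, Location header, the path you requested, your host name) and against the Strict-Transport-Security value of an HTTPS response; an empty list means the redirect and the policy look as intended.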

