You don't have any TLS connectors configured so the HSTS filter isn't
going to do anything.
Given you access the server via port 443 but Tomcat is only listening on
port 8080 you must have a reverse proxy configured somewhere that is
likely terminating the TLS.
You need to configure HSTS wherever the TLS is being terminated.
As an aside, you need to be *very* careful proxying secure traffic to an
HTTP connector on Tomcat. I trust that you have the appropriate
configuration in place (typically the RemoteIpValve) to ensure that
Tomcat can correctly identify which traffic has been received via a
secure channel and which via an insecure channel.
Mark
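As an added illustration of Mark's aside (this is example configuration written here, not Mark's or the Tomcat project's own): a server.xml fragment with the RemoteIpValve that lets Tomcat mark requests as secure when the reverse proxy says it terminated TLS, which is the condition under which HttpHeaderSecurityFilter will emit Strict-Transport-Security. The proxy address 10.0.0.5, the forwarded-header names and the port values are assumptions and must match the actual proxy.

```xml
<!-- $CATALINA_BASE/conf/server.xml (fragment, example values assumed) -->
<Service name="Catalina">

  <!-- Plain HTTP connector that the TLS-terminating proxy forwards to.
       scheme/proxyPort only influence URL generation (redirects, absolute
       links); they do NOT make request.isSecure() return true. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             scheme="https" proxyPort="443"
             redirectPort="8443" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- RemoteIpValve: for requests whose immediate peer address matches
         internalProxies, take the client address from X-Forwarded-For and,
         when X-Forwarded-Proto equals protocolHeaderHttpsValue, set
         request.isSecure() to true, the scheme to https and the server
         port to httpsServerPort. Forwarded headers from any peer outside
         internalProxies are ignored, so keep the pattern as narrow as the
         real proxy address(es) rather than a whole private range. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.5"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpServerPort="80"
           httpsServerPort="443" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

With this in place the httpHeaderSecurity filter from web.xml sees proxied HTTPS requests as secure and adds the HSTS header; the proxy must actually send X-Forwarded-Proto, and setting the header at the proxy as Mark suggests remains the simpler option.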
On 31/08/2022 16:10, Yanhua Wusands wrote:
    <Connector port="8080" protocol="HTTP/1.1"
               acceptorThreadCount="2"
               acceptCount="20"
               maxConnections="200"
               maxThreads="200"
               minSpareThreads="10"
               scheme="https"
               proxyPort="443"
               redirectPort="8443"
               />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used
         below.
    -->
    <!--
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, August 31, 2022 11:03 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT
On 31/08/2022 15:36, Yanhua Wusands wrote:
We are using TOMCAT 9.0.40 on linux, and are trying to set up
Strict-Transport-Security per requirement from our security team.
We followed this note:
https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html
Changed $CATALINA_HOME/conf/web.xml
With:
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31556927</param-value>
        </init-param>
    </filter>
And uncommented:
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
After we restarted TOMCAT APACHE, we still couldn't see
Strict-Transport-Security using the following curl cmd:
curl -i -s https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home | grep -i Strict-Transport-Security
I am reaching out to see if there are any additional steps that need to be done for
setting up this security flag.
Please provide the Connector element(s) (with sensitive data like passwords
masked) from your $CATALINA_BASE/conf/server.xml file.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org