You are right, tomcat is sitting behind AWS LB, where is ssl enabled, once it is passed that, tomcat is set up to listen 8080. If I understand you correctly, we will need to setup SSL in TOMCAT as well in order to have HSTS working, is it right?
-----Original Message----- From: Mark Thomas <ma...@apache.org> Sent: Wednesday, August 31, 2022 11:21 AM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT You don't have any TLS connectors configured so the HSTS filter isn't going to do anything. Given you access the server via port 443 but Tomcat is only listening on port 8080 you must have a reverse proxy configured somewhere that is likely terminating the TLS. You need to configure HSTS wherever the TLS is being terminated. As an aside, you need to be *very* careful proxying secure traffic to an HTTP connector on Tomcat. I trust that you have the appropriate configuration in place (typically the RemoteIpValve) to ensure that Tomcat can correctly identify which traffic has been received via a secure channel and which via an insecure channel. Mark On 31/08/2022 16:10, Yanhua Wusands wrote: > <Connector port="8080" protocol="HTTP/1.1" > acceptorThreadCount="2" > acceptCount="20" > maxConnections="200" > maxThreads="200" > minSpareThreads="10" > scheme="https" > proxyPort="443" > redirectPort="8443" > /> > > <!-- A "Connector" using the shared thread pool--> > <!-- > <Connector executor="tomcatThreadPool" > port="8080" protocol="HTTP/1.1" > connectionTimeout="20000" > redirectPort="8443" /> > --> > <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 > This connector uses the NIO implementation. The default > SSLImplementation will depend on the presence of the APR/native > library and the useOpenSSL attribute of the > AprLifecycleListener. > Either JSSE or OpenSSL style configuration may be used regardless of > the SSLImplementation selected. JSSE style configuration is used > below. > --> > <!-- > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11NioProtocol" > maxThreads="150" SSLEnabled="true"> > <SSLHostConfig> > <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" > type="RSA" /> > </SSLHostConfig> > </Connector> > --> > <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2 > This connector uses the APR/native implementation which always uses > OpenSSL for TLS. > Either JSSE or OpenSSL style configuration may be used. OpenSSL > style > configuration is used below. > --> > <!-- > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11AprProtocol" > maxThreads="150" SSLEnabled="true" > > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> > <SSLHostConfig> > <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" > certificateFile="conf/localhost-rsa-cert.pem" > certificateChainFile="conf/localhost-rsa-chain.pem" > type="RSA" /> > </SSLHostConfig> > </Connector> > --> > > <!-- Define an AJP 1.3 Connector on port 8009 --> > <!-- > <Connector protocol="AJP/1.3" > address="::1" > port="8009" > redirectPort="8443" /> > --> > > > > -----Original Message----- > From: Mark Thomas <ma...@apache.org> > Sent: Wednesday, August 31, 2022 11:03 AM > To: users@tomcat.apache.org > Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in > TOMCAT > > On 31/08/2022 15:36, Yanhua Wusands wrote: >> We are using TOMCAT 9.0.40 on linux, and are trying setup >> Strict-Transport-Security per requirement from our security team. >> >> We followed this note: >> https://urldefense.com/v3/__https://knowledge.broadcom.com/external/a >> r >> ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5i >> y >> 8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5 >> h >> TO4K-UbrvgSvSAepZe_e-U8$ >> >> Changed $CATALINA_HOME/conf/web.xml >> >> With: >> >> <filter> >> >> <filter-name>httpHeaderSecurity</filter-name> >> >> >> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</f >> i >> lter-class> >> >> <async-supported>true</async-supported> >> >> <init-param> >> >> <param-name>hstsEnabled</param-name> >> >> <param-value>true</param-value> >> >> </init-param> >> >> <init-param> >> >> <param-name>hstsMaxAgeSeconds</param-name> >> >> <param-value>31556927</param-value> >> >> </init-param> >> >> </filter> >> >> And uncommented: >> <filter-mapping> >> <filter-name>httpHeaderSecurity</filter-name> >> <url-pattern>/*</url-pattern> >> <dispatcher>REQUEST</dispatcher> >> </filter-mapping> >> >> After we restarted TOMCAT APACHE, we still couldn't see >> Strict-Transport-Security using following curl cmd: >> >> curl -i -s >> https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceaut >> o >> .cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh! >> G >> A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-U >> b rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security >> >> I am reaching out to see if there is any additional steps need to be done >> for setting up this security flag. > > Please provide the Connector element(s) (with sensitive data like passwords > masked) from your $CATALINA_BASE/conf/server.xml file. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org