On 31/08/2022 17:39, Yanhua Wusands wrote:
You are right, tomcat is sitting behind AWS LB, where is ssl enabled, once it
is passed that, tomcat is set up to listen 8080.
If I understand you correctly, we will need to setup SSL in TOMCAT as well in
order to have HSTS working, is it right?
No. That is not correct.
There are several options at this point. We need more information to
identify the best one.
Is it true that all traffic seen by Tomcat must have been sent over TLS
between the user agent and AWS LB?
Mark
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, August 31, 2022 11:21 AM
To: users@tomcat.apache.org
Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT
You don't have any TLS connectors configured so the HSTS filter isn't going to
do anything.
Given you access the server via port 443 but Tomcat is only listening on port
8080 you must have a reverse proxy configured somewhere that is likely
terminating the TLS.
You need to configure HSTS wherever the TLS is being terminated.
As an aside, you need to be *very* careful proxying secure traffic to an HTTP
connector on Tomcat. I trust that you have the appropriate configuration in
place (typically the RemoteIpValve) to ensure that Tomcat can correctly
identify which traffic has been received via a secure channel and which via an
insecure channel.
Mark
On 31/08/2022 16:10, Yanhua Wusands wrote:
<Connector port="8080" protocol="HTTP/1.1"
acceptorThreadCount="2"
acceptCount="20"
maxConnections="200"
maxThreads="200"
minSpareThreads="10"
scheme="https"
proxyPort="443"
redirectPort="8443"
/>
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
This connector uses the NIO implementation. The default
SSLImplementation will depend on the presence of the APR/native
library and the useOpenSSL attribute of the
AprLifecycleListener.
Either JSSE or OpenSSL style configuration may be used regardless of
the SSLImplementation selected. JSSE style configuration is used
below.
-->
<!--
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
This connector uses the APR/native implementation which always uses
OpenSSL for TLS.
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
configuration is used below.
-->
<!--
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Wednesday, August 31, 2022 11:03 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in
TOMCAT
On 31/08/2022 15:36, Yanhua Wusands wrote:
We are using TOMCAT 9.0.40 on linux, and are trying setup
Strict-Transport-Security per requirement from our security team.
We followed this note:
https://urldefense.com/v3/__https://knowledge.broadcom.com/external/a
r
ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5i
y
8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5
h
TO4K-UbrvgSvSAepZe_e-U8$
Changed $CATALINA_HOME/conf/web.xml
With:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</f
i
lter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31556927</param-value>
</init-param>
</filter>
And uncommented:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
After we restarted TOMCAT APACHE, we still couldn't see
Strict-Transport-Security using following curl cmd:
curl -i -s
https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceaut
o
.cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh!
G
A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K-U
b rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security
I am reaching out to see if there is any additional steps need to be done for
setting up this security flag.
Please provide the Connector element(s) (with sensitive data like passwords
masked) from your $CATALINA_BASE/conf/server.xml file.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
