> Is it true that all traffic seen by Tomcat must have been sent over TLS > between the user agent and AWS LB?
Yes, that is true, at least it is my understanding... -----Original Message----- From: Mark Thomas <ma...@apache.org> Sent: Wednesday, August 31, 2022 12:57 PM To: users@tomcat.apache.org Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT On 31/08/2022 17:39, Yanhua Wusands wrote: > You are right, tomcat is sitting behind AWS LB, where is ssl enabled, once it > is passed that, tomcat is set up to listen 8080. > If I understand you correctly, we will need to setup SSL in TOMCAT as well in > order to have HSTS working, is it right? No. That is not correct. There are several options at this point. We need more information to identify the best one. Is it true that all traffic seen by Tomcat must have been sent over TLS between the user agent and AWS LB? Mark > > -----Original Message----- > From: Mark Thomas <ma...@apache.org> > Sent: Wednesday, August 31, 2022 11:21 AM > To: users@tomcat.apache.org > Subject: Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in > TOMCAT > > You don't have any TLS connectors configured so the HSTS filter isn't going > to do anything. > > Given you access the server via port 443 but Tomcat is only listening on port > 8080 you must have a reverse proxy configured somewhere that is likely > terminating the TLS. > > You need to configure HSTS wherever the TLS is being terminated. > > As an aside, you need to be *very* careful proxying secure traffic to an HTTP > connector on Tomcat. I trust that you have the appropriate configuration in > place (typically the RemoteIpValve) to ensure that Tomcat can correctly > identify which traffic has been received via a secure channel and which via > an insecure channel. > > Mark > > > On 31/08/2022 16:10, Yanhua Wusands wrote: >> <Connector port="8080" protocol="HTTP/1.1" >> acceptorThreadCount="2" >> acceptCount="20" >> maxConnections="200" >> maxThreads="200" >> minSpareThreads="10" >> scheme="https" >> proxyPort="443" >> redirectPort="8443" >> /> >> >> <!-- A "Connector" using the shared thread pool--> >> <!-- >> <Connector executor="tomcatThreadPool" >> port="8080" protocol="HTTP/1.1" >> connectionTimeout="20000" >> redirectPort="8443" /> >> --> >> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 >> This connector uses the NIO implementation. The default >> SSLImplementation will depend on the presence of the APR/native >> library and the useOpenSSL attribute of the >> AprLifecycleListener. >> Either JSSE or OpenSSL style configuration may be used regardless >> of >> the SSLImplementation selected. JSSE style configuration is used >> below. >> --> >> <!-- >> <Connector port="8443" >> protocol="org.apache.coyote.http11.Http11NioProtocol" >> maxThreads="150" SSLEnabled="true"> >> <SSLHostConfig> >> <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" >> type="RSA" /> >> </SSLHostConfig> >> </Connector> >> --> >> <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2 >> This connector uses the APR/native implementation which always >> uses >> OpenSSL for TLS. >> Either JSSE or OpenSSL style configuration may be used. OpenSSL >> style >> configuration is used below. >> --> >> <!-- >> <Connector port="8443" >> protocol="org.apache.coyote.http11.Http11AprProtocol" >> maxThreads="150" SSLEnabled="true" > >> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" >> /> >> <SSLHostConfig> >> <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" >> certificateFile="conf/localhost-rsa-cert.pem" >> >> certificateChainFile="conf/localhost-rsa-chain.pem" >> type="RSA" /> >> </SSLHostConfig> >> </Connector> >> --> >> >> <!-- Define an AJP 1.3 Connector on port 8009 --> >> <!-- >> <Connector protocol="AJP/1.3" >> address="::1" >> port="8009" >> redirectPort="8443" /> >> --> >> >> >> >> -----Original Message----- >> From: Mark Thomas <ma...@apache.org> >> Sent: Wednesday, August 31, 2022 11:03 AM >> To: users@tomcat.apache.org >> Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in >> TOMCAT >> >> On 31/08/2022 15:36, Yanhua Wusands wrote: >>> We are using TOMCAT 9.0.40 on linux, and are trying setup >>> Strict-Transport-Security per requirement from our security team. >>> >>> We followed this note: >>> https://urldefense.com/v3/__https://knowledge.broadcom.com/external/ >>> a >>> r >>> ticle/226769/enable-http-strict-transport-security-hs.html__;!!Ec1O5 >>> i >>> y >>> 8QcVh!GA40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe >>> 5 >>> h >>> TO4K-UbrvgSvSAepZe_e-U8$ >>> >>> Changed $CATALINA_HOME/conf/web.xml >>> >>> With: >>> >>> <filter> >>> >>> <filter-name>httpHeaderSecurity</filter-name> >>> >>> >>> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</ >>> f >>> i >>> lter-class> >>> >>> <async-supported>true</async-supported> >>> >>> <init-param> >>> >>> <param-name>hstsEnabled</param-name> >>> >>> <param-value>true</param-value> >>> >>> </init-param> >>> >>> <init-param> >>> >>> <param-name>hstsMaxAgeSeconds</param-name> >>> >>> <param-value>31556927</param-value> >>> >>> </init-param> >>> >>> </filter> >>> >>> And uncommented: >>> <filter-mapping> >>> <filter-name>httpHeaderSecurity</filter-name> >>> <url-pattern>/*</url-pattern> >>> <dispatcher>REQUEST</dispatcher> >>> </filter-mapping> >>> >>> After we restarted TOMCAT APACHE, we still couldn't see >>> Strict-Transport-Security using following curl cmd: >>> >>> curl -i -s >>> https://urldefense.com/v3/__https://finerp-apps-dev02.test.advanceau >>> t >>> o >>> .cloud/ords/apex_ext/r/advance-supplier-portal/home__;!!Ec1O5iy8QcVh! >>> G >>> A40DCbCXd3AheMXejlVBzoCrxjPpYuD5q1tH5L4QY01vfZAZ-F5iLprImL0Qe5hTO4K- >>> U b rvgSvSAepLuScW-A$ | grep -i Strict-Transport-Security >>> >>> I am reaching out to see if there is any additional steps need to be done >>> for setting up this security flag. >> >> Please provide the Connector element(s) (with sensitive data like passwords >> masked) from your $CATALINA_BASE/conf/server.xml file. >> >> Mark >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
