How do I force HTTPS in Tomcat (through Apache and mod_jk)?
December 13, 2006 3:56 PM Subscribe
I'm at my wit's end. I've been trying to configure tomcat (through apache 2 using mod_jk) to automatically re-direct all traffic to HTTPS from HTTP. More boring technical details to follow.
Specifically, I'm trying to get CAS working. Tomcat is successfully serving-up the pages over HTTP and HTTPS and the application is working as expected. However, since this particular servlet handles user authentication I would like Tomcat to force HTTPS for all requests.
I have tried using isSecure() through JSP to redirect users but it simply puts the requests into an endless loop. I have tried the following configuration in the web.xml file (see Lukas Bradleys' answer) and it does force a redirect, but it uses the server hostname as the URL and not the proxied URL to the server (which means it doesn't work externally).
I've tried changing the hostname on the server but it continues to use the initial hostname which leads me to believe that this value is somewhere in the Tomcat configuration, but I cannot locate it.
So, is there an easier way to do this? Or, does anyone know where to look to modify that hostname to use the URL for the proxied site? Any assistance would be appreciated.
Specifically, I'm trying to get CAS working. Tomcat is successfully serving-up the pages over HTTP and HTTPS and the application is working as expected. However, since this particular servlet handles user authentication I would like Tomcat to force HTTPS for all requests.
I have tried using isSecure() through JSP to redirect users but it simply puts the requests into an endless loop. I have tried the following configuration in the web.xml file (see Lukas Bradleys' answer) and it does force a redirect, but it uses the server hostname as the URL and not the proxied URL to the server (which means it doesn't work externally).
I've tried changing the hostname on the server but it continues to use the initial hostname which leads me to believe that this value is somewhere in the Tomcat configuration, but I cannot locate it.
So, is there an easier way to do this? Or, does anyone know where to look to modify that hostname to use the URL for the proxied site? Any assistance would be appreciated.
No need to get fancy with mod_rewrite. Just use the SSLRequireSSL directive.
posted by majick at 5:03 PM on December 13, 2006
posted by majick at 5:03 PM on December 13, 2006
I think you can also run it through the ProxyPass directive.
posted by drstein at 5:21 PM on December 13, 2006
posted by drstein at 5:21 PM on December 13, 2006
Response by poster: Using re-write rules in the virtual host settings in Apache cause extremely weird reactions. .htaccess files also do not seem to have any effect at all.
I haven't tried SSLRequireSSL so I've sent that off to my server admin to see if he can give it a shot (I don't have access to the apache conf, just the servlets).
posted by purephase at 5:22 PM on December 13, 2006
I haven't tried SSLRequireSSL so I've sent that off to my server admin to see if he can give it a shot (I don't have access to the apache conf, just the servlets).
posted by purephase at 5:22 PM on December 13, 2006
I use mod_rewrite on ~40 vhosts no problem. Not sure what 'wierd reactions' you are talking about.
This sounds like a case of a really poorly configured server.
posted by SirStan at 5:49 PM on December 13, 2006
This sounds like a case of a really poorly configured server.
posted by SirStan at 5:49 PM on December 13, 2006
Response by poster: Are they passing servlets through Tomcat? I have no issue with mod_rewrite through Apache, it's only when it's done with mod_jk and Tomcat that the same rules do not work as I intended.
posted by purephase at 6:05 PM on December 13, 2006
posted by purephase at 6:05 PM on December 13, 2006
How do you have your connectors configured? You should have two: one for the unsecured traffice, and another for the secured. Here's an example of a server.xml (this is all from memory... untested):
<!-- Unsecured connector -->
<Connector protocol="AJP/1.3" redirectPort="443" scheme="http" secure="false" address="127.0.0.1" port="8008" />
<!-- Secured connector -->
<Connector protocol="AJP/1.3" redirectPort="443" scheme="https" secure="true" address="127.0.0.1" port="8009" />
Then, when you configure the workers.properties, you need two workers:
worker.list=ajp13unsecure, ajp13secure
worker.ajp13unsecure.type=ajp13
worker.ajp13unsecure.host=localhost
worker.ajp13unsecure.port=8008
worker.ajp13secure.type=ajp13
worker.ajp13secure.host=localhost
worker.ajp13secure.port=8009
Finally, inside your apache vhost config files, you'll have something like this:
<VirtualHost *:80>
# ...
JkMount /*.jsp ajp13unsecure
JkMount /servlet/* ajp13unsecure
</VirtualHost>
<VirtualHost *:443>
# ...
JkMount /*.jsp ajp13secure
JkMount /servlet/* ajp13secure
</VirtualHost>
So basically, you have to setup two parallel configurations: one secured, one unsecured. Then Tomcat will know how to forward requests, and when a request is secure or not.
posted by sbutler at 8:21 PM on December 13, 2006
<!-- Unsecured connector -->
<Connector protocol="AJP/1.3" redirectPort="443" scheme="http" secure="false" address="127.0.0.1" port="8008" />
<!-- Secured connector -->
<Connector protocol="AJP/1.3" redirectPort="443" scheme="https" secure="true" address="127.0.0.1" port="8009" />
Then, when you configure the workers.properties, you need two workers:
worker.list=ajp13unsecure, ajp13secure
worker.ajp13unsecure.type=ajp13
worker.ajp13unsecure.host=localhost
worker.ajp13unsecure.port=8008
worker.ajp13secure.type=ajp13
worker.ajp13secure.host=localhost
worker.ajp13secure.port=8009
Finally, inside your apache vhost config files, you'll have something like this:
<VirtualHost *:80>
# ...
JkMount /*.jsp ajp13unsecure
JkMount /servlet/* ajp13unsecure
</VirtualHost>
<VirtualHost *:443>
# ...
JkMount /*.jsp ajp13secure
JkMount /servlet/* ajp13secure
</VirtualHost>
So basically, you have to setup two parallel configurations: one secured, one unsecured. Then Tomcat will know how to forward requests, and when a request is secure or not.
posted by sbutler at 8:21 PM on December 13, 2006
Response by poster: Is the workers.properties file integral to this? My server admin disagrees (and he knows this stuff much better than I do). Does Tomcat use the values in that file to determine the host information when handling the CONFIDENTIAL secure transport?
posted by purephase at 8:37 PM on December 13, 2006
posted by purephase at 8:37 PM on December 13, 2006
Yes. If you don't specify the other connector in the workers.properties file, then how is Apache and mod_jk supposed to know it exists?
The only way that Tomcat knows a connection is secure is because you marked it secure in the Connector element. So if you want to handle both secure and unsecure traffic, you need two connectors.
posted by sbutler at 8:40 PM on December 13, 2006
The only way that Tomcat knows a connection is secure is because you marked it secure in the Connector element. So if you want to handle both secure and unsecure traffic, you need two connectors.
posted by sbutler at 8:40 PM on December 13, 2006
What I should say is that this method has worked for me in the past. Looking through the mod_jk docs a little closer, it appears there may be other ways that don't require two connectors. Specifically, look at JkExtractSSL. Perhaps that's what your admin is thinking of.
posted by sbutler at 9:01 PM on December 13, 2006
posted by sbutler at 9:01 PM on December 13, 2006
Response by poster: The server.xml file has the two connectors specified, and both the 80 and 443 vhosts are specified in the httpd and ssl conf files.
There is no workers.properties file at the moment but I'll get him to look into that tomorrow. The SSL redirect works in Tomcat when I specify the CONFIDENTIAL secure-transport setting, it just doesn't re-direct to the correct URL (it uses the server hostname, not the proxied URL). Maybe specifying the .host values in the workers.properties will ensure that it uses the URL instead of the hostname.
The ServerName value in the vhosts files do not seem to have any effect.
Thanks for the help.
posted by purephase at 9:05 PM on December 13, 2006
There is no workers.properties file at the moment but I'll get him to look into that tomorrow. The SSL redirect works in Tomcat when I specify the CONFIDENTIAL secure-transport setting, it just doesn't re-direct to the correct URL (it uses the server hostname, not the proxied URL). Maybe specifying the .host values in the workers.properties will ensure that it uses the URL instead of the hostname.
The ServerName value in the vhosts files do not seem to have any effect.
Thanks for the help.
posted by purephase at 9:05 PM on December 13, 2006
There're proxyName/proxyPort attributes for the Connector. I don't really know much about that, though.
posted by sbutler at 9:11 PM on December 13, 2006
posted by sbutler at 9:11 PM on December 13, 2006
Response by poster: I think you might be on to something. Thanks for the links and explanation. I think the missing link here is the workers.properties file so we need to start there. The proxyPort and proxyName attributes, as well as properly defined defaultHost attributes in the server.xml file (and associated host and vhost settings in workers.properties and httpd.conf) are the key making all of this fit together.
I'll post more tomorrow if there is any success/failures etc.
posted by purephase at 6:51 PM on December 14, 2006
I'll post more tomorrow if there is any success/failures etc.
posted by purephase at 6:51 PM on December 14, 2006
Response by poster: No luck. I've posted the question to the CAS listserv to see if anyone has any ideas there.
posted by purephase at 9:15 AM on December 15, 2006
posted by purephase at 9:15 AM on December 15, 2006
This thread is closed to new comments.
RewriteEngine OnRewriteCond %{HTTPS} off
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]
You might want to test that first. You can use a second rule to limit it to certain urls, like
RewriteCond %{REQUEST_URI} /mydir/(.*).posted by boaz at 4:16 PM on December 13, 2006