Comments on: How do I force HTTPS in Tomcat (through Apache and mod_jk)?

Question: How do I force HTTPS in Tomcat (through Apache and mod_jk)?

purephase — Wed, 13 Dec 2006 15:56:41 -0800

I'm at my wit's end. I've been trying to configure tomcat (through apache 2 using mod_jk) to automatically re-direct all traffic to HTTPS from HTTP. More boring technical details to follow.

Specifically, I'm trying to get CAS working. Tomcat is successfully serving-up the pages over HTTP and HTTPS and the application is working as expected. However, since this particular servlet handles user authentication I would like Tomcat to force HTTPS for all requests.

I have tried using isSecure() through JSP to redirect users but it simply puts the requests into an endless loop. I have tried the following configuration in the web.xml file (see Lukas Bradleys' answer) and it does force a redirect, but it uses the server hostname as the URL and not the proxied URL to the server (which means it doesn't work externally).

I've tried changing the hostname on the server but it continues to use the initial hostname which leads me to believe that this value is somewhere in the Tomcat configuration, but I cannot locate it.

So, is there an easier way to do this? Or, does anyone know where to look to modify that hostname to use the URL for the proxied site? Any assistance would be appreciated.

By: boaz

boaz — Wed, 13 Dec 2006 16:16:17 -0800

Mod_rewrite will handle this lickety-split.

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^/(.*) https://%{HTTP_HOST}/$1  [L,R]

You might want to test that first. You can use a second rule to limit it to certain urls, like RewriteCond %{REQUEST_URI} /mydir/(.*).

By: SirStan

SirStan — Wed, 13 Dec 2006 16:19:39 -0800

boaz has it covered.

By: majick

majick — Wed, 13 Dec 2006 17:03:26 -0800

No need to get fancy with mod_rewrite. Just use the SSLRequireSSL directive.

By: drstein

drstein — Wed, 13 Dec 2006 17:21:51 -0800

I think you can also run it through the ProxyPass directive.

By: purephase

purephase — Wed, 13 Dec 2006 17:22:10 -0800

Using re-write rules in the virtual host settings in Apache cause extremely weird reactions. .htaccess files also do not seem to have any effect at all.

I haven't tried SSLRequireSSL so I've sent that off to my server admin to see if he can give it a shot (I don't have access to the apache conf, just the servlets).

By: SirStan

SirStan — Wed, 13 Dec 2006 17:49:00 -0800

I use mod_rewrite on ~40 vhosts no problem. Not sure what 'wierd reactions' you are talking about.

This sounds like a case of a really poorly configured server.

By: purephase

purephase — Wed, 13 Dec 2006 18:05:34 -0800

Are they passing servlets through Tomcat? I have no issue with mod_rewrite through Apache, it's only when it's done with mod_jk and Tomcat that the same rules do not work as I intended.

By: sbutler

sbutler — Wed, 13 Dec 2006 20:21:07 -0800

How do you have your connectors configured? You should have two: one for the unsecured traffice, and another for the secured. Here's an example of a server.xml (this is all from memory... untested):


<Connector protocol="AJP/1.3" redirectPort="443" scheme="http" secure="false" address="127.0.0.1" port="8008" />


<Connector protocol="AJP/1.3" redirectPort="443" scheme="https" secure="true" address="127.0.0.1" port="8009" />

Then, when you configure the workers.properties, you need two workers:

worker.list=ajp13unsecure, ajp13secure

worker.ajp13unsecure.type=ajp13
worker.ajp13unsecure.host=localhost
worker.ajp13unsecure.port=8008

worker.ajp13secure.type=ajp13
worker.ajp13secure.host=localhost
worker.ajp13secure.port=8009

Finally, inside your apache vhost config files, you'll have something like this:

<VirtualHost *:80>
# ...
JkMount /*.jsp ajp13unsecure
JkMount /servlet/* ajp13unsecure
</VirtualHost>

<VirtualHost *:443>
# ...
JkMount /*.jsp ajp13secure
JkMount /servlet/* ajp13secure
</VirtualHost>

So basically, you have to setup two parallel configurations: one secured, one unsecured. Then Tomcat will know how to forward requests, and when a request is secure or not.

By: purephase

purephase — Wed, 13 Dec 2006 20:37:34 -0800

Is the workers.properties file integral to this? My server admin disagrees (and he knows this stuff much better than I do). Does Tomcat use the values in that file to determine the host information when handling the CONFIDENTIAL secure transport?

By: sbutler

sbutler — Wed, 13 Dec 2006 20:40:08 -0800

Yes. If you don't specify the other connector in the workers.properties file, then how is Apache and mod_jk supposed to know it exists?

The only way that Tomcat knows a connection is secure is because you marked it secure in the Connector element. So if you want to handle both secure and unsecure traffic, you need two connectors.

By: sbutler

sbutler — Wed, 13 Dec 2006 21:01:41 -0800

What I should say is that this method has worked for me in the past. Looking through the mod_jk docs a little closer, it appears there may be other ways that don't require two connectors. Specifically, look at JkExtractSSL. Perhaps that's what your admin is thinking of.

By: purephase

purephase — Wed, 13 Dec 2006 21:05:14 -0800

The server.xml file has the two connectors specified, and both the 80 and 443 vhosts are specified in the httpd and ssl conf files.

There is no workers.properties file at the moment but I'll get him to look into that tomorrow. The SSL redirect works in Tomcat when I specify the CONFIDENTIAL secure-transport setting, it just doesn't re-direct to the correct URL (it uses the server hostname, not the proxied URL). Maybe specifying the .host values in the workers.properties will ensure that it uses the URL instead of the hostname.

The ServerName value in the vhosts files do not seem to have any effect.

Thanks for the help.

By: sbutler

sbutler — Wed, 13 Dec 2006 21:11:52 -0800

There're proxyName/proxyPort attributes for the Connector. I don't really know much about that, though.

By: purephase

purephase — Thu, 14 Dec 2006 18:51:57 -0800

I think you might be on to something. Thanks for the links and explanation. I think the missing link here is the workers.properties file so we need to start there. The proxyPort and proxyName attributes, as well as properly defined defaultHost attributes in the server.xml file (and associated host and vhost settings in workers.properties and httpd.conf) are the key making all of this fit together.

I'll post more tomorrow if there is any success/failures etc.

By: purephase

purephase — Fri, 15 Dec 2006 09:15:42 -0800

No luck. I've posted the question to the CAS listserv to see if anyone has any ideas there.