Posted to dev@tomcat.apache.org by Felix Schumacher <fe...@internetallee.de> on 2020/02/25 15:53:19 UTC

Enabling http to https redirects for tomcat.apache.org

Hi all,

as more and more browsers are marking http as insecure, we should
redirect all http requests to tomcat.apache.org to https.

We can enable that by adding a rewrite rule to the .htaccess file in the
xdocs folder of our site repo.

For JMeter we used the following fragment:

RewriteEngine On

# Redirect http to https
# From Cordova PMC Member raphinesse
# https://s.apache.org/An8s

# If we receive a forwarded http request from a proxy...
RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]

# ...or just a plain old http request directly from the client
RewriteCond %{HTTP:X-Forwarded-Proto} =""
RewriteCond %{HTTPS} !=on

# Redirect to https version
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]

Anything against adding this to our .htaccess file?

Felix


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Enabling http to https redirects for tomcat.apache.org

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Felix,

On 2/25/20 11:10, Felix Schumacher wrote:
> On 25.02.20 at 16:57, Christopher Schultz wrote:
>> On 2/25/20 10:53, Felix Schumacher wrote:
>>> # Redirect to https version
>>> RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]
>>
>> Query string? Or is that part of REQUEST_URI?
>
> If I read the documentation for REQUEST_URI right, that
> QUERY_STRING is not part of it.
>
> Hm, another way to do this would probably be
>
> RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L]
>
> Taken partly from
> https://cwiki.apache.org/confluence/display/HTTPD/RewriteHTTPToHTTPS
>
> Do you think that would be better?

Yes. I don't think we have any pages which actually require a
query-string, but it's better to do it properly from the outset rather
than patching it ad-hoc whenever certain things don't work.

-chris



Re: Enabling http to https redirects for tomcat.apache.org

Posted by Felix Schumacher <fe...@internetallee.de>.
On 25.02.20 at 16:57, Christopher Schultz wrote:
> On 2/25/20 10:53, Felix Schumacher wrote:
> > # Redirect to https version
> > RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]
>
> Query string? Or is that part of REQUEST_URI?

If I read the documentation for REQUEST_URI right, that QUERY_STRING is
not part of it.

Hm, another way to do this would probably be

RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L]

Taken partly from
https://cwiki.apache.org/confluence/display/HTTPD/RewriteHTTPToHTTPS

Do you think that would be better?

Felix

>
> > Anything against adding this to our .htaccess file?
>
> +1
>
> -chris
>


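To make the decision table behind Felix's three RewriteCond lines and the query-string question concrete, here is an added example in Python. It is not code from the Tomcat or JMeter site repositories; it models the rule so it can be checked offline. It relies on two documented mod_rewrite behaviours: %{REQUEST_URI} is the path without the query string, and when the expanded substitution contains no "?" the original query string is passed through unchanged (a substitution ending in "?" drops it, and [QSA] merges old and new). Under that rule both the %{REQUEST_URI} form and the ^/?(.*) ... /$1 form keep the query string. The host, paths, query strings and the three "deployment" tables are constructed for the example, and the Request class and function names are the example's own, not anything in the site repo.

```python
"""Model of the http->https RewriteCond/RewriteRule from the thread.

Added example, not code from the Tomcat or JMeter site repos. Hosts,
paths, query strings and the deployment tables below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    https_on: bool                   # %{HTTPS} == "on" at the httpd evaluating the rule
    forwarded_proto: Optional[str]   # X-Forwarded-Proto header, None if absent
    host: str                        # %{HTTP_HOST}
    path: str                        # %{REQUEST_URI}: path only, no query string
    query: str = ""                  # %{QUERY_STRING}


def needs_redirect(req: Request) -> bool:
    """The three RewriteCond lines: (XFP = http) OR (XFP = "" AND HTTPS != on).
    An absent header expands to the empty string in mod_rewrite."""
    xfp = req.forwarded_proto or ""
    return xfp == "http" or (xfp == "" and not req.https_on)


def expand(req: Request, substitution: str, qsa: bool = False) -> str:
    """Expand the substitution, then apply mod_rewrite's query-string rule:
    no '?' in the result -> the original query string is passed through;
    '?' present -> it replaces the query string unless [QSA] merges them."""
    out = (substitution
           .replace("%{HTTP_HOST}", req.host)
           .replace("%{REQUEST_URI}", req.path)
           # $1 from ^/?(.*): in .htaccess the matched path has no leading slash
           .replace("$1", req.path.lstrip("/")))
    if "?" not in out:
        return out + ("?" + req.query if req.query else "")
    base, new_query = out.split("?", 1)
    if qsa and req.query:
        new_query = new_query + "&" + req.query if new_query else req.query
    return base + ("?" + new_query if new_query else "")


RULE_A = "https://%{HTTP_HOST}%{REQUEST_URI}"   # Felix's first version
RULE_B = "https://%{HTTP_HOST}/$1"               # the RewriteHTTPToHTTPS wiki form


def redirect_target(req: Request, substitution: str = RULE_A) -> Optional[str]:
    """Location the rule would send the client to, or None if it does not fire."""
    return expand(req, substitution) if needs_redirect(req) else None


# How the httpd evaluating .htaccess sees a request, per client scheme:
# client scheme -> (%{HTTPS} is on, X-Forwarded-Proto value). Constructed.
Deployment = Dict[str, Tuple[bool, Optional[str]]]
DIRECT: Deployment = {"http": (False, None), "https": (True, None)}
PROXY_GOOD: Deployment = {"http": (False, "http"), "https": (False, "https")}
PROXY_BAD: Deployment = {"http": (False, None), "https": (False, None)}  # TLS ends at proxy, header not set


def follow(deployment: Deployment, host: str, path: str, query: str = "",
           max_hops: int = 3) -> str:
    """Simulate a client that starts over http and follows redirects.
    Returns the scheme it settles on, or 'loop' if the rule keeps firing."""
    scheme = "http"
    for _ in range(max_hops):
        https_on, xfp = deployment[scheme]
        target = redirect_target(Request(https_on, xfp, host, path, query))
        if target is None:
            return scheme
        scheme = urlsplit(target).scheme
    return "loop"


if __name__ == "__main__":
    r = Request(False, None, "tomcat.apache.org", "/download-90.cgi",
                "Preferred=https%3A%2F%2Fmirror.example")
    print("rule A:", redirect_target(r, RULE_A))
    print("rule B:", redirect_target(r, RULE_B))
    print("drop qs:", expand(r, RULE_A + "?"))
    for name, dep in (("direct", DIRECT), ("proxy+XFP", PROXY_GOOD),
                      ("proxy no XFP", PROXY_BAD)):
        print(f"{name:14s} -> {follow(dep, 'tomcat.apache.org', '/')}")
```

The PROXY_BAD row is the caveat worth checking before enabling the rule: if TLS is terminated in front of httpd and that proxy does not set X-Forwarded-Proto, %{HTTPS} is never "on" where .htaccess is evaluated and every https request is redirected to itself. Two further practitioner notes: add an explicit [R=301,L] (as the cwiki page does) rather than relying on an absolute https:// substitution being treated as an external redirect, and after the change fetch a few http URLs with a query string and confirm the Location header carries it through.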


Re: Enabling http to https redirects for tomcat.apache.org

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Felix,

On 2/25/20 10:53, Felix Schumacher wrote:
> as more and more browsers are marking http as insecure, we should
> redirect all http requests to tomcat.apache.org to https.
>
> We can enable that by adding a rewrite rule to the .htaccess file
> in the xdocs folder of our site repo.
>
> For JMeter we used the following fragment:
>
> RewriteEngine On
>
> # Redirect http to https
> # From Cordova PMC Member raphinesse
> # https://s.apache.org/An8s
>
> # If we receive a forwarded http request from a proxy...
> RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
>
> # ...or just a plain old http request directly from the client
> RewriteCond %{HTTP:X-Forwarded-Proto} =""
> RewriteCond %{HTTPS} !=on
>
> # Redirect to https version
> RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]

Query string? Or is that part of REQUEST_URI?

> Anything against adding this to our .htaccess file?

+1

-chris



Re: Enabling http to https redirects for tomcat.apache.org

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 2/25/20 17:29, Mark Thomas wrote:
> On 25/02/2020 20:45, Christopher Schultz wrote:
>> Mark,
>>
>> On 2/25/20 14:34, Mark Thomas wrote:
>>> On 25/02/2020 15:53, Felix Schumacher wrote:
>>>> Hi all,
>>>>
>>>> as more and more browsers are marking http as insecure, we
>>>> should redirect all http requests to tomcat.apache.org to
>>>> https.
>>
>>> I really don't like this.
>>
>>> I'm happy to support https for those people that want to use it
>>> but I see no need to require https for everybody for
>>> tomcat.apache.org.
>>
>>> We should not be dictating to our users what security / privacy
>>> / caching / performance / etc. trade-offs are appropriate for
>>> them. We should support as many options as possible and let our
>>> users decide.
>>
>>> I'm not quite -1 on this but I am close.
>>
>> https://www.troyhunt.com/heres-why-your-static-website-needs-https/
>
> Sorry, not convinced. We need to let users make this choice.
>
> The numbers are significant.
>
> tomcat.apache.org from China can be significantly slower over
> https compared to http. Typically 2 to 3 times slower in my testing
> with
>
> https://www.websitepulse.com/tools/china-firewall-test#
>
> 3.5s to 8s to load the index page over https compared to ~1.5s
> over http. That said, I didn't repeat the test enough for those
> results to be considered statistically reliable.

Plus, the Great Firewall is already a giant MiTM, so forcing HTTPS
doesn't really prevent them from performing whatever content
filtering/tampering they want, anyway.

> Not everyone has a low latency, high bandwidth connection to the
> internet. We need to let the users decide if they want to pay the
> performance penalty for the benefits of https or not. We should not
> be assuming we know best for everyone.

What's a few three-legged handshakes between friends?

Hopefully TLSv1.3 will improve things for everyone. Well, unless they
are deployed in AWS (*ducks*).

-chris



Re: Enabling http to https redirects for tomcat.apache.org

Posted by Mark Thomas <ma...@apache.org>.
On 25/02/2020 20:45, Christopher Schultz wrote:
> Mark,
> 
> On 2/25/20 14:34, Mark Thomas wrote:
>> On 25/02/2020 15:53, Felix Schumacher wrote:
>>> Hi all,
>>>
>>> as more and more browsers are marking http as insecure, we
>>> should redirect all http requests to tomcat.apache.org to https.
> 
>> I really don't like this.
> 
>> I'm happy to support https for those people that want to use it but
>> I see no need to require https for everybody for
>> tomcat.apache.org.
> 
>> We should not be dictating to our users what security / privacy /
>> caching / performance / etc. trade-offs are appropriate for them.
>> We should support as many options as possible and let our users
>> decide.
> 
>> I'm not quite -1 on this but I am close.
> 
> https://www.troyhunt.com/heres-why-your-static-website-needs-https/

Sorry, not convinced. We need to let users make this choice.

The numbers are significant.

tomcat.apache.org from China can be significantly slower over https
compared to http. Typically 2 to 3 times slower in my testing with

https://www.websitepulse.com/tools/china-firewall-test#

3.5s to 8s to load the index page over https compared to ~1.5s over
http. That said, I didn't repeat the test enough for those results to be
considered statistically reliable.

Not everyone has a low latency, high bandwidth connection to the
internet. We need to let the users decide if they want to pay the
performance penalty for the benefits of https or not. We should not be
assuming we know best for everyone.

Mark






Re: Enabling http to https redirects for tomcat.apache.org

Posted by Romain Manni-Bucau <rm...@gmail.com>.
+1, with some light (1 month?) notice time in case anyone uses http directly
intentionally; it will avoid some security breaches http can get, in
particular on subdomains.

On Tue, 25 Feb 2020 at 21:45, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Mark,
>
> On 2/25/20 14:34, Mark Thomas wrote:
> > On 25/02/2020 15:53, Felix Schumacher wrote:
> >> Hi all,
> >>
> >> as more and more browsers are marking http as insecure, we
> >> should redirect all http requests to tomcat.apache.org to https.
> >
> > I really don't like this.
> >
> > I'm happy to support https for those people that want to use it but
> > I see no need to require https for everybody for
> > tomcat.apache.org.
> >
> > We should not be dictating to our users what security / privacy /
> > caching / performance / etc. trade-offs are appropriate for them.
> > We should support as many options as possible and let our users
> > decide.
> >
> > I'm not quite -1 on this but I am close.
>
> https://www.troyhunt.com/heres-why-your-static-website-needs-https/
>
> -chris

Re: Enabling http to https redirects for tomcat.apache.org

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 2/25/20 14:34, Mark Thomas wrote:
> On 25/02/2020 15:53, Felix Schumacher wrote:
>> Hi all,
>>
>> as more and more browsers are marking http as insecure, we
>> should redirect all http requests to tomcat.apache.org to https.
>
> I really don't like this.
>
> I'm happy to support https for those people that want to use it but
> I see no need to require https for everybody for
> tomcat.apache.org.
>
> We should not be dictating to our users what security / privacy /
> caching / performance / etc. trade-offs are appropriate for them.
> We should support as many options as possible and let our users
> decide.
>
> I'm not quite -1 on this but I am close.

https://www.troyhunt.com/heres-why-your-static-website-needs-https/

-chris



Re: Enabling http to https redirects for tomcat.apache.org

Posted by Mark Thomas <ma...@apache.org>.
On 25/02/2020 15:53, Felix Schumacher wrote:
> Hi all,
> 
> as more and more browsers are marking http as insecure, we should
> redirect all http requests to tomcat.apache.org to https.

I really don't like this.

I'm happy to support https for those people that want to use it but I
see no need to require https for everybody for tomcat.apache.org.

We should not be dictating to our users what security / privacy /
caching / performance / etc. trade-offs are appropriate for them. We
should support as many options as possible and let our users decide.

I'm not quite -1 on this but I am close.

Mark



