Posted to users@tomcat.apache.org by Yanhua Wusands <ya...@advance-auto.com> on 2022/08/31 15:10:28 UTC

RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

<Connector port="8080" protocol="HTTP/1.1"
    acceptorThreadCount="2"
    acceptCount="20"
    maxConnections="200"
    maxThreads="200"
    minSpareThreads="10"
    scheme="https"
    proxyPort="443"
    redirectPort="8443"
 />

    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->



-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Wednesday, August 31, 2022 11:03 AM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

On 31/08/2022 15:36, Yanhua Wusands wrote:
> We are using TOMCAT 9.0.40 on linux, and are trying to set up Strict-Transport-Security per a requirement from our security team.
>
> We followed this note:
> https://knowledge.broadcom.com/external/article/226769/enable-http-strict-transport-security-hs.html
>
> Changed $CATALINA_HOME/conf/web.xml
>
> With:
>
>     <filter>
>         <filter-name>httpHeaderSecurity</filter-name>
>         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>         <async-supported>true</async-supported>
>         <init-param>
>             <param-name>hstsEnabled</param-name>
>             <param-value>true</param-value>
>         </init-param>
>         <init-param>
>             <param-name>hstsMaxAgeSeconds</param-name>
>             <param-value>31556927</param-value>
>         </init-param>
>     </filter>
>
> And uncommented:
>     <filter-mapping>
>         <filter-name>httpHeaderSecurity</filter-name>
>         <url-pattern>/*</url-pattern>
>         <dispatcher>REQUEST</dispatcher>
>     </filter-mapping>
>
> After we restarted TOMCAT APACHE, we still couldn't see Strict-Transport-Security using the following curl cmd:
>
> curl -i -s https://finerp-apps-dev02.test.advanceauto.cloud/ords/apex_ext/r/advance-supplier-portal/home | grep -i Strict-Transport-Security
>
> I am reaching out to see if there are any additional steps that need to be done for setting up this security flag.

Please provide the Connector element(s) (with sensitive data like passwords masked) from your $CATALINA_BASE/conf/server.xml file.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

Posted by Yanhua Wusands <ya...@advance-auto.com>.
> Is it true that all traffic seen by Tomcat must have been sent over TLS between the user agent and AWS LB?

Yes, that is true, at least it is my understanding...



Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

Posted by Mark Thomas <ma...@apache.org>.
On 31/08/2022 17:39, Yanhua Wusands wrote:
> You are right, Tomcat is sitting behind an AWS LB where SSL is enabled; once it is past that, Tomcat is set up to listen on 8080.
> If I understand you correctly, we will need to set up SSL in Tomcat as well in order to have HSTS working, is that right?

No. That is not correct.

There are several options at this point. We need more information to 
identify the best one.

Is it true that all traffic seen by Tomcat must have been sent over TLS 
between the user agent and AWS LB?

Mark



RE: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

Posted by Yanhua Wusands <ya...@advance-auto.com>.
You are right, Tomcat is sitting behind an AWS LB where SSL is enabled; once it is past that, Tomcat is set up to listen on 8080.
If I understand you correctly, we will need to set up SSL in Tomcat as well in order to have HSTS working, is that right?



Re: [EXTERNAL] Re: How to setup Strict-Transport-Security in TOMCAT

Posted by Mark Thomas <ma...@apache.org>.
You don't have any TLS connectors configured so the HSTS filter isn't 
going to do anything.

Given you access the server via port 443 but Tomcat is only listening on 
port 8080 you must have a reverse proxy configured somewhere that is 
likely terminating the TLS.

You need to configure HSTS wherever the TLS is being terminated.

As an aside, you need to be *very* careful proxying secure traffic to an 
HTTP connector on Tomcat. I trust that you have the appropriate 
configuration in place (typically the RemoteIpValve) to ensure that 
Tomcat can correctly identify which traffic has been received via a 
secure channel and which via an insecure channel.

Mark


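Added example, not part of the thread and not code from any of the participants or from Tomcat's shipped server.xml. The reason the filter stays silent in the topology above is that HttpHeaderSecurityFilter only sets Strict-Transport-Security when hstsEnabled is true AND request.isSecure() is true; a request that arrives on a plain HTTP connector reports isSecure() == false, and neither scheme="https" nor proxyPort="443" on the Connector changes that. The fragment below shows the two ways Tomcat itself can be told the truth about the transport, with the choice between them hanging on Mark's question of whether every request Tomcat sees came over TLS at the load balancer. Assumptions, labelled in the comments: the AWS LB is an ALB or classic ELB HTTPS listener that forwards to Tomcat over plain HTTP on 8080 and sets X-Forwarded-Proto and X-Forwarded-For; the LB's private addresses fall in 10.0.0.0/8 (a placeholder range, to be replaced with the real one). Only one of the two Connector elements would exist in a real file.

```xml
<!-- $CATALINA_BASE/conf/server.xml, added example (not the original poster's
     file, not Tomcat's default). Assumed topology: AWS LB terminates TLS,
     forwards plain HTTP to port 8080 and sets X-Forwarded-Proto /
     X-Forwarded-For; LB private addresses are in 10.0.0.0/8 (placeholder). -->

<!-- Option A: valid ONLY if every request that can reach this connector came
     through the LB's TLS listener (no plain-HTTP listener on the LB, no direct
     path to the instance). secure="true" makes request.isSecure() return true
     for every request on this connector, which is the condition the
     HttpHeaderSecurityFilter checks before it adds Strict-Transport-Security.
     A plain-HTTP request that somehow reaches 8080 would also be reported as
     secure, so this option is unsafe if any such path exists. -->
<Connector port="8080" protocol="HTTP/1.1"
           acceptCount="20"
           maxConnections="200"
           maxThreads="200"
           minSpareThreads="10"
           scheme="https"
           secure="true"
           proxyPort="443"
           redirectPort="8443" />

<!-- Option B: the transport is decided per request from the proxy's header.
     Leave secure, scheme and proxyPort at their defaults on the connector; the
     RemoteIpValve sets them from X-Forwarded-Proto, and only when the
     immediate peer address matches internalProxies. A client that reaches
     8080 directly from outside that range has its X-Forwarded-* headers
     ignored, so it cannot spoof "https" and will not see the HSTS header
     (nor be treated as a secure request anywhere else in Tomcat). -->
<Connector port="8080" protocol="HTTP/1.1"
           acceptCount="20"
           maxConnections="200"
           maxThreads="200"
           minSpareThreads="10"
           redirectPort="8443" />

<Engine name="Catalina" defaultHost="localhost">
  <!-- Placed at Engine level so it runs before any Host or Context valve and
       before the servlet filter chain. internalProxies is a regex over the
       immediate peer address; 10.0.0.0/8 here is an assumed placeholder. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https"
         httpServerPort="80"
         httpsServerPort="443"
         internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}" />

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
</Engine>
```

The httpHeaderSecurity filter and filter-mapping from the original web.xml stay exactly as posted; nothing there needs to change. To check the result through the LB: `curl -sI https://<host>/<path> | grep -i strict-transport-security` should now print the header with max-age=31556927. The check that matters for Option B is the negative one: from a machine whose address is outside internalProxies, `curl -sI -H 'X-Forwarded-Proto: https' http://<tomcat-host>:8080/<path>` must NOT return the header; if it does, the internalProxies range is wider than the set of addresses the LB actually connects from, and any client in that range can make Tomcat believe an insecure request was secure.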