Posted to users@tomcat.apache.org by Deepti Sharma S <de...@ericsson.com.INVALID> on 2023/01/16 05:57:53 UTC

Query: HSTS | Tomcat 9.0.50

Hello Team,

Can you please help us with the query below:

Query: How to enable HSTS in Apache Tomcat on non-default ports?
We have custom ports for http and https and we want to enable HSTS on those custom ports.

Note: We could see HSTS working with the default ports 80/443, though it's not working on other custom ports. Please let us know if there are different steps to enable HSTS on non-default ports.



Regards,
Deepti Sharma
PMP(r) & ITIL

Re: Query: HSTS | Tomcat 9.0.50

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Deepti,

On 1/16/23 23:00, Deepti Sharma S wrote:
> 1. There is no reverse proxy in between tomcat and UA in my use case.
> 2. In Tomcat/conf/server.xml I have below connector settings :
> 
> <Connector executor="tomcatThreadPool"
>             port="8080" protocol="HTTP/1.1"
>             connectionTimeout="20000"
>             redirectPort="8443" />
> 
>   
> 
> When I configure HSTS in Tomcat/conf/web.xml and try to access
> website via HTTPS https://[domain]:8443, HSTS header is returned but
> ignored
If the HSTS header is returned, that's all Tomcat can do.

> as in when I change URL to http://[domain]:8080 URL is not changed to secured URL.
> 
> 3. When I change conf/server.xml with below connector settings along with HSTS :
> 
> <Connector executor="tomcatThreadPool"
>             port="80" protocol="HTTP/1.1"
>             connectionTimeout="20000"
>             redirectPort="443" />
> 
> Try to access website via HTTPS https://[domain]:433 URL is changed 
> to https://[domain], HSTS header is returned and honoured as in when
> I change URL to http://[domain]:80 URL is changed to secured URL
> https://[domain].
> 
> So my query is how to configure HSTS on explicit custom ports(like in
> my case mentioned in point 2 8080/8443) or what is the
> recommendation, please suggest?
I wonder if browsers are not sensitive to the port number being used for 
HTTPS. The HSTS header is intended to tell the browser "only use HTTPS 
on this site" but it does allow a port number to be specified. The 
browser *could* retain the port number as well, but that might not be 
correct or it may not be a part of the spec.

I'm sorry, I'm not familiar enough with the spec to know whether this 
could be a problem or not, but it seems plausible.

But if Tomcat is returning the HSTS header as expected, there isn't 
really any more that you can do.

Thanks,
-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Query: HSTS | Tomcat 9.0.50

Posted by Olaf Kock <to...@olafkock.de>.
On 17.01.23 13:09, Olaf Kock wrote:
>
> On 17.01.23 11:45, Deepti Sharma S wrote:
>> Hello,
>>
>> I have tried with both Chrome and Mozilla in private window where 
>> information is not cached. HSTS is not working on custom ports.
>>
> I'm not confident that HSTS is among those cached values that are not 
> shared between normal and incognito mode.
>
> Try curl -v
>
> As far as I know, curl does not save any HSTS state anywhere.
>
> Thomas' suggestion makes the most sense: Once your browser knows 
> positively that it absolutely must connect through https on port 443, 
> I can easily imagine it never even to attempt to try 8080.

I should have edited ^ this after adding the specs from RFC 6797: Once 
the browser knows that it *must* use https for this host, it will not 
connect through http, no matter which port. The browser keeps records of 
this by domain name, not by name/port.


> Also, according to the specs: The browser will - under no 
> circumstances - connect to your host through http.
>
> The specs say:
>
> The UA MUST replace the URI scheme with "https" [RFC2818], and if the 
> URI contains an explicit port component of "80", then the UA MUST 
> convert the port component to be "443", or if the URI contains an 
> explicit port component that is not equal to "80", the port component 
> value MUST be preserved; otherwise, if the URI does not contain an 
> explicit port component, the UA MUST NOT add one. NOTE: These steps 
> ensure that the HSTS Policy applies to HTTP over any TCP port of an 
> HSTS Host.
>
> So, if you connect to 8080 from your browser, your browser would try 
> to speak https to port 8080 if it has already seen the HSTS header 
> before.
>
>
> Olaf
>
>



Re: Query: HSTS | Tomcat 9.0.50

Posted by Olaf Kock <to...@olafkock.de>.
On 17.01.23 11:45, Deepti Sharma S wrote:
> Hello,
>
> I have tried with both Chrome and Mozilla in private window where information is not cached. HSTS is not working on custom ports.
>
I'm not confident that HSTS is among those cached values that are not 
shared between normal and incognito mode.

Try curl -v

As far as I know, curl does not save any HSTS state anywhere.

Thomas' suggestion makes the most sense: Once your browser knows 
positively that it absolutely must connect through https on port 443, I 
can easily imagine it never even to attempt to try 8080.

Also, according to the specs: The browser will - under no circumstances 
- connect to your host through http.

The specs say:

The UA MUST replace the URI scheme with "https" [RFC2818], and if the 
URI contains an explicit port component of "80", then the UA MUST 
convert the port component to be "443", or if the URI contains an 
explicit port component that is not equal to "80", the port component 
value MUST be preserved; otherwise, if the URI does not contain an 
explicit port component, the UA MUST NOT add one. NOTE: These steps 
ensure that the HSTS Policy applies to HTTP over any TCP port of an HSTS 
Host.

So, if you connect to 8080 from your browser, your browser would try to 
speak https to port 8080 if it has already seen the HSTS header before.


Olaf
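As an added illustration of the RFC 6797 rules Olaf quotes in his two messages above (this is constructed example code, not part of the thread and not Tomcat code), the Python below simulates a user agent's known-HSTS-host store: the header is only recorded when it arrives over https, the store is keyed by host name rather than host and port, and an http URI with an explicit non-80 port keeps that port when rewritten. The host name app.example and the headers are constructed; the scenario function mirrors the 8080/8443 setup from the thread.

```python
"""Simulated RFC 6797 user agent (constructed illustration, not Tomcat code).
Section 8.1: the header only creates a known-HSTS-host entry over https.
Section 8.3: http becomes https, explicit port 80 becomes 443, any other
explicit port is preserved, and no port is added when the URI had none."""
import re
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Known-HSTS-host cache keyed by host name only, never by port."""

    def __init__(self):
        self.hosts = {}  # host name -> includeSubDomains flag

    def observe(self, response_url, headers):
        """Record a policy from a response. Returns True if an entry was stored."""
        parts = urlsplit(response_url)
        sts = headers.get("Strict-Transport-Security")
        if sts is None or parts.scheme != "https" or parts.hostname is None:
            return False  # over plain http the header MUST be ignored
        match = re.search(r'max-age\s*=\s*"?(\d+)"?', sts, re.IGNORECASE)
        if match is None:
            return False  # no max-age: not a valid policy
        if int(match.group(1)) == 0:
            self.hosts.pop(parts.hostname, None)  # max-age=0 removes the policy
            return False
        self.hosts[parts.hostname] = bool(re.search("includeSubDomains", sts, re.IGNORECASE))
        return True

    def is_known(self, host):
        """Exact match, or a superdomain entry that carries includeSubDomains."""
        if host in self.hosts:
            return True
        labels = host.split(".")
        return any(self.hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def rewrite(self, url):
        """Apply the section 8.3 rewrite; returns the URL the UA will actually fetch."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url  # not http, or host not known: leave the URL untouched
        if parts.port == 80:
            netloc = f"{parts.hostname}:443"
        elif parts.port is not None:
            netloc = f"{parts.hostname}:{parts.port}"  # 8080 stays 8080: https is tried there
        else:
            netloc = parts.hostname
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def thread_scenario():
    """The thread's setup: http on 8080, https on 8443; app.example is a constructed name."""
    store = HstsStore()
    policy = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    store.observe("http://app.example:8080/", policy)   # ignored: received over http
    before = store.rewrite("http://app.example:8080/")  # still plain http
    store.observe("https://app.example:8443/", policy)  # recorded: received over https
    after = store.rewrite("http://app.example:8080/")   # https on 8080, never 8443
    return before, after


if __name__ == "__main__":
    print(thread_scenario())
```

The rewritten URL https://app.example:8080/ is what the browser fetches, and since 8080 is the plaintext connector that connection fails; nothing in the policy ever points the browser at 8443.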


RE: Query: HSTS | Tomcat 9.0.50

Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello,

I have tried with both Chrome and Mozilla in private window where information is not cached. HSTS is not working on custom ports.


Regards,
Deepti Sharma 
PMP(r) & ITIL 


AW: Query: HSTS | Tomcat 9.0.50

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello,

Which browser are you using?
Can you clear the hsts information in the browser after changing the port in your configuration?
I think browsers cache the HSTS and port information and don't switch to other ports with HSTS.


Greetings, Thomas


RE: Query: HSTS | Tomcat 9.0.50

Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hi Olaf,

Let me explain more about my use case:

1. There is no reverse proxy in between Tomcat and the UA in my use case.
2. In Tomcat/conf/server.xml I have the connector settings below:

<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

When I configure HSTS in Tomcat/conf/web.xml and try to access the website via HTTPS at https://[domain]:8443, the HSTS header is returned but ignored, as in when I change the URL to http://[domain]:8080 the URL is not changed to the secured URL.

3. When I change conf/server.xml to the connector settings below, along with HSTS:

<Connector executor="tomcatThreadPool"
           port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

Trying to access the website via HTTPS at https://[domain]:433, the URL is changed to https://[domain]; the HSTS header is returned and honoured, as in when I change the URL to http://[domain]:80 the URL is changed to the secured URL https://[domain].

So my query is how to configure HSTS on explicit custom ports (like in my case mentioned in point 2, 8080/8443), or what is the recommendation? Please suggest.


Regards,
Deepti Sharma
PMP® & ITIL



Re: Query: HSTS | Tomcat 9.0.50

Posted by Olaf Kock <to...@olafkock.de>.
On 16.01.23 06:57, Deepti Sharma S wrote:
> Hello Team,
>
> Can you please help us for below query:
>
> Query : How to enable HSTS in Apache Tomcat on non-default ports?
>       We have custom ports for http and https and we want to enable HSTS on those custom ports.
>
> Note: We could see HSTS is working with default ports 80/443 though it's not working on other custom ports, please let us know if there are different steps to enable HSTS on non-default ports.
>
In order to "work", HSTS *must* be on https, by specification.

When you say you got it working on 80/443, you haven't. You might see 
the headers, but it's not working. Most likely the header is ignored by 
the browser.

Wherever you handle your https termination - that might be on Tomcat, 
or on a reverse proxy that sees traffic before Tomcat does - you'll best 
do the HSTS handling. /That/ server knows it's serving https. And there 
the header actually is valid and working.

If you try to configure an http (not https) connector on Tomcat for 
adding the HSTS headers, it's well within the specification to ignore 
that setting.

Technically you can do some trickery around that, but to make that 
sensible and safe would take more than a quick answer. And leave room 
for misinterpretation and configuration mistakes. So: configure it 
anywhere you terminate https, and ignore it on http.

Olaf


