Posted to users@tomcat.apache.org by Reynir Hübner <re...@hugsmidjan.is> on 2002/07/17 13:28:58 UTC
RE: Redirecting HTTP -> HTTPS
This is strange, why are you sending requests with my name (in the from address of this email)?
-reynir@hugsmidjan.is
> -----Original Message-----
> From: Reynir Hübner [mailto:packsf@excite.com]
> Sent: 17. júlí 2002 11:27
> To: tomcat-user@jakarta.apache.org
> Subject: Redirecting HTTP -> HTTPS
>
>
>
> Hello all,
>
> Have any of you experienced Tomcat changing the *domain name*
> of the request to "localhost" when you're trying to
> automatically redirect from HTTP to HTTPS? We know that it's
> supposed to change the protocol and the port, but the domain as well?
>
> Here's the situation:
> I have a directory ("db") on my site (for the sake of this
> email, "www.mysite.com") that I want to protect using SSL.
> Additionally, I need any wayward HTTP requests to this
> directory to be automatically redirected to HTTPS to ensure
> that they are SSL-encrypted.
>
> To set this up, I followed the SSL Configuration How-To,
> created the keystore, and generated a private key. I then
> edited /conf/server.xml and /WEB-INF/web.xml (details below)
> to automatically redirect those certain HTTP requests over to
> HTTPS. Finally, I restarted Tomcat.
>
> Now when I reference my HTTPS URL *directly*, SSL kicks in,
> the browser padlock is locked, and everything works great:
> https://www.mysite.com:8443/db/index.jsp
>
> As I stated, however, I've configured the HTTP request:
> http://www.mysite.com:8080/db/index.jsp
>
> To automatically redirect to that HTTPS URL from above:
> https://www.mysite.com:8443/db/index.jsp
>
> BUT, for some reason, Tomcat is changing the domain to LOCALHOST:
> https://localhost:8443/db/index.jsp
>
> So... basically, Tomcat's got it about 80% right. The
> protocol and port were successfully redirected (http 8080 ->
> https 8443), but the domain was changed. This instance of
> Tomcat is on a remote machine, *NOT* my local machine, so
> localhost fails. My question -- why would Tomcat be changing
> the server name in such a way?
>
>
> FYI, here is the relevant code from conf/server.xml:
> ---------------------------------
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> ---------------------------------
>
>
> Here is the relevant code from web.xml:
> ---------------------------------
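> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Secure SSL Access</web-resource-name>
>     <url-pattern>/db/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>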
> ---------------------------------
>
> Note that I have:
> * uncommented the SSL connector
> * properly set the HTTP connector's redirectPort to SSL's 8443
> * changed the Engine's defaulthost to www.mysite.com
> * changed the Host's name to www.mysite.com
> * set the url-pattern match to /db/* in web.xml
> * added the CONFIDENTIAL transport-guarantee
>
> Nothing really extraordinary here. Moreover, a grep for
> "localhost" in both of these files returns zero results. I'm
> just not sure where it's coming from ... especially when
> Tomcat seems to be doing everything *else* correctly here.
>
> Any ideas? Thanks in advance!!
>
> -Steve Baker
>
>
> p.s. Performing a brute force solution such as:
> --------------------
> if (request.getScheme().equals("http")) {
>     // oops! response.sendRedirect() to the https URL instead.
> }
> --------------------
> ... at the top of every .jsp in my HTTPS-only directory isn't
> going to be the right choice for this particular project. I
> will eventually employ that as a backup to ensure security,
> but I don't wish to go with that as my first line of defense...
>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
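
Added example, not part of the original thread and not Tomcat's own code: the per-JSP scheme check from the p.s. done once in a servlet filter mapped to /db/*, with the redirect host taken from configuration instead of from the request, so the target cannot come out as "localhost". The class name ForceHttpsFilter and the init-params httpsHost and httpsPort are hypothetical; the javax.servlet Filter API is assumed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the name and init-params are assumptions for this example.
// Map it to /db/* in web.xml so every resource under the directory is covered.
public class ForceHttpsFilter implements Filter {
    private String httpsHost;   // e.g. www.mysite.com, from init-param "httpsHost"
    private int httpsPort;      // e.g. 8443, from init-param "httpsPort"

    public void init(FilterConfig config) throws ServletException {
        httpsHost = config.getInitParameter("httpsHost");
        String port = config.getInitParameter("httpsPort");
        if (httpsHost == null || port == null) {
            throw new ServletException("httpsHost and httpsPort init-params are required");
        }
        httpsPort = Integer.parseInt(port);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.isSecure()) {
            chain.doFilter(req, res);   // already arrived over the SSL connector
            return;
        }
        // Build the target from configured values only. The host never comes
        // from the request, so a wrong or forged server name cannot steer it.
        StringBuilder target = new StringBuilder("https://").append(httpsHost);
        if (httpsPort != 443) {
            target.append(':').append(httpsPort);
        }
        target.append(request.getRequestURI());   // includes the context path
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }

    public void destroy() { }
}
```

A redirect only moves the follow-up request to HTTPS; whatever the client sent in the first plain-HTTP request (including a POST body, which is dropped by the redirect) has already crossed the wire unencrypted.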