Tomcat HTTP to HTTPS redirect with VIP issue

PankajKumar jaiswal
Greenhorn

Joined: Aug 13, 2006
Posts: 17
Hi Friends,

We have one VIP server that redirects the request to one of the two Tomcat instances. Now we have to automatically redirect HTTP requests to HTTPS. So I searched online and configured a security constraint in the Tomcat web.xml file. Now the issue is that it's working fine if we hit the Tomcat server directly but not through VIP.

VIP Configuration:

http://vip.abc.com > redirects it to one of the two instances 8080 (Both tomcat are on different servers)

https://vip.abc.com > redirects it to one of the two instances 8443 (Both tomcat are on different servers)

Now the problem is that when we hit http://vip.abc.com, it hits one of the tomcat instances that redirects it to port 8443 and URL changes to https://vip.abc.com:8443 but since it's not configured to forward it to any of the tomcat, it's not working.

Resolution: The simple resolution can be to change the forward ports to 443 in Tomcat, so that it will hit the https://vip.abc.com and work fine but we are not allowed to use this default port. Is there any other work around for this issue?

If somehow we can redirect to https://vip.abc.com rather than port 443 then the problem will be solved. Any help will be appreciated.

Regards,
Pankaj
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16095

This is one of those questions that I don't fully understand, but I'll throw out some general information in the hopes that it will help.

First, an observation: If you have traffic coming in on the "http" protocol, it's unencrypted, and therefore unsecure. That means that anyone along the route from client to server can use simple diagnostic tools to see both what's being sent and what's being received. It's far more common to use HTTPS on the outside and HTTP on the inside than the other way around.

I'm not familiar with VIP. However if it's anything like the load-balancing systems I'm familiar with, you should be able to set up a pair of rules, one of which distributes traffic coming in on Port 80 and forwards to one of several URLs which would presumably be something like "tomcat1:8080", "tomcat2:8080", and so forth. Likewise a second rule for forwarding traffic on Port 443 to "tomcat1:8443" and so forth.

Note that whether or not you explicitly code a port shouldn't matter, since anytime you code an HTTP URL and don't give a port number, it's going to route it to the destination server's Port 80 and anytime you code an HTTPS URL and don't give a port number, it's going to route it to port 443. The only time that this is likely to be a problem is in cases where something's matching on a character-by-character basis instead of intelligently matching the URL. And even then, unless you're not including the protocol ID ("http:", "https:") there's no ambiguity.


Customer surveys are for companies who didn't pay proper attention to begin with.
PankajKumar jaiswal
Greenhorn

Joined: Aug 13, 2006
Posts: 17
Hi Tim,

VIP is a kind of load balancer tool and I fully understand that if we can redirect it to 443 then the problem will get resolved but we don't have permission to use 443 port (some other apps are using that). Also the team managing VIP servers will take time to do this mapping (redirecting 8443 requests to tomcat 8443 ports), so I was thinking of any alternative through tomcat to redirect all the HTTP requests automatically to VIP HTTPS port rather than redirecting it to some other port.

The question is still open, any help appreciated.

Regards,
Pankaj
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10145


Now the problem is that when we hit http://vip.abc.com, it hits one of the tomcat instances that redirects it to port 8443 and URL changes to https://vip.abc.com:8443 but since it's not configured to forward it to any of the tomcat, it's not working.

Resolution: The simple resolution can be to change the forward ports to 443 in Tomcat, so that it will hit the https://vip.abc.com and work fine but we are not allowed to use this default port. Is there any other work around for this issue?

If somehow we can redirect to https://vip.abc.com rather than port 443 then the problem will be solved. Any help will be appreciated.


I am not sure I understand this completely. You say the problem will be resolved if Tomcat, instead of redirecting the request to 8443, would redirect it to 443. And a few sentences later, you say that you are not allowed to use 443.

By the way, check the description of "redirectPort" in the Tomcat Connector documentation. That might be what you are looking for.

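Added example, not part of any post in this thread: a sketch of the `redirectPort` setting mentioned above, next to the `web.xml` constraint that triggers the redirect. It assumes the VIP already forwards `https://vip.abc.com` (port 443) to the Tomcat instances on 8443, as described in the first post; the resource name and URL pattern are illustrative.

```xml
<!-- Added example: fragments of two separate files, not one document. -->

<!-- WEB-INF/web.xml: any plain-HTTP request matching the pattern is
     answered with a redirect to HTTPS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/server.xml, before: the redirect target is Tomcat's own HTTPS
     port, so the browser is sent to https://vip.abc.com:8443, which the
     VIP has no forwarding rule for. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />

<!-- conf/server.xml, after: redirectPort only sets the port used in the
     redirect URL; Tomcat does not listen on it. With 443 (the HTTPS
     default port) the browser goes to the VIP's existing HTTPS rule,
     which forwards to 8443 on one of the instances. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />

<!-- The existing HTTPS connector on port 8443 and its certificate
     settings stay exactly as already deployed. -->
```

With this change, requesting `http://vip.abc.com/` should return a 302 whose `Location` header points at the VIP over HTTPS with no `:8443` in it; hitting a Tomcat instance directly on 8080 will now also redirect to port 443 of that host.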
PankajKumar jaiswal
Greenhorn

Joined: Aug 13, 2006
Posts: 17
Hi Jaikiran,

As I mentioned earlier, we can't use port 443 in our tomcat servers, otherwise the problem would have been resolved itself.

Let me explain the flow: when any request comes on VIP server (default port 80) it redirects it to one of the tomcat servers 8080, but because of security options we are redirecting it to 8443, so the same request is sent to VIP server 8443 port that is not configured for any redirect and hence the error message.

Now if we were able to forward it to 443 instead of 8443, it would have used the existing forwarding logic of VIP and forwarded it to one of the servers and worked fine.

New redirect mapping in VIP is one solution but it will take time, so I am looking for an alternative.

As an alternative if we can forward all the HTTP requests on port 8080 of tomcat server to the HTTPS URL of VIP, it will solve the problem.

I hope the things will be clear now.
Manjay Dasaundhi
Greenhorn

Joined: Mar 08, 2013
Posts: 1
Hi Pankaj,

I am having the same kind of issue with IIS server. Actually my issue is users are giving VIP an HTTPS request https://Vip/default.aspx. But the user is getting the response in HTTP.

Issue might be because VIP and boxes under VIP are communicating via HTTP and responses are coming in HTTP from boxes.

And I can't make any change in VIP. So can you please suggest some solution without changing anything in VIP.

Thanks in advance.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16095

Welcome to the JavaRanch, Manjay!

We would prefer that instead of resurrecting long-dead threads that you start your own new thread. It makes it easier for people to tell what's going on.

Actually, thinking about this sort of problem (again), I realized that unless Tomcat is also receiving direct Internet requests, there's no point in doing both HTTP and HTTPS. If your intranet is secure, you can do HTTP between the VIP proxy server - I'm assuming that VIP is doing a proxy/load-balance sort of thing. If you are truly paranoid, set up VIP to only use HTTPS to the Tomcat server. Or an encrypted VPN channel or something like that.

For major Internet webapps, Tomcat better not be connected straight to the Internet. In order to listen on Port 80 on most OS's, Tomcat would have to be running under a privileged user ID, which is a security risk. So the more common practice is to route to Tomcat via some sort of proxy service such as Apache HTTP or VIP.