How do I disable port 80 for certain URLs

Hi all,

I'm Running Apachec Tomcat 5.5 and I'm wondering if it's possible to disable port 80 for certain URLs only - that is, not just commenting out the <Connector .... > for port 80 and thus disable it globally. My apache tomcat server hosts up a landing page (http://youarehere.domain). On this landing page there are two links - one to https://link1.domain/login.do, the other to https://link1.domain/loginhere.do. However, we see that we can still manually type in http://link1.domain/login.do and http://link1.domain/loginhere.do and they work as well. We want to disable HTTP for these links that we have the SSL certs applied to while at the same type, leaving the landing page as an http site. Is this possible?

If not, how do I do a redirect for these HTTP sites? I've managed to config the web.xml file to get http://link1.domain redirected https://link1.domain but it also tries to redirect the landing page as well, which we don't want. I think it's just a matter of getting the syntax correct for the <url-pattern> section but I can't seem to get it right.

Any info on this would be greatly appreciated.

Thanks everyone.

You cannot selectively disable a tcp/ip port. You can firewall it and you can suppress data coming in to the port, but as long as the port is open and listening, it will receive network traffic. A port is simply a place to send data to and has no inherent interest in what the format or content of that data is. Any URL filtering would have to be done by the receiving software.

It sounds like you're using Yet Another DIY security system and once again demonstrating why most people shouldn't attempt to do so. One of the most common ways to defeat DIY security systems is to simply ignore the expected URL sequences and directly request URLs that are past the security checkpoints.

As far as "authorized" URLs go, from the Tomcat server's point of view, there is no difference between a URL requested from a page link and a URL entered directly in a browser navigation bar. Only the client knows which it did, and generally speaking, the client software doesn't much care, either.

So you can block URLs using Tomcat valves, but if you do so, it will block them in all cases, not just in cases where users entered the URLs manually.

Thanks for the information Tim. I'm pretty new to Tomcat and this has been thrown my way. I'm more familiar with IIS (don't hate me for it )

I'll look into using Valves to block the http:// requests. That will most likely take care of what we want to accomplish.

Cheers!

Hi Tim,

Can you offer up and advise on what Valves to use? I've done some testing with different Valves and looked at the Tomcat documentation but I cannot find anything that is working for me.
Any information would be appreciated.

Thanks

Sorry. I front Tomcat with Apache and let Apache do that kind of stuff. I think you'd probably have to write a custom Valve otherwise.