将HTTP重定向到Tomcat中的HTTPS:端口

时间:2022-05-16 15:15:25

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:

我有一个运行的tomcat应用程序,它已经有以下从HTTP到HTTPs的重定向规则:

<Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

Is it possible to add an exception/rule, that a specific HTTPrequest (http://www.example.com), will be redirected to another specific address , with a port specified (say https://www.example.com:8443/test), without changing/removing the above Connector ?

是否可以添加一个异常/规则,一个特定的HTTPrequest (http://www.example.com)将被重定向到另一个特定的地址,并指定一个端口(例如https://www.example.com:8443/test),而不更改/删除上面的连接器?

5 个解决方案

#1


8  

The connector configuration you shown does not redirect a specific URL in the way you suppose.

您所展示的连接器配置不会按照您所设想的方式重定向特定的URL。

That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.

如果您为servlet容器内的web应用程序配置了机密传输保证,则该配置将执行。

I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:

我的意思是,如果你在那个连接器上部署了任何应用,它的网络。xml描述符有如下安全约束:

<security-constraint>

    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    ...

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

</security-constraint>

Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.

然后,Tomcat将将任何匹配的url模式重定向到配置的端口,以便在传输中使用HTTPS作为保密性的保证书。

So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.

因此,如果要重定向特定的URL,必须使用特定的应用程序配置来补充连接器的配置。

Edit

As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.

正如您在评论中建议的那样,这可能是使配置工作的另一个步骤。如所示配置好http连接器之后,然后按照我告诉您的那样配置应用程序,您只需要确保Tomcat服务器配置了HTTPS连接器,否则重定向将不起作用。

To configure this HTTPS connector, you can use a configuration as following:

要配置此HTTPS连接器,可以使用以下配置:

<Connector connectionTimeout="20000"
    acceptCount="100" scheme="https" secure="true"
    port="443" clientAuth="false" sslProtocol="TLS"  
    keystoreFile="PATH_TO_KEY_STORE"  
    keystorePass="KEY_STORE_PASS"  
    keyAlias="KEY_STORE_ALIAS"/>  

This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.

这是一个示例配置,我没有将一些对您非常重要的属性作为线程吸引器、执行器等等。

The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.

最重要的是您需要为HTTPS连接提供的密钥存储配置。这里有准备Tomcat的java密钥存储库以服务HTTPS的官方文档。

#2


7  

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:

我有一个运行的tomcat应用程序,它已经有以下从HTTP到HTTPs的重定向规则:

As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

正如malaguna所回答的,连接器配置不是重定向规则。它只是在执行由 <传输-保证> 机密 触发的重定向时使用的设置。

There is no way to overwrite that setting on per-application basis.

没有办法在每个应用程序的基础上覆盖该设置。

If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.

如果您需要更好地控制这种重定向,您需要实现自己的过滤器,该过滤器将实现重定向(If (!request.isSecure()) {response.sendRedirect(…);}),或者配置第三方重定向。

// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.

//技术上,在当前的Tomcat 8代码中,传输保证触发的重定向由org.apache.catalina.realm.RealmBase.hasUserDataPermission(…)方法执行。

#3


2  

You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:

您可以在tomcat_dir/conf/web.xml的末尾添加到部署到tomcat的每个应用程序:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you requre authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

So you don't have to change it on the web.xml of your webapp.

所以你不需要在网上修改。xml应用。

That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:

假设您已经在另一个端口(通常是443)上使用了https,那么这应该是可行的。如果没有,请确保您的tomcat_dir/conf/server。xml是这样的:

<!-- Default tomcat connector, changed the redirectPortport from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig>
        <Certificate certificateKeyFile="/your/own/privkey.pem"
            certificateFile="/eyour/own/cert.pem"
            certificateChainFile="/your/own/chain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>

#4


0  

If you use tomcat with httpd, you can use RewriteEngine.

如果使用tomcat和httpd,可以使用RewriteEngine。

With port specified is like the followings in the http.conf:

对于指定的端口,类似于http.conf中的以下内容:

NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/
</VirtualHost>

See: RewriteHTTPToHTTPS and Redirect Request to SSL

参见:RewriteHTTPToHTTPS并将请求重定向到SSL。

#5


0  

        <Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>

        <Connector port="443" 
               SSLEnabled="true" 
               acceptCount="100" 
               disableUploadTimeout="true" 
               enableLookups="false" 
               maxHttpHeaderSize="8192" 
               maxThreads="550" 
               minSpareThreads="25"  
               scheme="https" 
               secure="true" 
               compression="on"
               protocol="org.apache.coyote.http11.Http11NioProtocol" 
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
                   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/> 
                   <SSLHostConfig protocols="TLSv1.2" 
                                  certificateVerification="none" 
                                  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
                                        <Certificate type="RSA" 
                                                     certificateKeystoreFile="/ssl/self-signed/your-keystore.jks" 
                                                     certificateKeystorePassword="123456" 
                                                     certificateKeyAlias="your-alias" /> 
                    </SSLHostConfig>
        </Connector>

#1


8  

The connector configuration you shown does not redirect a specific URL in the way you suppose.

您所展示的连接器配置不会按照您所设想的方式重定向特定的URL。

That configuration acts if you have configured a CONFIDENTIAL transport guarantee for a web application inside that servlet container.

如果您为servlet容器内的web应用程序配置了机密传输保证,则该配置将执行。

I mean, if you have deployed any application on that connector, where its web.xml descriptor has a security-constraint as follows:

我的意思是,如果你在那个连接器上部署了任何应用,它的网络。xml描述符有如下安全约束:

<security-constraint>

    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    ...

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

</security-constraint>

Then, Tomcat will redirect any matching url-pattern to the configured port in order to use HTTPS as guarantor of confidentiality in transport.

然后,Tomcat将将任何匹配的url模式重定向到配置的端口,以便在传输中使用HTTPS作为保密性的保证书。

So, if you want to redirect a specific URL, you have to complement connector's configuration with specific application configuration.

因此,如果要重定向特定的URL,必须使用特定的应用程序配置来补充连接器的配置。

Edit

As you suggest in your comment, it could be another step to get this configuration working. Once you have configured http connector as shown, and then configured app as I told you, you only to ensure that your Tomcat server has an HTTPS connector configured, other way redirection won't work.

正如您在评论中建议的那样,这可能是使配置工作的另一个步骤。如所示配置好http连接器之后,然后按照我告诉您的那样配置应用程序,您只需要确保Tomcat服务器配置了HTTPS连接器,否则重定向将不起作用。

To configure this HTTPS connector, you can use a configuration as following:

要配置此HTTPS连接器,可以使用以下配置:

<Connector connectionTimeout="20000"
    acceptCount="100" scheme="https" secure="true"
    port="443" clientAuth="false" sslProtocol="TLS"  
    keystoreFile="PATH_TO_KEY_STORE"  
    keystorePass="KEY_STORE_PASS"  
    keyAlias="KEY_STORE_ALIAS"/>  

This is a sample configuration where I didn't put some attributes that can be important for you as threads attrs, executors, and so on.

这是一个示例配置,我没有将一些对您非常重要的属性作为线程吸引器、执行器等等。

The most important thing is the KeyStore configuration that you need to serve HTTPS connections. Here you have the official documentation to prepare a java KeyStore for Tomcat to serve HTTPS.

最重要的是您需要为HTTPS连接提供的密钥存储配置。这里有准备Tomcat的java密钥存储库以服务HTTPS的官方文档。

#2


7  

I have a running tomcat application that already have the following redirection rule from HTTP to HTTPs:

我有一个运行的tomcat应用程序,它已经有以下从HTTP到HTTPs的重定向规则:

As malaguna answered, that Connector configuration is not a redirection rule. It is just a setting that is used when performing redirection triggered by <transport-guarantee>CONFIDENTIAL</transport-guarantee>.

正如malaguna所回答的,连接器配置不是重定向规则。它只是在执行由 <传输-保证> 机密 触发的重定向时使用的设置。

There is no way to overwrite that setting on per-application basis.

没有办法在每个应用程序的基础上覆盖该设置。

If you need better control over such redirection, you need to implement your own Filter that will implement a redirection (if (!request.isSecure()) { response.sendRedirect(...);}), or configure a 3rd party one.

如果您需要更好地控制这种重定向,您需要实现自己的过滤器,该过滤器将实现重定向(If (!request.isSecure()) {response.sendRedirect(…);}),或者配置第三方重定向。

// Technically, in current Tomcat 8 code the redirection triggered by transport-guarantee is performed by org.apache.catalina.realm.RealmBase.hasUserDataPermission(...) method.

//技术上,在当前的Tomcat 8代码中,传输保证触发的重定向由org.apache.catalina.realm.RealmBase.hasUserDataPermission(…)方法执行。

#3


2  

You can do it to every app deployed to tomcat by adding this to the end of tomcat_dir/conf/web.xml:

您可以在tomcat_dir/conf/web.xml的末尾添加到部署到tomcat的每个应用程序:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you requre authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

So you don't have to change it on the web.xml of your webapp.

所以你不需要在网上修改。xml应用。

That should work, assuming you already have https working in another port (usually 443). If you don't, make sure your tomcat_dir/conf/server.xml looks like this:

假设您已经在另一个端口(通常是443)上使用了https,那么这应该是可行的。如果没有,请确保您的tomcat_dir/conf/server。xml是这样的:

<!-- Default tomcat connector, changed the redirectPortport from 8443 to 443 -->
<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

<!-- To make https work on port 443 -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig>
        <Certificate certificateKeyFile="/your/own/privkey.pem"
            certificateFile="/eyour/own/cert.pem"
            certificateChainFile="/your/own/chain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>

#4


0  

If you use tomcat with httpd, you can use RewriteEngine.

如果使用tomcat和httpd,可以使用RewriteEngine。

With port specified is like the followings in the http.conf:

对于指定的端口,类似于http.conf中的以下内容:

NameVirtualHost *:8443 #your specified port
<VirtualHost *:8443>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/
</VirtualHost>

See: RewriteHTTPToHTTPS and Redirect Request to SSL

参见:RewriteHTTPToHTTPS并将请求重定向到SSL。

#5


0  

        <Connector connectionTimeout="20000" port="8081" protocol="HTTP/1.1" redirectPort="443"/>

        <Connector port="443" 
               SSLEnabled="true" 
               acceptCount="100" 
               disableUploadTimeout="true" 
               enableLookups="false" 
               maxHttpHeaderSize="8192" 
               maxThreads="550" 
               minSpareThreads="25"  
               scheme="https" 
               secure="true" 
               compression="on"
               protocol="org.apache.coyote.http11.Http11NioProtocol" 
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
                   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/> 
                   <SSLHostConfig protocols="TLSv1.2" 
                                  certificateVerification="none" 
                                  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
                                        <Certificate type="RSA" 
                                                     certificateKeystoreFile="/ssl/self-signed/your-keystore.jks" 
                                                     certificateKeystorePassword="123456" 
                                                     certificateKeyAlias="your-alias" /> 
                    </SSLHostConfig>
        </Connector>