无法将 HTTP 重定向到 HTTPS。

huangapple go评论90阅读模式
英文:

Not able to redirect http to https

问题

请查看我的server.xml;我无法将端口8019重定向到https(端口443)。我尝试了网上的各种示例,但仍然无法使其正常工作。有人可以帮我看看我的server.xml有什么问题吗?

<Connector port="8019" protocol="HTTP/1.1"
           connectionTimeout="100000"
           redirectPort="443" />

<Connector port="443" maxHttpHeaderSize="8192" SSLEnabled="true"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           keystoreFile="C:\zenfortecertificate_zensar_com.pfx" keystorePass="[我的密码]" keystoreType="PKCS12"
           sslEnabledProtocols="TLSv1.2" 
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,
           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
           TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
           TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
           TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
           TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"/>

<Connector port="8019" protocol="AJP/1.3" redirectPort="443" />

<Engine name="Catalina" defaultHost="zenforte-stg.zensar.com">
  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    [...]
  </Host>
  <Host name="zenforte-stg.zensar.com"  appBase="zen_webapps"
        unpackWARs="true" autoDeploy="true"/> 
</Engine>
英文:

Please look into my server.xml;
I am not able to redirect port 8019 to https (port 443). I tried various examples on the web but I still cannot get it working. Could anyone help me with what is wrong with my server.xml?

&lt;Connector port=&quot;8019&quot; protocol=&quot;HTTP/1.1&quot;
           connectionTimeout=&quot;100000&quot;
           redirectPort=&quot;443&quot; /&gt;

&lt;Connector port=&quot;443&quot; maxHttpHeaderSize=&quot;8192&quot; SSLEnabled=&quot;true&quot;
enableLookups=&quot;false&quot; disableUploadTimeout=&quot;true&quot;
acceptCount=&quot;100&quot; scheme=&quot;https&quot; secure=&quot;true&quot; clientAuth=&quot;false&quot;
keystoreFile=&quot;C:\zenfortecertificate_zensar_com.pfx&quot; keystorePass=&quot;[my password]&quot; keystoreType=&quot;PKCS12&quot;
sslEnabledProtocols=&quot;TLSv1.2&quot; 
ciphers=&quot;TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384&quot;/&gt;

&lt;Connector port=&quot;8019&quot; protocol=&quot;AJP/1.3&quot; redirectPort=&quot;443&quot; /&gt;

&lt;Engine name=&quot;Catalina&quot; defaultHost=&quot;zenforte-stg.zensar.com&quot;&gt;
  &lt;Host name=&quot;localhost&quot;  appBase=&quot;webapps&quot;
        unpackWARs=&quot;true&quot; autoDeploy=&quot;true&quot;&gt;
    [...]
  &lt;/Host&gt;
  &lt;Host name=&quot;zenforte-stg.zensar.com&quot;  appBase=&quot;zen_webapps&quot;
        unpackWARs=&quot;true&quot; autoDeploy=&quot;true&quot;/&gt; 
&lt;/Engine&gt;

答案1

得分: 2

在你的 server.xml 中存在一些问题。其中一些与你的实际问题有关,另一些则是你可能要考虑的事情。

首先,在相同的端口(8019)上有两个 &lt;Connector&gt; 元素:

&lt;Connector port=&quot;8019&quot; protocol=&quot;HTTP/1.1&quot; connectionTimeout=&quot;100000&quot; redirectPort=&quot;443&quot; /&gt;

&lt;Connector port=&quot;8019&quot; protocol=&quot;AJP/1.3&quot; redirectPort=&quot;443&quot; /&gt;

所以首先要做的是选择一个连接器并删除另一个。如果你想在反向代理或负载均衡器中使用 AJP 协议,那么保留 AJP 连接器。否则,使用 HTTP 连接器。

将 HTTP 重定向到 HTTPS 的关键在于非安全 &lt;Connector&gt;(在你选择的 AJP/HTTP 中的端口 8019)中的 redirectPort。但是,重定向不会发生,除非你的应用程序要求重定向。为了做到这一点,你需要在应用程序的 WEB-INF/web.xml 中添加以下内容:

    &lt;security-constraint&gt;
      &lt;web-resource-collection&gt;
        &lt;web-resource-name&gt;Everything&lt;/web-resource-name&gt;
        &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
      &lt;/web-resource-collection&gt;
      &lt;user-data-constraint&gt;
        &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;
      &lt;/user-data-constraint&gt;
    &lt;/security-constraint&gt;

这告诉容器(Tomcat)应用程序期望“机密”通信,它会自动将任何非机密(即不安全)的请求重定向到另一个端口上的机密(即加密)协议(https/443)。

其他一些考虑事项:

  1. 你的 connectionTimeout 设置为 100 秒,这是很长的时间。你可能希望将其设置得更低,否则客户端可能会在不完成任何工作的情况下占用你的服务器。
  2. 你的 &lt;Connector&gt; 包含了所有安全配置。现代的 Tomcat 使用 &lt;SSLHostConfig&gt; 来进行所有的配置。这表明你使用了旧的配置在新的服务器上,或者更糟糕的是,在旧的服务器上。你应该尝试升级到最新的服务器,并使用最新的配置样式。较新的配置样式使你对配置拥有更大的控制权,并且可以更清楚地了解发生了什么。(例如,如果你想使用 RSA + ECDSA,使用 &lt;SSLHostConfig&gt; + &lt;Certificate&gt; 比仅仅指定密钥库并期望一切顺利更加明确。)
  3. 如果你在配置中没有使用“localhost” &lt;Host&gt;,请将其删除。更好的做法是,如果你没有定义任何其他的 &lt;Host&gt;,就只允许“localhost”覆盖所有内容。这使得你的配置不那么定制化,默认情况下需要维护的更改就更少了。
  4. 指定 disableUploadTimeout=&quot;true&quot; 不会生效,除非你还指定 connectionUploadTimeout
英文:

There are a few problems with your server.xml. Some of them have to do with your actual question, others are just things you might want to think about.

First, you have two &lt;Connector&gt; elements on the same port (8019):

&lt;Connector port=&quot;8019&quot; protocol=&quot;HTTP/1.1&quot; connectionTimeout=&quot;100000&quot; redirectPort=&quot;443&quot; /&gt;

and

&lt;Connector port=&quot;8019&quot; protocol=&quot;AJP/1.3&quot; redirectPort=&quot;443&quot; /&gt;

So the first thing to do is to pick a connector and remove the other one. If you want to use the AJP protocol with your reverse-proxy or load balancer, then keep the AJP one. Otherwise, use the HTTP one.

The key to redirecting HTTP -> HTTPS is the redirectPort in your non-secure &lt;Connector&gt; (on port 8019, whichever one AJP/HTTP you choose). But the redirect doesn't happen unless your application asks for it. In order to do that, you need this in your application's WEB-INF/web.xml:

    &lt;security-constraint&gt;
      &lt;web-resource-collection&gt;
        &lt;web-resource-name&gt;Everything&lt;/web-resource-name&gt;
        &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
      &lt;/web-resource-collection&gt;
      &lt;user-data-constraint&gt;
        &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;
      &lt;/user-data-constraint&gt;
    &lt;/security-constraint&gt;

This tells the container (Tomcat) that the application expects "confidential" communication and it will automatically redirect any non-confidential (i.e. insecure) requests to the confidential (i.e. encrypted) protocol on the other port (https/443).

Some other considerations:

  1. Your connectionTimeout of 100 seconds is a long time. You probably want that to be much lower otherwise clients can tie-up your server without accomplishing any work.
  2. Your &lt;Connector&gt; contains all of your secure configuration. Modern Tomcats use a &lt;SSLHostConfig&gt; for all that configuration. This suggests an old configuration with a new server or, worse, an old server. You should try to upgrade to the latest server and use the latest configuration style. The newer configuration style gives you greater control over the configuration and makes it clearer what is happening. (For example, if you want to use RSA + ECDSA, the configuration is more explicit using &lt;SSLHostConfig&gt; + &lt;Certificate&gt; than just specifying the keystore and hoping for the best.
  3. If you aren't using the "localhost" &lt;Host> in your configuration, remove it. Even better, if you don't have any other &lt;Host&gt;s defined, just allow the "localhost" one to cover everything. This makes your configuration less customized from the default, and therefore you have fewer changes to maintain from the stock server.xml.
  4. Specifying disableUploadTimeout=&quot;true&quot; doesn't have any effect unless you also specify connectionUploadTimeout

huangapple
  • 本文由 发表于 2020年7月27日 12:47:54
  • 转载请务必保留本文链接:https://go.coder-hub.com/63108852.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定