Win a copy of Clojure in Action this week in the Clojure forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Tomcat HTTP to HTTPS redirect with VIP issue

 
PankajKumar jaiswal
Greenhorn
Posts: 17
  • 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Friends,

We have one VIP server that redirects the request to one of the two Tomcat instances. Now we have to automatically redirect HTTP requests to HTTPS. So I searched online and configured security constraint in tomcat web.xml file. Now the issue is that its working fine if we hit tomcat server directly but not through VIP.

VIP Configuration:

htttp://vip.abc.com > redirects it to one of the two instances 8080 (Both tomcat are on different servers)

htttps://vip.abc.com > redirects it to one of the two instances 8443 (Both tomcat are on different servers)

Now the problem is that when we hit htttp://vip.abc.com, it hit one of the tomcat instances that redirect it to port 8443 and URL changes to htttps://vip.abc.com:8443 but since it's not configured to forward it to any of the tomcat, its not working.

Resolution: The simple resolution can be to change the forward ports to 443 in Tomcat, so that it will hit the htttps://vip.abc.com and work fine but we are not allowed to use this default port. Is there any other work around for this issue?

If somehow we can redirect to htttps://vip.abc.com rather than port 443 then the problem will be solved. Any help will be appreciated.

Regards,
Pankaj
 
Tim Holloway
Saloon Keeper
Pie
Posts: 17628
39
Android Eclipse IDE Linux
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This is one of those questions that I don't fully understand, but I'll throw out some general information in the hopes that it will help.

First, an observation: If you have traffic coming in on the "http" protocol, it's unencrypted, and therefore unsecure. That means that anyone along the route from client to server can use simple diagnostic tools to see both what's being sent and what's being received. It's far more common to use HTTPS on the outside and HTTP on the inside than the other way around.

I'm not familiar with VIP. However if it's anything like the load-balancing systems I'm familiar with, you should be able to set up a pair of rules, one of which distributes traffic coming in on Port 80 and forwards to one of several URLs which would presumably be something like "tomcat1:8080", "tomcat2:8080", and so forth. Likewise a second rule for forwarding traffic on Port 443 to "tomcat1:8443" and so forth.

Note that whether or not you explicitly code a port shouldn't matter, since anything you code an HTTP URL and don't give a port number, it's going to route it to the destination server's Port 80 and anytime you code an HTTPS URL and don't give a port number, it's going to route it to port 443. The only time that this is likely to be a problem is in cases where something's matching on a character-by-character basis instead of intelligently matching the URL. And even then, unless you're not including the protocol ID ("http:", "https:") there's no ambiguity.
 
PankajKumar jaiswal
Greenhorn
Posts: 17
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Tim,

VIP is a kind of load balancer tool and I fully understand that if we can redirect it to 443 then the problem will get resolved but we don't have permission to use 443 port (some other apps are using that). Also the team managing VIP servers will take time to do this mapping (redirecting 8443 requests to tomcat 8443 ports), so I was thinking for any alternative through tomcat to redirect all the HTTP requests automatically to VIP HTTPS port rather than redirecting it to some other port.

The question is still open, any help appreciated.

Regards,
Pankaj
 
Jaikiran Pai
Marshal
Pie
Posts: 10444
227
IntelliJ IDE Ubuntu
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Now the problem is that when we hit htttp://vip.abc.com, it hit one of the tomcat instances that redirect it to port 8443 and URL changes to htttps://vip.abc.com:8443 but since it's not configured to forward it to any of the tomcat, its not working.

Resolution: The simple resolution can be to change the forward ports to 443 in Tomcat, so that it will hit the htttps://vip.abc.com and work fine but we are not allowed to use this default port. Is there any other work around for this issue?

If somehow we can redirect to htttps://vip.abc.com rather than port 443 then the problem will be solved. Any help will be appreciated.


I am not sure I understand this completely. You say, the problem will be resolved if instead of Tomcat redirecting the request to 8443 would instead redirect it to 443. And a few sentences later, you say that you are not allowed to use 443.

By the way, check the description "redirectPort" in the Tomcat Connector documentation. That might be what you are looking for.
 
PankajKumar jaiswal
Greenhorn
Posts: 17
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Jaikiran,

As I mentioned earlier that we can't use port 443 in our tomcat servers otherwise the problem would have been resolved itself.

Let me explain the flow, when any request comes on VIP server (default port 80) it redirects it to one of the tomcat servers 8080 but because of security options we are redirecting it to 8443 so the same request is sent to VIP server 8443 port that is not configured for any redirect and hence the error message.

Now if we were able to forward it to 443 instead of 8443, it would have used the existing forwarding logic of VIP and forwarded it to one of the servers and worked fine.

New redirect mapping in VIP is one solution but it will take time, so I am looking for an alternative.

As an alternative if we can forward all the HTTP requests on port 8080 of tomcat server to the HTTPS URL of VIP, it will solve the problem.

I hope the things will be clear now.
 
Manjay Dasaundhi
Greenhorn
Posts: 1
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Pankaj,

I am having same kind of issue with IIS server. Actually my issue is users are giving VIP a HTTPS request https://Vip/default.aspx. But user is getting response in HTTP.

Issue might be beause vip and boxes under vip are communicating Via http and response are coming in http from boxes ..

And I can't make any change in VIP . So can you please suggest some solution without changing anything in VIP.

Thanks in advance.
 
Tim Holloway
Saloon Keeper
Pie
Posts: 17628
39
Android Eclipse IDE Linux
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Welcome to the JavaRanch, Manjay!

We would prefer that instead of resurrecting long-dead threads that you start your own new thread. It makes it easier for people to tell what's going on.

Actually, thinking about this sort of problem (again), I realized that unless Tomcat is also receiving direct Internet requests, there's no point in doing both HTTP and HTTPS. If your intranet is secure, you can do HTTP between the VIP proxy server - I'm assuming that VIP is doing a proxy/load-balance sort of thing. If you are truly paranoid, set up VIP to only use HTTPS to the Tomcat server. Or an encrypted VPN channel or something like that.

For major Internet webapps, Tomcat better not connected straight the the Internet. In order to listen on Port 80 on most OS's, Tomcat would have to be running under a privileged user ID, which is a security risk. So the more common practice is to route to Tomcat via some sort of proxy service such as Apache HTTP or VIP.
 
I agree. Here's the link: http://aspose.com/file-tools
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic