I have a page which can be requested over HTTP and HTTPS. The problem is that if the user requests the page over HTTPS, images are still loaded from an HTTP location.
How do I set up <portlet:resourceURL> in a JSP to output an HTTPS URL?
If you request in https, <portlet:resourceURL/> will use https as well - works for me.
I guess you might have an Apache in front and forward requests with mod_proxy on http? This way Apache terminates the https connection and Tomcat/Liferay does not have any idea that you're using https between the browser and Apache. mod_proxy has some options to forward that information as well. I personally favor mod_jk, this will automatically forward all the relevant information and works quite well.
If I remember correctly, you can also configure the Tomcat connector (e.g. 8080) to assume that it's always served through https. It might be secure="true" in the Connector element in server.xml, but I've not tested it, I just remember it vaguely.
Related
I am setting up my Tomcat 8 server to use an SSL connection and the application is working fine - the redirect from HTTP to HTTPS is good, but I need to find a way to allow HTTP for some pages (API calls).
Why do I need that? Because those API calls are trying to upload/download something to/from the server, and because the connection is secure, those files are first encrypted, then decrypted and finally used. And because the CPU has low performance, the upload/download speed is very poor.
I've tried to change configuration from conf/web.xml file, with no success.
If I change the parameter from CONFIDENTIAL to NONE, both connection types (HTTP/HTTPS) will be enabled - and this is not what I need.
Any help in this direction is appreciated.
Thank you,
If you are using a Linux system like Ubuntu, then, instead of setting up an SSL connection in Tomcat, you will use the Nginx server. Use the following link for installation. In the Nginx server configuration file, nginx.conf, you can define a location inside the server name setting and then you can filter the APIs that you do not want to enable as HTTPS.
For setting SSL in Nginx, you have to use the ssl_certificate & ssl_certificate_key setting.
I developed an application. In it, some modules exist on a cloud server and are accessible using the https protocol, and some modules are on my local server and are accessible using the http protocol.
So when I make a request from the http protocol to the https protocol, it works fine and I get data without any problem.
But once I redirect to the https protocol, I then want to access my other module, which is on the local server, e.g. the http protocol. When I hit the URL or make a call to access the local module, I get this error:
Mixed Content: The page at
'https://here is my url https machine ' was loaded over HTTPS,
but requested an insecure form action 'http:// here is my local url'.
This request has been blocked; the content must be served over HTTPS.
and it is not redirecting to the http protocol.
How can I solve this problem?
Can anybody help with this?
Thank you...
I'm working with Tomcat with a front load balancer. The load balancer takes my requests in HTTPS and forwards them to Tomcat over HTTP. So my Tomcat has no SSL configuration and it's working fine that way.
My problem is that I've got a response wrapper that does encode redirect some URLs. All my URLs are relative, and when I encode redirect my URLs, the resulting redirect URL is in HTTP. I'd like it to be HTTPS. I believe this is because Tomcat is not in HTTPS. Is it possible to enforce HTTPS when doing encode redirect without configuring Tomcat with an SSL connector?
Configure Tomcat to use the RemoteIpValve. This will take the headers that AWS ELB uses to communicate the original TLS connection information to the back-end server and wire it into the request object.
This will get you the proper redirect protocol plus you'll also get the original client's IP address when you ask for it, instead of the IP address of the proxy (which is pretty much useless).
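A server.xml fragment for the proxy-terminated TLS setup discussed in the answers above, added here as an illustration and not taken from the original posts. The bind address, port and the proxy subnet 10.0.1.0/24 are placeholder assumptions to replace with your own values.

```xml
<!-- Added example: fragment of Tomcat's conf/server.xml.
     Addresses, ports and the proxy subnet are placeholders. -->
<Service name="Catalina">

  <!-- Plain-HTTP connector that the TLS-terminating proxy or load balancer
       forwards to. Bind it to an internal interface so clients cannot reach
       it directly and bypass the proxy.
       Static alternative to the valve below: add scheme="https"
       secure="true" proxyPort="443" to this connector. Tomcat then treats
       EVERY request on it as HTTPS, which is only correct when nothing but
       the proxy can connect to this port. -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="10.0.1.20"
             connectionTimeout="20000" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Per-request alternative: RemoteIpValve copies the proxy's headers
         into the request object, so request.getScheme(), isSecure(),
         getRemoteAddr() and generated redirects reflect the original
         client connection.
         protocolHeader has no default and must be set for the scheme to be
         rewritten. The headers are honoured only when the TCP peer matches
         internalProxies (a regular expression), so restrict it to the
         addresses of your own proxies: a client that reaches Tomcat
         directly could otherwise claim any scheme or source address. -->
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="x-forwarded-for"
           protocolHeader="x-forwarded-proto"
           protocolHeaderHttpsValue="https"
           internalProxies="10\.0\.1\.\d{1,3}" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

After a restart, a request arriving through the proxy with X-Forwarded-Proto: https should report isSecure() as true, while the same header sent from an address outside internalProxies should be ignored.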
I have developed a proxy servlet under Tomcat. The servlet receives the request from the client and forwards it to another proxy server; before forwarding, it will authenticate with the proxy server. Now it can process HTTP requests very well but cannot receive HTTPS requests. So this proxy servlet is not perfect.
I have searched Google and read many posts in this forum, especially this one:
Developing a proxy servlet that can handle HTTPS connections
I configured the Tomcat to listen on port 8443, as follows:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" redirectPort="8080"/>
I deployed the servlet within Eclipse, locally, and I set the browser proxy to 127.0.0.1:8080, but bypass it for localhost.
When I browse https://localhost:8443/ I can see the https request received in the servlet log (by calling request.getScheme() and request.isSecure()). But if I browse https://www.google.com, it cannot get connected and my proxy servlet doesn't catch the request.
I also overrode the service() method to print request.getMethod() and still failed to catch the HTTPS request.
What should I do?
All I want is to get the HTTPS request, add the authentication and forward it to the next proxy server.
Thanks
That's not the way SSL proxies work. If you set your HTTPS proxy to localhost:8080, then your browser will dutifully connect to localhost:8080 and use the CONNECT verb to tunnel SSL traffic through the HTTP proxy connection. Without doing this, SSL wouldn't be particularly secure and any proxy server administrator could trivially read one's credit card details next time someone decided to buy something from Amazon or check their bank balance or sign up for a recurring-payment adult entertainment web site or whatever it is that people do that requires SSL these days.
It doesn't appear that you've told your browser anything about this new SSL proxy on port 8443, so I'm not sure why you think it would be used. It won't. You may be able to tell your browser to use an SSL-based proxy server - i.e., set your proxy as https://localhost:8443, but even then it will use CONNECT-based SSL tunneling, so there's really no point except still slower connections.
If all you really need to do is forward this request on to another proxy, you need to forward the CONNECT method to the upstream proxy and include the appropriate authentication information.
I would like to run a servlet in Jetty on an HTTPS site that requires a client certificate for only part of the site (specific URLs). For example:
https://example.com/someservlet/public - no client cert required
https://example.com/someservlet/protected - client cert required
In Apache I can accomplish this by specifying SSLVerifyClient require inside a <Directory> or <Location> which forces Apache to renegotiate the SSL connection after the request is made.
I do not want to run Jetty embedded in anything else, just standalone. Is this possible? Can a Servlet cause this directly somehow? Can it be done via configuration?
As far as I know you can only specify the SSL options on a per-port basis.
Even if you could, the configuration you are trying to achieve is problematic, as it needs SSL renegotiation, which was changed about a year ago because of a security vulnerability. The new method for performing an SSL renegotiation is therefore only supported by newer clients, and sometimes even if it is supported it does not work because of bugs.
My recommendation for an easy workaround: Configure Jetty to listen on two SSL ports:
For example on 443 without HTTPS Client auth and on 8443 with HTTPS client auth required. Then make your protected servlet only available on 8443. This is not a nice solution but 100% robust, works with Jetty and with all clients.