I have developed a proxy servlet under Tomcat, the servlet receive the request from client and and forward to another proxy server, before forwarding, it will authenticate with the proxy server. Now it can process the HTTP request very well but can not receive the HTTPS request. So this proxy servlet is not perfect.
I have searched google and read many posts in this forum, esp this one:
Developing a proxy servlet that can handle HTTPS connections
I configured the Tomcat to listen on port 8443, as follows:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" redirectPort="8080"/>
I deployed the servlet within eclipse, locally, and I set the browser proxy to 127.0.0.1:8080, but bypass it for localhost.
When I browse https:// localhost:8443/ I can see the https request received in servlet log(by calling request.getScheme() and request.isSecure()). But if i browse https://www.google.com, it can not get connected and my proxy servlet didn't catch the request.
I also override the service() method and print the request.getMethod() and still failed to catch the HTTPS request.
What should I do?
All I want is get the HTTPS request and add the authentication and forward to the next proxy server.
Thanks
That's not the way SSL proxies work. If you set your HTTPS proxy to localhost:8080, then your browser will dutifully connect to localhost:8080 and use the CONNECT verb to tunnel SSL traffic through the HTTP proxy connection. Without doing this, SSL wouldn't be particularly secure and any proxy server administrator could trivially read one's credit card details next time someone decided to buy something from Amazon or check their bank balance or sign up for a recurring-payment adult entertainment web site or whatever it is that people do that requires SSL these days.
It doesn't appear that you've told your browser anything about this new SSL proxy on port 8443, so I'm not sure why you think it would be used. It won't. You may be able to tell your browser to use an SSL-based proxy server - ie, set your proxy ashttps://localhost:8443, but even then it will use CONNECT-based SSL tunneling, so there's really no point except still slower connections.
If all you really need to do is forward this request on to another proxy, you need to forward the CONNECT method to the upstream proxy and include the appropriate authentication information.
Related
I have a java web application that supplies a REST-API for which I want to implement client certificate authentication. I am using Tomcat 9 Web Server to deploy the application as a warfile.
I only want this validation for the REST API and not for other applications deployed on the same server or other requests (for example the user interface).
Requests without a certificate or without a valid certificate should therefore not be blocked by my Web Server so I can verify the client certificate in my application code.
If I do not configure Tomcat for client certification, I cannot retrieve the certificate within my application code.
I have tried to use the following configuration:
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keyAlias="tthserver" keystoreFile="C:\Temp\keystore\keystore.jks" keystorePass="PW"
truststoreFile="C:\Temp\keystore\truststore.jks" trustStorePass="PW"
clientAuth="want" sslProtocol="TLS" />
This however blocks requests with an invalid client certificate.
You will need to add the CLIENT-CERT login-configuration in the web.xml of the webapplication deployed in tomcat that needs client authentication. Other, web applications need not have this configuration, so when client access resources of other web application, the client authentication will not take place.
For more details you may refer to the link below: -
https://users.tomcat.apache.narkive.com/C1hxh39a/tomcat-and-client-certificates
I have secured apache reverse proxy configured in front of my websphere 8 application server. I have set generic JVM arguments -Dhttps.proxyHost and -Dhttps.proxyPort but the requests on response.sendRedirect are not directed to peoxy server. It is directed to defualt port 9080.
How to solve this issue ?
I have solved this issue on Tomcat & Jboss by modifying my connector port as follows
connector name="http" protocol="HTTP/1.1" socket-binding="http" scheme="https" proxy-name=" 192.168.1.1 " proxy-port="443" secure="true"
How do I solve this for Websphere ?
I assume that you are using like below
response.sendRedirect(request.getContextPath() +
"/my/main.jsp");
Here - request.getContextPath gives the proxied server info.
As a quick fix I resolved it using the proxy server values from properties files.
response.sendRedirect("get proxy server name from prop file" +
"/my/main.jsp");
Solved this problem by following below steps.
Add following in Apache web server's virtual host tag . What you actually need is to forward along the protocol that was used to access the server.
VirtualHost *:443>
RequestHeader set X-Forwarded-Proto "https"
….
/VirtualHost>
For more explanation refer site
https://www.nczonline.net/blog/2012/08/08/setting-up-apache-as-a-ssl-front-end-for-play/
Following properties needs be added in Websphere webcontainer properties through admin console.
Go to Application servers > server1 > Web container > Custom properties
Add Following properties
httpsIndicatorHeader -
X-Forwarded-Proto (Request header value set in web server (in our case it is https) )
com.ibm.ws.webcontainer.extractHostHeaderPort -
true (To obey request port no)
trusthostheaderport -
true (To obey request port no)
Refered the below site for this settings
http://www-01.ibm.com/support/docview.wss?uid=swg21569667
http://129.33.205.81/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.iseries.doc/ae/rweb_custom_props.html
In our case (Websphere Liberty 21.0.0.9), we simply added a couple of directives in the corresponding Apache virtual host configuration:
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On`
These directives are valid only from Apache 2.3.3 on
Both are mentioned in the article mentioned below by #Darshan Shah
I'm working with tomcat with a front load balancer. The load balancer take my requests in HTTPS and forward them to tomcat over HTTP. So my tomcat has no SSL configuration and it's working fine so.
My problem is that I've got a response wrapper that does encode redirect some URLs, all my URLs are relative and when I encode redirect my URLs the resulting redirect URL is in HTTP. I'd like it to be HTTPS. I believe this is because tomcat is not in HTTPS, is it possible to enforce HTTPS when doing encode redirect without configuring tomcat with a SSL connector ?
Configure Tomcat to use the RemoteIPValve. This will take the headers that AWS ELB uses to communication the original TLS connection information to the back-end server and wire it into the request object.
This will get you the proper redirect protocol plus you'll also get the original client's IP address when you ask for it, instead of the IP address of the proxy (which is pretty much useless).
I have page which can be requested as HTTP and HTTPS. The problem is that if user request page as HTTPS, images are still loaded from HTTP location.
How to setup <portlet:resourceURL> in JSP to output HTTPS url?
If you request in https, <portlet:resourceURL/> will use https as well - works for me.
I guess you might have an Apache in front and forward requests with mod_proxy on http? This way Apache terminates the https connection and Tomcat/Liferay does not have any idea that you're using https between the browser and Apache. mod_proxy has some options to forward that information as well. I personally favor mod_jk, this will automatically forward all the relevant information and works quite well.
If I remember correctly, you can also configure the tomcat connector (e.g. 8080) to assume that it's served through https always. It might be secure="true" in the Connector element in server.xml, but I've not tested, just remembered vaguely
I'm having regarding a java web app running on apache.
One of the pages is invoking an applet which code is an external server.
The company responsible of the applet told us to use HTTPS when invoking the page showing the applet as we had problems when we invoked the page using HTTP.
The problem is that when I browse the page in HTTPS , I have an ssl_error_rx_record_too_long error.
The address I want to browse looks like :
https://www.myurl.com:8084/myWebApp/pageContainingApplet.jsp?parameter1=value1¶meter2=value2
I looked for the server.xml file under /conf and added this tag:
<Connector port="8084" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
Still nothing
Error code: ssl_error_rx_record_too_long
This usually means the implementation of SSL on your server is not correct. The error is usually caused by a server side problem which the server administrator will need to investigate. Below are some things we recommend trying.
Ensure that port 443 is open and enabled on your server. This is the
standard port for https communications.
If SSL is using a non-standard port then FireFox 3 can sometimes give
this error. Ensure SSL is running on port 443.
If using Apache2 check that you are using port 443 for SSL. This can
be done by setting the ports.conf file as follows
Listen 80 Listen 443 https Make sure you do not have more than one
SSL certificate sharing the same IP. Please ensure that all SSL
certificates utilise their own dedicated IP.
If using Apache2 check your vhost config. Some users have reported
changing to default resolved the error.
Make sure that your SSL certificate is not expired
Try to specify the Cipher:
SSLCipherSuite
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:+SSLv3
Also check this : https://support.servertastic.com/error-code-ssl-error-rx-record-too-long/