11

On Tomcat 7, our web application is running over HTTPS on port 8443 and works fine, except that we are unable to redirect the default HTTPS port (443) to 8443, so ':8443' has to be included in the URL whenever we access the application. I include some parts of our server.xml file. What should be done in order to be able to load our pages without having to enter port information in the URL?

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           enableLookups="false"
           redirectPort="8443" />

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           enableLookups="false"
           redirectPort="8443" />

<Connector port="443" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           enableLookups="false"
           redirectPort="8443" />
...

<Connector port="8443"
            maxHttpHeaderSize="65536"
            scheme="https"
            secure="true"
            SSLEnabled="true"
            clientAuth="false"
            enableLookups="true"
            acceptCount="100"
            disableUploadTimeout="true"
            maxThreads="200"
            sslProtocol="TLS"
            keystoreFile="/toto/has/a/certificate.jks"
            keystorePass="totohasapassword"
            protocol="org.apache.coyote.http11.Http11NioProtocol" />
ROMANIA_engineer
jon
  • found a simple solution on coderanch using iptables: http://www.coderanch.com/t/601907/Tomcat/SSL-work Here is the line to enter: iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443 – jon Jul 14 '14 at 12:50
  • is it possible that port number remains the same and only it redirects to https? – shzyincu Apr 05 '17 at 09:38

1 Answer

18

I found a simple solution on coderanch using iptables: http://coderanch.com/t/601907/Tomcat/SSL-work

Here is the line to enter:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

New edit

Here is my complete answer now. We had a problem with the previous answer: when we called the URL over HTTP, the redirection worked but always added ':8443' at the end, which was not very nice.

So in terms of iptables, here is what we wrote:

sudo iptables -t nat -I PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
sudo iptables -t nat -A OUTPUT -p tcp -d <your_ip_address>,<your_ip_address>  --dport 80 -j  REDIRECT --to-port 8080
sudo iptables -t nat -I PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 8443

Now it is also important to add the redirections in the Tomcat config file server.xml:

<Connector port="8080"
           enableLookups="false"
           redirectPort="443" />

<Connector port="443" protocol="HTTP/1.1"
           enableLookups="false"
           redirectPort="8443" />

That's it, restart Tomcat and all should be working. I'm not an expert in iptables configurations, so please validate with sysadmins before modifying any existing config in production.

ROMANIA_engineer
jon
  • @engineer not sure i understand what you're asking. Protocol is "org.apache.coyote.http11.Http11NioProtocol" and this value is still right for me at least. – jon Jan 18 '16 at 15:10
  • again, I'm not a Tomcat expert so don't take my answer as final. The first connectors are only there to redirect Tomcat to 8443 no matter what, and the default protocol for a normal connector is HTTP/1.1 (indeed HTTP/ was not the default and probably wrong). Once you enable SSL, it won't work with HTTP/1.1, and protocol Http11NioProtocol will work and be able to understand the TLS communication – jon Jan 18 '16 at 17:22
  • 2
    Did anyone actually test the iptables ruleset? Why is "your_ip_address" in there twice? Also, why can't we redirect port 80 to say, 8443 in iptables and then have only one connector in Tomcat? Does Tomcat need a non-ssl connector? – mr.zog Feb 11 '16 at 19:10
  • is it possible that port number remains the same and only it redirects to https? – shzyincu Apr 05 '17 at 09:39
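As an added example (not code from the question or the answer), the following Python check walks the redirect chain a client would follow under the answer's iptables mapping and flags a redirectPort that names an internal port, which is exactly what put ':8443' into the URL in the first version. The server.xml snippets and the NAT map are constructed to mirror the connectors and REDIRECT rules shown above.

```python
import xml.etree.ElementTree as ET

# Constructed snippet mirroring the connectors in the accepted answer.
ANSWER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" enableLookups="false" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" enableLookups="false" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"/>
</Service></Server>"""

# Constructed snippet mirroring the question's original 8080 connector.
QUESTION_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"/>
</Service></Server>"""

# The two PREROUTING REDIRECT rules from the answer: external port -> listener.
NAT = {80: 8080, 443: 8443}

def parse_connectors(xml_text):
    """Return {port: (ssl_enabled, redirect_port_or_None)} per Connector."""
    conns = {}
    for c in ET.fromstring(xml_text).iter("Connector"):
        rp = c.get("redirectPort")
        ssl = c.get("SSLEnabled", "false").lower() == "true"
        conns[int(c.get("port"))] = (ssl, int(rp) if rp else None)
    return conns

def check_chain(conns, nat, external_port, max_hops=4):
    """Walk the chain a client hitting external_port would follow.

    Returns [] when it ends on a TLS connector without ever sending the
    browser to an internal (NAT-target) port such as 8443.
    """
    internal = set(nat.values())
    findings, port = [], external_port
    for _ in range(max_hops):
        listener = nat.get(port, port)  # port iptables actually delivers to
        if listener not in conns:
            return findings + [f"no Connector listens on {listener} (from {port})"]
        ssl, redirect = conns[listener]
        if ssl:
            return findings  # reached the TLS endpoint
        if redirect is None:
            return findings + [f"plain connector {listener} has no redirectPort"]
        if redirect in internal:
            findings.append(f"connector {listener} redirects to internal port {redirect}")
        port = redirect
    return findings + ["redirect chain too long"]
```

Run `check_chain(parse_connectors(ANSWER_XML), NAT, 80)` to confirm the answer's chain (80 to 8080, redirect to 443, NAT to 8443) is clean, and the same call on QUESTION_XML to see the internal-port finding.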