1

We have a Java web application running in Apache Tomcat 8.0.36. HTTP port 80 is configured and HTTPS port 443 is configured. Redirection to HTTPS is configured in web.xml as below and it worked fine:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>OPTIONS</http-method>
            <http-method>DELETE</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

Now, port 80 has been blocked on the server where the application is deployed and redirection to HTTPS is not happening. Is there any way to make HTTPS redirection work when the HTTP port is blocked?

ANITI
  • If you want to ALWAYS use HTTPS, you can use the HSTS header to force clients to use HTTPS only. See https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security – Lennier Sep 25 '18 at 10:43
  • This post might be helpful for you; I think this is similar to what you are asking: https://stackoverflow.com/questions/33208796/redirect-http-to-httpsport-in-tomcat – Afaq Ahmed Khan Sep 25 '18 at 10:47

2 Answers

4

Is there any way to make HTTPS redirection to work when HTTP port is blocked?

I presume you mean blocked by a firewall in the server, or in front of it.

Basically, the answer is No.

In order for any form of HTTP redirection to work within the server, the server must be capable of getting the incoming connection HTTP request on port 80. (It would then send a 3xx response to tell the browser to try again with a different URL. That URL would be an HTTPS URL.)

If the HTTP request is blocked before the server gets it, naturally it can't do anything.

Furthermore, if you tried to do something clever like mapping port 80 to port 443 in the firewall, you would end up sending an HTTP request to an HTTPS server port. That would fail, because the HTTPS server is expecting the SSL / TLS negotiation stuff. It would probably just close the connection.

If you really need to support this, you would need to implement an HTTP / HTTPS proxy in front of the server, and have that send the redirect back to the user's browser. But this is kind of silly.

If you really want to force people to use HTTPS, do one of the following:

  • Get the network admins to open port 80 on the server and implement 3xx redirecting in the server the normal way.
  • Keep port 80 closed on the server and don't publish http:// URLs. If some user tries to use an http:// URL they would get either "Connection Refused" or "Connection Timed Out" ... or however the browser chooses to describe these scenarios to users.

If you are trying to evade a network block by admins who are not being helpful, I would advise not bothering. They presumably have their reasons.

Stephen C
0

Have you tried it?

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Huy Nguyen
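
A web.xml fragment that puts the pieces from this thread side by side, added here as an illustration and not taken from the question or either answer: the method restriction from the question, the CONFIDENTIAL constraint that triggers Tomcat's redirect, and the HSTS header mentioned in the comments. It assumes the installed Tomcat build ships `org.apache.catalina.filters.HttpHeaderSecurityFilter`; the filter name `hsts` and the one-year max-age are illustrative choices.

```xml
<!-- 1. Method restriction, as posted in the question. The empty
     auth-constraint denies OPTIONS, DELETE and TRACE outright.
     It does not cause any redirect to HTTPS. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

<!-- 2. Transport guarantee. A plain-HTTP request that reaches Tomcat is
     answered with a redirect to the HTTP connector's redirectPort
     (server.xml). This only helps while port 80 is reachable. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- 3. HSTS. Sent on HTTPS responses only; a browser that has seen it
     rewrites later http:// URLs for this host to https:// itself, so
     returning visitors never touch port 80. First-time visitors
     typing http:// still hit the blocked port. -->
<filter>
    <filter-name>hsts</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <!-- one year; assumed value, start lower while testing -->
        <param-value>31536000</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>hsts</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```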