Charles S

Reputation: 314

Tomcat SSL Redirection for External IPs Only

I am having trouble setting up Tomcat redirection properly. I am trying to set up Tomcat for a webapp; currently I have it so that all requests to port 8080 are redirected to the SSL port on 8443. This is working well for anyone connecting externally. It also works for anyone connecting internally, as long as they are using the domain name instead of the local IP.

The problem is I have a few utilities that need to connect to this webapp over the LAN. Currently they are all doing so by communicating with localIP:8080. When Tomcat redirection happens they are redirected to https://localIP:8443 and run into invalid cert issues.

I am wondering if it is possible to redirect to SSL for all requests coming from an external IP and allow LAN IPs to connect to the non-SSL port 8080.

server.xml

<Connector port="8080" protocol="HTTP/1.1"
           address="0.0.0.0"
           connectionTimeout="20000"
           redirectPort="8443" />

web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>App_nmae</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Upvotes: 0

Views: 361

Answers (1)

Christopher Schultz

Reputation: 20882

A couple of ideas:

  1. Always use the proper hostname for the service, and allow TLS as usual. This would be the best practice IMO.
  2. Fix the clients, since you have complete control. Just have them ignore hostname mismatches as long as the certificate is (otherwise) valid. This is a bit of a hack, but should be pretty easy to accomplish.
  3. Set up an additional connector that fixes everything through hand-wavy magic, and point your "trusted" applications to http://localIP:8081:

    <Connector port="8081" secure="true" />

Now, it's important that you restrict access to that port. The best way to do it is probably using a firewall, but you could double up on your security by adding a RemoteAddrFilter to your configuration.

Upvotes: 1
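One way to put idea 3 and the address restriction together in server.xml, as an added example that is not from the answer above: the LAN range 192.168.1.0/24 and the bind address 192.168.1.10 are constructed assumptions, and the `addConnectorPort` attribute of RemoteAddrValve requires Tomcat 7.0.68 / 8.0.33 / 8.5 or later. The existing 8443 SSL connector from the question is assumed to stay as it is.

```xml
<!-- server.xml (added example; addresses are constructed, not from the question) -->
<Service name="Catalina">

  <!-- Public connector: plain HTTP. The CONFIDENTIAL transport-guarantee in
       web.xml redirects requests arriving here to redirectPort (8443). -->
  <Connector port="8080" protocol="HTTP/1.1"
             address="0.0.0.0"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- LAN-only connector for the internal utilities. secure="true" makes
       request.isSecure() return true, so the CONFIDENTIAL constraint is
       already satisfied and Tomcat does not redirect. Binding to the LAN
       interface address (placeholder) keeps it off other interfaces. -->
  <Connector port="8081" protocol="HTTP/1.1"
             address="192.168.1.10"
             secure="true" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <!-- Second layer behind the firewall: with addConnectorPort="true" the
           client address is matched as "ip;port", so 8081 is accepted only
           from the LAN range, while 8080 and 8443 stay open to everyone.
           The allow pattern is a single Java regex that must match fully. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             addConnectorPort="true"
             allow="192\.168\.1\.\d{1,3};8081|.*;(8080|8443)" />
    </Host>
  </Engine>
</Service>
```

A request to http://192.168.1.10:8081 from outside 192.168.1.0/24 is answered with 403 by the valve; requests on 8080 and 8443 are unaffected.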
