Reputation: 166
I have an application that I'm running on App Engine Flex Custom Runtime. This application is a Java WAR package that runs on top of Tomcat 8 (Java 8). In order to run on App Engine Flex Custom Runtime I created a Docker image:
FROM tomcat:alpine
USER root
WORKDIR /root
RUN rm -rf /usr/local/tomcat/webapps/*
COPY ROOT.war /usr/local/tomcat/webapps/ROOT.war
#RUN chmod +x /root/env.sh
RUN rm -f /usr/local/tomcat/conf/server.xml
RUN rm -f /usr/local/tomcat/conf/web.xml
COPY app.jks /usr/local/tomcat/conf/app.jks
COPY server.xml /usr/local/tomcat/conf/server.xml
COPY web.xml /usr/local/tomcat/conf/web.xml
#Set properly time zone
RUN apk --update add tzdata && \
    cp /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime && echo "America/Sao_Paulo" > /etc/timezone && \
    apk del tzdata
I read that with flex and custom runtime it's impossible to configure App Engine to redirect; this must be done in my application, so I modified the server.xml and web.xml from my Tomcat as follows:
server.xml:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/usr/local/tomcat/conf/app.jks" keystorePass="my_password"
    clientAuth="false" sslProtocol="TLS"/>
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
and my app.yaml:
runtime: custom
env: flex
network:
  session_affinity: true
  forwarded_ports:
    - 443:8443
    - 80:8080
resources:
  cpu: 1
  memory_gb: 2
  disk_size_gb: 10
manual_scaling:
  instances: 1
beta_settings:
  cloud_sql_instances: path-db
It seems as if there is something between my application and the "internet", because every time I try to access it, it keeps looping, as if when it arrives at my Docker container it is always HTTP, never HTTPS. Can someone spot what my mistake is? Why am I not able to do this redirect using App Engine?
When I test it locally using docker on my machine everything goes smoothly.
Thanks in advance!
Upvotes: 0
Views: 216
Reputation: 2497
In App Engine Flexible you have to use Strict-Transport-Security to force HTTPS connections. Follow these steps:
1) Add the following filter in your web.xml:
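<filter>
    <filter-name>HTTPSFilter</filter-name>
    <filter-class>security.HTTPSFilter</filter-class>
</filter>
<!-- A filter only runs for requests matched by a filter-mapping -->
<filter-mapping>
    <filter-name>HTTPSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>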
2) Create a filter in your app to use the Strict-Transport-Security header:
package security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HTTPSFilter implements Filter {

    // init() and destroy() must be implemented with the Servlet 3.1 API used by Tomcat 8
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        if (!req.isSecure()) // if it's not secure, make it secure
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");
        chain.doFilter(req, resp);
    }

    public void destroy() {
    }
}
Please let me know if it works for you.
Upvotes: 1
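The loop described in the question is consistent with TLS ending at the App Engine front end: the container receives plain HTTP on every request, so the CONFIDENTIAL constraint redirects again and again. As an added example (not code from the question or the answer), the filter below decides from the `X-Forwarded-Proto` header that App Engine flexible sets, redirects only requests the client made over `http`, and sends HSTS on HTTPS responses. The class name and the `canonicalHost` init parameter are assumptions for illustration, and the header is trusted on the assumption that requests reach the container only through the front end.

```java
package security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; the class name and "canonicalHost" init-param are hypothetical.
public class ForwardedProtoFilter implements Filter {
    private static final String HSTS = "max-age=31622400; includeSubDomains";
    private String canonicalHost; // optional, set via <init-param> in web.xml

    @Override
    public void init(FilterConfig config) {
        canonicalHost = config.getInitParameter("canonicalHost");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Protocol the client used, as reported by the proxy that ended TLS.
        String proto = request.getHeader("X-Forwarded-Proto");

        if ("http".equalsIgnoreCase(proto)) {
            // Prefer a configured host so the Location header is not built
            // from a client-controlled Host header.
            String host = canonicalHost != null ? canonicalHost : request.getServerName();
            String query = request.getQueryString();
            String target = "https://" + host + request.getRequestURI()
                    + (query != null ? "?" + query : "");
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target);
            return; // no chain.doFilter: the request is never served over HTTP
        }
        if ("https".equalsIgnoreCase(proto) || request.isSecure()) {
            // Browsers honour HSTS only when it arrives over HTTPS.
            response.setHeader("Strict-Transport-Security", HSTS);
        }
        // Anything not explicitly http passes through, including requests
        // with no header at all (for example a local docker run).
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` with a `<filter-mapping>` and remove the `CONFIDENTIAL` transport guarantee from web.xml, otherwise Tomcat keeps issuing its own redirect before the filter's decision matters.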