How to redirect traffic from the HTTP port to the HTTPS port in Tomcat while using OpenShift?

Solution Verified - Updated -

Environment

  • OpenShift Online (OSO)
  • OpenShift Enterprise (OSE)
    • 2.0

Issue

  • How to redirect traffic from the HTTP port to the HTTPS port in Tomcat while using OpenShift?
  • How to restrict an application to SSL only in OpenShift.
  • How to allow a server to listen on port 443 or 8443 only.
  • A redirect loop occurs when the redirect is set to port 443.

Resolution

Use a security-constraint directive in the web.xml file to force HTTPS connectivity. Follow the steps below:

Update the Connector in the repo/.openshift/config/server.xml file to look like:


<Connector address="${OPENSHIFT_JBOSSEWS_IP}" port="${OPENSHIFT_JBOSSEWS_HTTP_PORT}" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>

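Then add a Valve directive to the repo/.openshift/config/context.xml file. The valve lets Tomcat recognise, from the x-forwarded-proto header set by the proxy in front of it, that the original request already arrived over HTTPS. Without it, every request looks like plain HTTP to Tomcat and is redirected again, which produces the redirect loop: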

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       protocolHeader="x-forwarded-proto"
       internalProxies="169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.16\.\d{1,2}\.\d{1,3}"></Valve>

A sample security-constraint directive in repo/src/main/webapp/WEB-INF/web.xml looks like:


<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Note: The HTTP-to-HTTPS port forwarding is done internally by the container, so there is no need to add any certificates or a keystore here.
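The following added example (not part of the original solution and not Tomcat's own code) is a simplified Python model of how the three settings above interact: the valve trusts x-forwarded-proto only from peers matching internalProxies, and the CONFIDENTIAL constraint redirects anything still seen as insecure. The function names, host name and sample addresses are assumptions made for illustration.

```python
import re

# internalProxies from context.xml, written here with every dot escaped.
INTERNAL_PROXIES = re.compile(
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.16\.\d{1,2}\.\d{1,3}"
)

def is_secure(peer_addr, headers, valve_enabled=True):
    """Model of RemoteIpValve: trust x-forwarded-proto only when the
    TCP peer address fully matches internalProxies."""
    if not valve_enabled:
        return False  # the Connector itself only ever sees plain HTTP
    if not INTERNAL_PROXIES.fullmatch(peer_addr):
        return False  # header sent by an untrusted peer is ignored
    return headers.get("x-forwarded-proto", "").lower() == "https"

def handle(peer_addr, headers, path="/", valve_enabled=True, redirect_port=443):
    """Model of transport-guarantee CONFIDENTIAL: serve secure requests,
    redirect everything else to https on redirectPort."""
    if is_secure(peer_addr, headers, valve_enabled):
        return 200, None
    port = "" if redirect_port == 443 else f":{redirect_port}"
    return 302, f"https://{headers.get('host', 'localhost')}{port}{path}"

def follow(peer_addr, scheme, valve_enabled, max_hops=5):
    """Follow redirects as a browser would through a TLS-terminating proxy.
    Returns the number of redirects before a 200, or None for a loop."""
    for hop in range(max_hops):
        # The proxy reports the client's scheme; Tomcat always gets HTTP.
        headers = {"host": "app.example.com", "x-forwarded-proto": scheme}
        status, location = handle(peer_addr, headers, valve_enabled=valve_enabled)
        if status == 200:
            return hop
        scheme = location.split(":", 1)[0]
    return None

if __name__ == "__main__":
    # Constructed sample addresses: 127.0.0.1 stands in for the proxy.
    print("with valve:", follow("127.0.0.1", "http", True))
    print("without valve:", follow("127.0.0.1", "http", False))
    spoofed = {"host": "app.example.com", "x-forwarded-proto": "https"}
    print("untrusted peer:", handle("203.0.113.7", spoofed))
```

With the valve the client is redirected once and then served; without it the model never reaches a 200, which is the redirect loop listed under Issue.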
