Force https with Tomcat

This article describes how to make Tomcat force all traffic over HTTPS.

1. On the Tomcat node, edit the web.xml file and add the following inside the <web-app *> section.


    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Context</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- auth-constraint goes here if you require authentication -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

With this in place, Tomcat will attempt to redirect any HTTP request for the context to the HTTPS Connector, and will never serve it over HTTP.

 

2. Make Tomcat understand X-Forwarded-Proto by adding the following Valve to the <Engine> section of the Tomcat server.xml. You only need this change if you are using the shared Jelastic SSL certificate or a load balancer.


    <Valve className="org.apache.catalina.valves.RemoteIpValve"
    remoteIpHeader="x-forwarded-for"
    protocolHeader="x-forwarded-proto"
    protocolHeaderHttpsValue="https" />

3. Adjust the redirectPort in the connector so that it redirects users to 443, not 8443. Port 8443 is the internal port Tomcat listens on, but the Jelastic resolver pushes traffic to 443 and translates it onto the correct Tomcat port for you automatically, so 443 is the correct port for users' HTTPS requests.

Edit the server.xml file and change the connector's redirectPort to 443 if required.


    <Connector port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000"
    redirectPort="443" />

 

4. Restart the Tomcat node and it is done.
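To confirm that steps 1 to 3 are all in place before restarting, the check below parses both files and reports whichever setting is missing. It is an added example, not part of the original article or of Tomcat or Jelastic; the `audit` function and the sample XML are constructed for illustration, and a missing redirectPort is treated as Tomcat's default of 443.

```python
import xml.etree.ElementTree as ET

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"

def _all(root, name):
    # Match on local name so a namespaced web.xml (xmlns=...) is handled too.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [(e.text or "").strip() for e in _all(elem, name)]

def audit(web_xml, server_xml, behind_proxy=True):
    """Return findings; an empty list means steps 1-3 are all in place."""
    findings = []
    web, server = ET.fromstring(web_xml), ET.fromstring(server_xml)
    # Step 1: a security-constraint must cover /* with CONFIDENTIAL transport.
    if not any("/*" in _texts(c, "url-pattern")
               and "CONFIDENTIAL" in _texts(c, "transport-guarantee")
               for c in _all(web, "security-constraint")):
        findings.append("web.xml: no CONFIDENTIAL transport-guarantee on /*")
    # Step 2: behind a load balancer, RemoteIpValve must read x-forwarded-proto.
    valves = [v for v in _all(server, "Valve") if v.get("className") == REMOTE_IP_VALVE]
    if behind_proxy and not any(
            v.get("protocolHeader", "").lower() == "x-forwarded-proto" for v in valves):
        findings.append("server.xml: RemoteIpValve with protocolHeader not found")
    # Step 3: every plain-HTTP connector must redirect to public port 443.
    for c in _all(server, "Connector"):
        plain_http = (c.get("SSLEnabled", "false").lower() != "true"
                      and not c.get("protocol", "HTTP/1.1").startswith("AJP"))
        port = c.get("redirectPort", "443")  # assumption: absent means default 443
        if plain_http and port != "443":
            findings.append(f"server.xml: Connector port {c.get('port')} "
                            f"has redirectPort={port}")
    return findings

# Constructed sample files mirroring the snippets in steps 1-3.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
  <web-resource-collection><web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
  <Engine name="Catalina" defaultHost="localhost">
    <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for"
           protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https" />
  </Engine></Service></Server>"""

if __name__ == "__main__":
    for finding in audit(WEB_XML, SERVER_XML) or ["all three settings present"]:
        print(finding)
```

Pass `behind_proxy=False` when Tomcat terminates TLS itself, since step 2 only applies with the shared certificate or a load balancer.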

 


Comments

1 comment
  • Hello Joachim,

     

    Many thanks. It worked for me. Awesome!

    Good summary.
