My server is Tomcat, and I have configured the certificate and HSTS. My HTTPS port is 8443. I want to access the browser via http://domain:8443 and eventually redirect to https://domain:8443. However, when I actually try to access it, the browser returns a ‘Bad Request: This combination of host and port requires TLS.’ error. How can I resolve this issue?
tomcat conf/server.xml configuration is as follows:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" sslProtocol="TLS" secure="true" clientAuth="false"
keystoreFile="conf/tomcat.keystore"
keystorePass="changeit"
>
</Connector>
tomcat conf/web.xml configuration is as follows:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsPreload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingUri</param-name>
<param-value>https://localhost:8443/ssm</param-value>
</init-param>
<async-supported>true</async-supported>
</filter>
<!-- Enable HSTS Filter -->
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!-- for Redirect from HTTP to HTTPS -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This issue comes from https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/insecure-http-usage/
I also tried configuring RewriteValve to enforce HTTPS in Tomcat.
server.xml configuration is as follows:
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
<Context path="/ssm" docBase="ssm.war">
<Parameter name="rewrite.config" value="conf/rewrite.config" />
</Context>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log" suffix=".txt"/>
</Host>
conf/rewrite.config configuration is as follows:
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
But this configuration still has no effect.
You need to sign in to view this answers