I have configured SSL into my application running on Tomcat using the standard procedures. I have modified the server.xml file and web.xml to enforce the use of https in every request. I am supposed to do one of the 2 things.
1) The redirection that is taking place is a 302 redirect. How can I make this as a 301 redirect? This 302 redirect is not allowing Google robots to crawl my site
OR
2) Use a mechanism wherein the urls that I require to be http, are redirected from https to http.
I know Tomcat cannot automatically redirect from https to http once it is re-directed to http. I have added the following entry in web.xml to enable http access for the url that I require
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>UnsecureConnection</web-resource-name>
<url-pattern>/Market/browseMarket.htm</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
However once Tomcat is redirected to https using the first block, it is unable to redirect back to http even though the second block exists.
I read in some articles to use URLRedirectFilter in the application to achieve. To achieve that, I added the following in web.xml
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I have placed the urlrewrite.xml under WEB-INF, the contents of which are:
<urlrewrite>
<rule>
<from>Market/browseMarket.htm</from>
<to>http://%{server-name}%{request-uri}</to>
</rule>
</urlrewrite>
However, this doesn't seem to work and I still end up with https on that page.
Can someone help me with one of the above issues with a solution?
Related
So I have an Azure Web Service and an Azure CDN. My web service is running on ASP.Net Core
I make a request for my Website's index.html, which starts downloading assets from the CDN. All the assets get loaded, except for the font files.
Here's the error:
Access to Font at 'https://CDN.azureedge.net/68.0.3/styles/ui-grid.woff' from origin 'https://WebApp.azurewebsites.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://WebApp.azurewebsites.net' is therefore not allowed access.
Here's what one of the requests looks like:
So what I understand is:
Download index.html from Web Server
index.html -> download .css from CDN
.css -> download font from CDN
Blocked?? It seems like the browser is blocking the request, not the CDN, is that correct? If so why? Just because it's a font file request?
If using Azure Blob Storage as Origin for your CDN endpoint, the problem could be the CORS configuration in the Storage Account.
I initially had all my domains in a separate row under Allowed Origins and received the same errors as the OP.
Turns out you can/must place all domains (that should have the same CORS configuration) on the same row, separated by , like this:
In my case, IIS blocks .woff since mimeType is not set, hence you can set that in web.config (and optionally CORS if required) as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
<staticContent>
<remove fileExtension=".woff" /> <!-- In case IIS already has this mime type -->
<mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
<remove fileExtension=".woff2" />
<!-- In case IIS already has this mime type -->
<mimeMap fileExtension=".woff2" mimeType="application/x-font-woff2" />
</staticContent>
</system.webServer>
</configuration>
You can't pull fonts from CDN without proper config - it's a different domain, so browser can't trust this files without proper headers.
You have only one option - set properly header in CDN. If you have access to Apache or NGINX you can set:
Apache
<FilesMatch ".(eot|ttf|otf|woff)">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
NGINX
if ($filename ~* ^.*?\.(eot)|(ttf)|(woff)$){
add_header Access-Control-Allow-Origin *;
}
If you don't have access to server settings you can't use fonts from CDN.
If you are using the Verizon Premium SKU of Azure CDN, you can also set the CORS headers via the CDN instead of the origin server.
https://learn.microsoft.com/en-us/azure/cdn/cdn-cors
Status: tomcat8, redirect from apache2 via ajp
Apache2 VirtualHost directive contains:
ProxyPass / ajp://localhost:8009/SecureMain/
ProxyPassReverse / ajp://localhost:8009/SecureMain/
Tomcat8 server.xml contains:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
When servlet runs, header contains JSESSIONID, but getAttribute returns null.
When running the same servlet directly via tomcat8 port 8080, session content is availalble.
Any help would be appreciated.
I would say the use of StickySession attribute on ProxyPass should do. This question on ServerFault gives an idea about how to configure ajp.
stickysession=JSESSIONID|jsessionid
Let us suppose we have a website http://www.example.com and we do not have any website where we dont have any secure site so no such site exist https://www.example.com
Some How it is possible someone else can use same domain name which i have and run parallel https://www.example.com
EDIT:-
Now see one live example
Please open this link https://www.lpu.in/frmLoginAccounts.aspx and main website is http://www.lpu.in/index.php
Can someone tell me https used in this website is fraud or someone hacked this website?
No someone else can not take your reserved domain(A-Record), but you can run virtual hosts on your apache server, one that listens to HTTPS(Port 443) and one that listens to HTTP(Port 80). Both can refer to the same directory on your webserver, whereas the HTTPS host configures certificates additionally.
Here is a link to that: https://httpd.apache.org/docs/2.2/vhosts/examples.html
Do you have a SSL purchased on your hosting? if you have you can just install and configure on the server and then add an htaccess on the root directory of site with the following code:
FOR Linux based Hosting:
htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Windows & Plesk:
Using the following code in your web.config file automatically redirects visitors to the HTTPS version of your site:
<configuration><system.webServer><rewrite> <rules><rule name="HTTP to HTTPS redirect" stopProcessing="true"> <match url="(.*)" /> <conditions> <add input="{HTTPS}" pattern="off" ignoreCase="true" /></conditions> <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" /></rule> </rules></rewrite></system.webServer></configuration>
No they dont hacked you. Do you have a webhoster or is this your own server? If you have a webhoster, then they provide you HTTPS with a trustworthy certificate, because my browser says that the certificate is trustworhy, so the Certificate Authority(CA) confirmed the servers identitiy.Otherwise deactivate the HTTPS-Service on your webserver, while you close the listening port(f.e 443).
I hope this helps :-)
Its seems like you have a broken SSL on your site. it is not hacked in my point of view. domain name server cannot be hacked at all. please check check you htaccess file if you using Linux hosting or check webconfig file if you are on windows hosting. there will any rule defile there so you site is running in both cases. either with https:// but it is not showing any content of the site so it is broke. or without https:// that is good so it is showing site contents.
No, it's totally not possible. The domain name (www.example.com) is resolved to an IP address before the HTTP/HTTPS request, therefore they both point to the same Web server.
EDIT after original question was edited
when you try to reach www.lpu.in, the first thing your OS does is resolving its domain name in a numeric IP address:
$ host www.lpu.in
www.lpu.in has address 173.244.171.162
there's absolutely no difference in trying to reach the machine with HTTP or HTTPS protocol.
Therefore, i'm confident that someone hacked into your server.
The behaviour you report is possible because Apache has two separate configuration for HTTP and HTTPS, and serves different pages from each if one (you or an hacker) configures it for this purpose.
You should look at the Apache configuration, HTTPS section in particular, to understand what's the DocumentRoot for https virtualhosts.
Trying to use AAR as a reverse proxy in front of several back end IIS servers.
One public ip address assigned to the server running IIS/AAR
Then outbound URL rewrite rules are setup to redirect to one of
several back end servers depending on hostname.
Works somewhat, but always returns the back end servers default site (not the one mapped to a hostname) so it looks like the host name (HTTP_HOST) is not getting passed from the proxy server to the back end server.
(I've verified bypassing the reverse proxy by editing hosts and the back end server returns the correct site bound to the host header)
This is an example of the rule (192.168.0.99 is the internal server, site.myco.com is the hostname)
<rewrite>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://192.168.1.99/{R:1}" />
</rule>
</rules>
</rewrite>
Have tried putting sever variables so
<!-- Guessing server.myco.com is hard coded -->
<serverVariables>
<set name="HTTP_HOST" value="server.myco.com" />
</serverVariables>
<!-- Guessing picked up dynamically from incoming request host header -->
<serverVariables>
<set name="HTTP_HOST" value="{HTTP_HOST}" />
</serverVariables>
But alas always returns the default binding - any ideas?
This post has the answer - Modifying headers with IIS7 Application Request Routing
Need to enable preserveHostHeader - can't see how you do that in the UI but this works
Run this from command line to update Machine/webroot/apphost config
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost
You can do this with GUI. While on the root server click configuration editor, go to System.webServer -> proxy and set preserveProxyHeader to true.
My guess would be that your server doesn't allow you to change the server variable HTTP_HOST when you rewrite the URL.
At the level of the website where the URL rewrite is applied:
Then click the Add... link on the right tab and add your HTTP_HOST variable:
How should I configure the URL Rewrite Rule in IIS7 to redirect my aditional domains ( domain.net, domain.org, domain.info) to the principal .com domain?
In IIS7, you can use the new command “appcmd.exe” to enable redirection as following:
%windir%\system32\inetsrv\appcmd set config "Default Web Site/" -section:system.webServer/httpRedirect -enabled:true -destination:"http://domain.com"
This tells IIS to redirect all request sending to the virtual application “/” to “http://domain.com”. The actual result is that appcmd.exe adds the following section to the web.config file for “/”:
web.config of your domain.net
<system.webServer>
<httpRedirect enabled="true" destination="http://domain.com" httpResponseStatus="Permanent"/>
</system.webServer>