tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Preißer <kpreis...@apache.org>
Subject RE: iis isapi redirect problem
Date Thu, 23 Jul 2015 18:01:03 GMT
Hi,

> -----Original Message-----
> From: Andrew Geery [mailto:andrew.geery@gmail.com]
> Sent: Saturday, July 18, 2015 3:16 PM
> To: users@tomcat.apache.org
> Subject: iis isapi redirect problem
> 
> I have successfully gotten Tomcat 8 to work with IIS 8.5 using these
> directions: https://tomcat.apache.org/connectors-doc/reference/iis.html
> 
> IIS correctly forwards requests to Tomcat to handle and Tomcat correctly
> hands the response back to IIS to return to the client.  This works over
> http and over https.
> 
> Now there is a requirement that all traffic should go over ssl, so in IIS I
> added the following redirect to C:\inetpub\httproot:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <configuration>
>     <system.webServer>
>         <httpRedirect enabled="true" destination="<https location of the
> site>" exactDestination="false" httpResponseStatus="Found" />
>     </system.webServer>
> </configuration>
> 
> The effect of this is that when a client requests a page over http, the
> server sends a redirect (302) to the same page over https.  This works for
> other, non-Tomcat related pages on the site.  However, it does not work for
> pages that use the ISAPI redirector.  When a Tomcat page is requested, the
> URL that is returned is
> 
> https://<website>/jakarta/isapi_redirect.dll
> 
> That is, what seems to be happening is that rather having the ISAPI handler
> render the page, the extension_uri value from the registry entry is being
> returned to the client.
> 
> My questions are:
> 1) is there a better way to force http -> https in IIS? or
> 2) if not, is there a way to get IIS/ISAPI to work with a redirect (301 or
> 302)?


I don't have much knowledge about ISAPI but I think this URL is returned because the Tomcat
ISAPI Redirector DLL first acts as a ISAPI Filter to rewrite the URL to itself, so that in
the next step it can act as a ISAPI Extension to actually forward the request to Tomcat.

I don't know about the <httpRedirect> element in IIS, but with IIS you can also use
a HttpModule that redirect non-HTTPS requests. Note that when redirecting HTTP to HTTPS, you
normally would use HSTS (HTTP Strict Transport Security) [1] so that the client knows that
every request to this host should go over HTTPS.

Without HSTS a MITM attacker could simply strip out the redirect and SSL/TLS when the user
wants to visit the page, because when the user enters "www.example.com" the browser usually
would make a request to "http://www.example.com/" instead of "https://www.example.com".
With HSTS, only the first request is "vulnerable" (as long as you don't add the website to
the HSTS preload list [2]), but for subsequent requests the browser automatically replaces
http://... with https://... for that host, so without HSTS the users would not really be protected.


To implement a permanent (301) redirect and add a HSTS header, you could use a HTTP module
like the following in IIS 7+:

[[[
using System;
using System.Web;

namespace Webapp.Code.Utils {
    /// <summary>
    /// A module that redirects HTTP requests to HTTPS ones, adding a HSTS header.
    /// </summary>
    public class SslAndHstsModule : IHttpModule {

        public void Init(HttpApplication context) {
            context.BeginRequest += context_BeginRequest;
        }

        private void context_BeginRequest(object sender, EventArgs e) {
            HttpApplication app = (HttpApplication)sender;
            HttpRequest request = app.Request;
            HttpResponse response = app.Response;
            
            if (request.IsSecureConnection) {
                // Add a HSTS header
                response.AppendHeader("Strict-Transport-Security", "max-age=63072000");
            } else { 
                // Permanently redirect a HTTP request to HTTPS
                string path = "https://" + request.ServerVariables["SERVER_NAME"] + request.ServerVariables["UNENCODED_URL"];
                response.RedirectPermanent(path, false);
                app.CompleteRequest();
            } 
        }

        public void Dispose() {
            // Do nothing
        }
        
    }
}
]]]


To use it, you can put the code into a text file with the extension ".cs" and place it into
the "App_Code" directory in your IIS web application directory. Then you can enable the module
by adding it to the web.config file in the configuration/system.webServer/modules section:


<configuration>
  <system.webServer>
    <modules>
      <!-- Redirect HTTP requests to HTTPS and add a HSTS header -->
      <add name="SslAndHstsModule" type="Webapp.Code.Utils.SslAndHstsModule"/>
    </modules>
  </system.webServer>
</configuration>



Regards,
Konstantin Preißer


[1] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
[2] https://hstspreload.appspot.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message