
We currently have an Ubuntu server running Tomcat 8.5 that hosts two websites from different domains. It's a weird situation but long story short, we need to disable SSL for one of the two sites and keep SSL functioning for the other site. This server currently has one IP address. The two site names are structured as follows:

site1.a.net
site2.a.com

We'd like to disable SSL for site1.a.net and keep SSL enabled for site2.a.com. Is this possible in Tomcat 8.5?

CacheMoney
    Since port 443 will be open, it will always be possible to open `https://site2.example.com`. What behavior are you expecting from the server? It can serve a self-signed certificate and return a 404 error. – Piotr P. Karwasz Apr 22 '21 at 20:54
  • @PiotrP.Karwasz, we would like for SSL to be disabled on site1.a.net. SSL should remain enabled for site2.a.com. Someone navigating to site1.a.net should not get redirected to the HTTPS version of the site and if someone explicitly specifies 'https' in the URL, it should 'redirect' to http. – CacheMoney Apr 23 '21 at 12:34

1 Answer


[In order not to use any registered domains, let's use site1.example.net and site2.example.com, which are reserved for documentation purposes.]

Redirection from HTTPS to HTTP works just the same as redirection from HTTP to HTTPS with a twist: when a client opens https://site1.example.net, the server must present a trusted TLS certificate for site1.example.net before any redirection is possible. Failing to do that will result in a security warning in the browser. I would use a Let's Encrypt certificate for that.

Otherwise you just need to configure two <Host>s in your <Engine> and two <Certificate>s in your <Connector>. Your site1.example.net host needs a RewriteValve to perform the redirect:

<Service name="Catalina">
    <!-- HTTP connector -->
    <Connector port="80" redirectPort="443"/>
    <!-- HTTPS connector -->
    <!-- If the client does not use SNI it ends up with site1.example.net certificate -->
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="site1.example.net">
        <SSLHostConfig hostName="site1.example.net">
            <Certificate certificateFile="conf/site1.example.net.crt" certificateKeyFile="conf/site1.example.net.key" />
        </SSLHostConfig>
        <SSLHostConfig hostName="site2.example.com">
            <Certificate certificateFile="conf/site2.example.com.crt" certificateKeyFile="conf/site2.example.com.key" />
        </SSLHostConfig>
    </Connector>
    <!-- If a client doesn't send a Host: header or puts the IP in the Host: header it ends up on site1.example.net -->
    <Engine defaultHost="site1.example.net" name="Catalina">
        <Host appBase="webapps/site2.example.com" name="site2.example.com">
            ...
        </Host>
        <Host appBase="webapps/site1.example.net" name="site1.example.net">
            <!-- We need it for the redirect -->
            <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
        </Host>
    </Engine>
</Service>

In order to configure the RewriteValve you just need to create a file conf/Catalina/site1.example.net/rewrite.config with content

# If the client connected through HTTPS
RewriteCond %{HTTPS} on
# Temporarily redirect to the HTTP version
RewriteRule ^ http://site1.example.net%{REQUEST_PATH} [R,L]
Piotr P. Karwasz
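The layout above only works if the pieces agree with each other: a <Host> with no matching <SSLHostConfig> silently falls back to the default certificate (so SNI clients see a certificate-name mismatch instead of the intended redirect), and an HTTP-only host without the RewriteValve keeps answering over HTTPS. The following script is an added example, not code from the answer or from the Tomcat project; it lints a server.xml for exactly those consistency rules using only the standard library. The embedded server.xml is a constructed sample modelled on the answer's configuration, the certificate paths are placeholders, and the rule set (`lint_server_xml`) is this example's own, not a Tomcat feature.

```python
"""Lint a Tomcat 8.5 server.xml for the two-host, one-IP TLS layout
from the answer above. Added example, not part of the Server Fault thread.

Rules checked (hypothetical lint rules derived from the answer's config):
  1. every <Host> in the <Engine> has an <SSLHostConfig> with the same
     hostName, otherwise SNI clients for that name get the default
     certificate and a browser warning instead of a redirect;
  2. defaultSSLHostConfigName on the HTTPS connector names an existing
     <SSLHostConfig> (Tomcat's built-in default name is "_default_");
  3. <Engine defaultHost> names an existing <Host>;
  4. the host meant to be HTTP-only carries the RewriteValve.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the answer's server.xml; the .crt/.key
# paths are placeholders, not real files.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="80" redirectPort="443"/>
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="site1.example.net">
      <SSLHostConfig hostName="site1.example.net">
        <Certificate certificateFile="conf/site1.example.net.crt"
                     certificateKeyFile="conf/site1.example.net.key"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="site2.example.com">
        <Certificate certificateFile="conf/site2.example.com.crt"
                     certificateKeyFile="conf/site2.example.com.key"/>
      </SSLHostConfig>
    </Connector>
    <Engine defaultHost="site1.example.net" name="Catalina">
      <Host appBase="webapps/site2.example.com" name="site2.example.com"/>
      <Host appBase="webapps/site1.example.net" name="site1.example.net">
        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"


def lint_server_xml(xml_text, http_only_host):
    """Return a list of problem strings; an empty list means the layout is consistent."""
    root = ET.fromstring(xml_text)
    problems = []

    hosts = {h.get("name"): h for h in root.iter("Host")}
    ssl_hosts = {c.get("hostName") for c in root.iter("SSLHostConfig")}

    # Rule 1: each virtual host needs its own certificate block.
    for name in hosts:
        if name not in ssl_hosts:
            problems.append(
                f"Host {name} has no SSLHostConfig; SNI clients get the default certificate")

    # Rule 2: the connector's default SSLHostConfig must exist.
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            default_ssl = conn.get("defaultSSLHostConfigName", "_default_")
            if default_ssl not in ssl_hosts:
                problems.append(
                    f"defaultSSLHostConfigName={default_ssl} matches no SSLHostConfig")

    # Rule 3: the engine's default host must be one of the defined hosts.
    for engine in root.iter("Engine"):
        default_host = engine.get("defaultHost")
        if default_host not in hosts:
            problems.append(f"Engine defaultHost={default_host} matches no Host")

    # Rule 4: the HTTP-only host must carry the RewriteValve that does the redirect.
    host = hosts.get(http_only_host)
    if host is None:
        problems.append(f"HTTP-only host {http_only_host} is not defined")
    else:
        valves = {v.get("className") for v in host.findall("Valve")}
        if REWRITE_VALVE not in valves:
            problems.append(
                f"Host {http_only_host} lacks {REWRITE_VALVE}; HTTPS requests will not redirect")

    return problems


if __name__ == "__main__":
    # Run against the embedded sample; swap in open("conf/server.xml").read()
    # to lint a real installation.
    for p in lint_server_xml(SAMPLE_SERVER_XML, "site1.example.net"):
        print("PROBLEM:", p)
```

Run it against the sample and it reports nothing; rename one SSLHostConfig hostName or drop the Valve line and the corresponding rule fires. The script deliberately parses only the structure, so it will not catch an expired or wrong-subject certificate on disk; that still has to be checked against the actual certificate files.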