
This question is related to "How to have Jetty redirect http to https" and "Jetty 9 - redirect http to https", but it is not answered in either location.

Basically, we run our app at some port, say 8085. We have generally used HTTP to access this app. We've upgraded to requiring HTTPS now. We want a user accessing 8085 with HTTP to be redirected to 8085 with HTTPS. i.e. http://host:8085 -> https://host:8085

I understand that the normal process is to run HTTP and HTTPS on different ports, but we aren't going to be running HTTP at all.

Here is some of our configuration which is not working atm. After trying everything that I can, I can't get the server to respond to http://host:8085 at all.

Is this due to only one connector (HTTP or HTTPS) being able to listen to the port at one time?

Is there any other way to do this?

Thank you.

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="sessionHandler">
    <Get name="sessionManager">
      <Set name="usingCookies" type="boolean">true</Set>
    </Get>
  </Get>
  <Set name="securityHandler">
    <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
      <Call name="addConstraintMapping">
        <Arg>
          <New class="org.eclipse.jetty.security.ConstraintMapping">
            <Set name="pathSpec">/*</Set>
            <Set name="constraint">
              <New class="org.eclipse.jetty.util.security.Constraint">
                <!-- 2 means CONFIDENTIAL. 1 means INTEGRITY -->
                <Set name="dataConstraint">2</Set>
              </New>
            </Set>
          </New>
        </Arg>
      </Call>
    </New>
  </Set>
</Configure>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <!-- This says Redirect to https://host:8085 if server returns "NOT SECURE" error -->
      <Set name="secureScheme">https</Set>
      <Set name="securePort"><Property name="jetty.secure.port" default="8085" /></Set>

      <Set name="outputBufferSize"><Property name="jetty.output.buffer.size" default="32768" /></Set>
      <Set name="requestHeaderSize"><Property name="jetty.request.header.size" default="8192" /></Set>
      <Set name="responseHeaderSize"><Property name="jetty.response.header.size" default="8192" /></Set>
      <Set name="sendServerVersion"><Property name="jetty.send.server.version" default="true" /></Set>
      <Set name="sendDateHeader"><Property name="jetty.send.date.header" default="false" /></Set>
      <Set name="headerCacheSize">512</Set>
      <!-- Uncomment to enable handling of X-Forwarded- style headers -->
      <Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
      </Call>
      <Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer" /></Arg>
      </Call>
    </New>


<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.base" default="/opt/app" />/<Property name="jetty.keystore" default="https/JettyKeyStore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/>*******</Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="/opt/app" />/<Property name="jetty.truststore" default="https/JettyKeyStore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

</Configure>

<Call id="httpsConnector" name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="host"><Property name="jetty.host" />localhost</Set>
      <Set name="port"><Property name="https.port" default="8085" /></Set>
      <Set name="idleTimeout"><Property name="https.timeout" default="30000"/></Set>
      <Set name="name">standardConnection</Set>
    </New>
  </Arg>
</Call>

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="httpConfig" /></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="host"><Property name="jetty.host" />localhost</Set>
      <Set name="port"><Property name="jetty.port" default="8085" /></Set>
      <Set name="idleTimeout"><Property name="http.timeout" default="30000"/></Set>
      <Set name="name">standardConnection</Set>
      <Set name="confidentialPort">8085</Set>
    </New>
  </Arg>
</Call>

Splaktar
  • This question on StackOverflow (that should be on ServerFault): http://stackoverflow.com/questions/11182192/how-do-i-serve-https-and-http-for-jetty-from-one-port seems to indicate that this is not possible without writing your own application server code. – Splaktar Mar 10 '14 at 15:55
  • 1
    I don't think this is possible to have a connector listening on HTTP on some port and another for https on the same port. You can use https://github.com/yrutschle/sslh to perform some black magic upstream. Or recode that in java. Happy fiddling ! – Oct Mar 10 '14 at 15:56
  • Did you eventually work it around ? – Victor Mar 06 '20 at 09:28
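
What the comments describe (sslh, or the same logic in Java) works because a TLS connection opens with a handshake record whose first byte is 0x16, while HTTP/1.x opens with an ASCII method name. The listener below is an added example, not code from the question, Jetty or sslh: it peeks at that byte on port 8085 and either completes TLS on the socket or answers 301 to https on the same port. `SinglePortRedirect`, `HOST` and the fixed `ok` response are assumptions, and the server key is expected through the standard `javax.net.ssl.keyStore` system properties.

```java
import java.io.*;
import java.net.*;
import javax.net.ssl.SSLSocketFactory;
import static java.nio.charset.StandardCharsets.US_ASCII;

public class SinglePortRedirect {
    static final int PORT = 8085;            // port from the question
    static final String HOST = "localhost";  // assumed canonical name; the Host header is not echoed

    // Same port, https scheme, and only an origin-form path taken from the request line.
    static String redirectFor(String requestLine) {
        String[] p = requestLine == null ? new String[0] : requestLine.split(" ");
        String path = p.length == 3 && p[1].startsWith("/") ? p[1] : "/";
        return "HTTP/1.1 301 Moved Permanently\r\nLocation: https://" + HOST + ":" + PORT + path
             + "\r\nContent-Length: 0\r\nConnection: close\r\n\r\n";
    }

    // Returns the request line after draining the headers up to the blank line.
    static String readRequestLine(InputStream in) throws IOException {
        BufferedReader r = new BufferedReader(new InputStreamReader(in, US_ASCII));
        String first = r.readLine();
        for (String h = first; h != null && !h.isEmpty(); h = r.readLine()) { }
        return first;
    }

    static void handle(Socket raw, SSLSocketFactory tls) throws IOException {
        raw.setSoTimeout(5000);  // a silent client cannot hold the accept loop indefinitely
        int b = raw.getInputStream().read();
        if (b < 0) return;
        InputStream seen = new ByteArrayInputStream(new byte[] {(byte) b});
        if (b == 0x16) {  // TLS handshake record: the start of a ClientHello
            // Hand the consumed byte back so the TLS stack parses the complete ClientHello.
            Socket s = tls.createSocket(raw, seen, true);
            readRequestLine(s.getInputStream());
            s.getOutputStream().write(  // stand-in for the real application response
                "HTTP/1.1 200 OK\r\nContent-Length: 3\r\nConnection: close\r\n\r\nok\n".getBytes(US_ASCII));
            s.close();
        } else {          // anything else is treated as plaintext HTTP and redirected
            String line = readRequestLine(new SequenceInputStream(seen, raw.getInputStream()));
            raw.getOutputStream().write(redirectFor(line).getBytes(US_ASCII));
        }
    }

    public static void main(String[] args) throws IOException {
        SSLSocketFactory tls = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (ServerSocket server = new ServerSocket(PORT)) {
            while (true) {
                try (Socket c = server.accept()) { handle(c, tls); }
                catch (IOException e) { System.err.println("dropped: " + e.getMessage()); }
            }
        }
    }
}
```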

0 Answers