How to redirect HTTP to HTTPS in Wildfly10? - jboss

My requirements are:
1. The application URL should use http, a domain name or IP address, and no port number.
2. The application needs to be redirected to https.
3. Again, the port number should not be visible.
4. All of this needs to be done in Wildfly.

Application URL should use http, a domain name or IP address, and no port number
Try configuring Apache in front of the JBoss instance.
Application needs to be redirected to https
Add redirect-port="443" to the http connector as follows:
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
Configure the https connector in the configuration file (standalone.xml/domain.xml).

Related

Set custom headers in outbound cookies from Keycloak/Wildfly

I am running a keycloak:12.0.4 container (which uses Wildfly as the web server).
I would like all outbound cookies from Keycloak to carry a custom attribute (samesite=lax).
Following the answer here, I added
<filter-ref name="samesite-cookie"/> and <response-header name="samesite-cookie" header-name="SameSite" header-value="lax"/> to the appropriate places in standalone-ha.xml on the server and restarted. However, this only adds the header to the HTTP response from Keycloak, and not to the actual cookies themselves.

Redirect request from port 443 to some other port in IIS

I have created a web site in IIS and hosted an ASP.NET web service on this site. The requests to the web service will be sent by a 3rd-party application to the following URL:
https://www.mywebsite.com/MyWebservice/api/dosomething
When I set the HTTPS binding for my website to the default port 443, everything works fine (no certificate problems or anything else).
But because the default port 443 may be blocked by other software, I want to move to another port (for example 7443). Changing the calling URL to add the correct port is not an option, because the port may differ from customer to customer (it could happen that we have to move to port 6443 or 8443).
First question:
Do I have to change my HTTPS binding to port 7443 or leave it on port 443? I think I have to change it to port 7443.
Second question:
I installed the module "URL Rewrite" and created a rule in applicationHost.config with the GUI of IIS. But every time a request comes in, I get the error "net::ERR_CONNECTION_REFUSED". I've created an incoming firewall rule to allow port 7443 for incoming traffic, but with no success.
My rule in applicationHost.config looks like the following:
<rewrite>
<globalRules>
<rule name="Redirect to port 7443" stopProcessing="true">
<match url="www.mywebsite.com/(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{SERVER_PORT}" pattern="^7443$" negate="true" />
</conditions>
<action type="Redirect" url="https://www.mywebsite.com:7443/{R:1}" />
</rule>
</globalRules>
</rewrite>
I found the rule in this question: How do I redirect a specific port in the IIS server to an other port
I also tried the rule in the answer to the above question, but without success.
If I enter the plain URL of my website (https://www.mywebsite.com), the browser tells me that the website is not reachable. If I add the port (https://www.mywebsite.com:7443), the browser shows my "Hello world" index.html.
Third question: On which level do I have to add the "URL Rewrite" rule (applicationHost.config, web.config of the web site, or web.config of the web service)? I just want to redirect the requests to my web site / web service to a different port.
I hope someone can help me with this problem.
Best Regards
Michael
Do I have to change my HTTPS binding to port 7443 or leave it on port 443? I think I have to change it to port 7443.
As lex says, we can bind multiple domains to the same port 443. IIS will check the domain when the request comes to the server, then route the request to the right application. In my opinion, there is no need to use a new port.
To achieve this, you should add the domain in the IIS site binding's host name textbox.
I installed the module "URL Rewrite" and created a rule in applicationHost.config with the GUI of IIS. But every time a request comes in, I get the error "net::ERR_CONNECTION_REFUSED". I've created an incoming firewall rule to allow port 7443 for incoming traffic, but with no success.
I found that your URL rewrite rule's match url value is wrong; it will not match anything. The match url part only matches the pattern of the URL path, not the domain.
Besides, if you use the site binding, there is no need to add the URL rewrite rule.
On which level do I have to add the "URL Rewrite" rule (applicationHost.config, web.config of the web site, or web.config of the web service)? I just want to redirect the requests to my web site / web service to a different port.
In my opinion, you can add the URL rewrite rule into the web.config. For example, if you want to redirect the URL from port 443 to 7743, you can add the URL rewrite rule into the web.config file of the application on port 443.

Tell Wildfly to redirect to HTTPS after login instead of HTTP when behind HTTPS wildfly undertow-balancer

We have a load balancer sitting in front of two wildfly servers. The load balancer handles the SSL handshake and forces all traffic over https (http requests are redirected to https requests); the wildfly nodes do not have certificates on them, traffic between the load balancer and the servers is unencrypted, and the wildfly nodes know nothing about the SSL.
When a user hits a protected page, wildfly presents them with a login page. The user enters credentials and submits the login form. Wildfly logs the user in and then sends a redirect to send them to the desired page. The redirect sent by wildfly is an HTTP redirect. This gets caught by the load balancer and redirected to HTTPS, but I really want to avoid that second redirect. How can I tell wildfly to return an HTTPS redirect after login instead of HTTP?
I followed this link but am not sure how to do the same between the wildfly undertow load balancer and the wildfly server.
I followed this link also but didn't have any luck.
Below is the detailed solution explanation for the above problem:
We have a load balancer sitting in front of two wildfly servers. The load balancer handles the SSL handshake and forces all traffic over https; the wildfly nodes do not have certificates on them, traffic between the load balancer and the servers is unencrypted, and the wildfly nodes know nothing about the SSL. The communication between the load balancer and the wildfly nodes is via the http protocol.
When a user hits a protected page, e.g. https://someip/app
The request flow is as below:
Client browser to load balancer via https
Load balancer to wildfly nodes via the http protocol.
It worked after adding proxy-address-forwarding="true" to the http listener of the wildfly server node.

How to configure JBoss EAP (6.4.x) for a combined HTTP/HTTPS reverse proxy?

Our application runs in JBoss EAP 6.4. Our development setup provides a JBoss instance running in HTTP mode on port 8080 and a reverse proxy with both HTTP (port 9090) and HTTPS (port 9443) endpoints to help test different scenarios.
A problem arises when I try to use the "current" URL by injecting UriInfo into my request handlers. The scheme part of the URI inside it always depends on the scheme attribute of the connector setting in standalone.xml and not on the scheme actually used. So for example, if I call https://localhost:9443 and http://localhost:9090 while the connector's scheme is set to https, both URLs are converted to HTTPS, i.e. https://localhost:9443 but also https://localhost:9090. If I switch the connector's scheme to http, both URLs change to HTTP. Needless to say, X-Forwarded-Proto is also ignored.
Is there a way to make JBoss behave more like most other application servers, i.e. without making any assumptions about the environment used, especially reverse proxies and load balancers?
RemoteIpValve should do everything you need.
Source code from the JBossWeb 7.5.20 (EAP 6.4.20):
http://anonsvn.jboss.org/repos/jbossweb/tags/JBOSSWEB_7_5_20_FINAL/src/main/java/org/apache/catalina/valves/RemoteIpValve.java
Here's the more readable documentation on the upstream Apache Tomcat 7.0 project website:
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
The minimum config in your case would be the following global valve configuration in the web subsystem:
<valve name="remoteip-valve" module="org.jboss.as.web" class-name="org.apache.catalina.valves.RemoteIpValve">
<param param-name="protocolHeader" param-value="X-Forwarded-Proto"/>
</valve>
This would set the scheme based on the value of the X-Forwarded-Proto header.
For https it would also set the secure flag to true and the port to 443.
Since you seem to require the HTTPS port to be set to 9443, you can do that via the additional httpsServerPort parameter (and I think you'll also need to set httpServerPort to 9090 as you mention above, because the RemoteIpValve would otherwise override it to 80), e.g.
<valve name="remoteip-valve" module="org.jboss.as.web" class-name="org.apache.catalina.valves.RemoteIpValve">
<param param-name="protocolHeader" param-value="X-Forwarded-Proto"/>
<param param-name="httpServerPort" param-value="9090"/>
<param param-name="httpsServerPort" param-value="9443"/>
</valve>
And you can do more with that valve if you need to; just check the documentation for more details.
It's also briefly described, for example, here (RH login required): https://access.redhat.com/solutions/629863
BTW, if you are able to use the AJP protocol (from the proxy to the app server) instead, this wouldn't be needed, as AJP is designed for these cases and all the required information should be transferred to the app server pretty much transparently.
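The proxy-address-forwarding setting in the Wildfly answer above and the RemoteIpValve configuration in this answer both rest on the same logic: derive the request scheme and port from X-Forwarded-Proto, but only when the request actually came from the proxy, otherwise a direct client could spoof https and receive redirects to the wrong scheme or port. The Python below is an added model of that logic (not JBoss, Tomcat or Undertow code); the parameter names mirror protocolHeader, httpServerPort and httpsServerPort from the valve config, while ForwardedRequest, RemoteIpResolver, redirect_location and the internalProxies ranges are assumptions made for the illustration.

```python
# Added illustration of RemoteIpValve-style scheme resolution; not JBoss/Tomcat code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class ForwardedRequest:
    """What the app server's own connector saw, plus the request headers."""
    remote_addr: str
    headers: dict = field(default_factory=dict)
    scheme: str = "http"      # connector scheme: plain HTTP between proxy and node
    server_port: int = 8080


class RemoteIpResolver:
    """Mirrors the valve parameters quoted above (protocolHeader, httpServerPort,
    httpsServerPort). internal_proxies is an assumed allow-list of proxy addresses;
    the header is ignored for any other peer so a client cannot spoof the scheme."""

    def __init__(self, protocol_header="X-Forwarded-Proto",
                 http_server_port=80, https_server_port=443,
                 internal_proxies=("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")):
        self.protocol_header = protocol_header.lower()
        self.http_server_port = http_server_port
        self.https_server_port = https_server_port
        self.internal_proxies = [ip_network(n) for n in internal_proxies]

    def is_internal_proxy(self, addr):
        ip = ip_address(addr)
        return any(ip in net for net in self.internal_proxies)

    def resolve(self, req):
        """Return (scheme, server_port, secure) as the application should see them."""
        if not self.is_internal_proxy(req.remote_addr):
            return req.scheme, req.server_port, req.scheme == "https"
        headers = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
        proto = headers.get(self.protocol_header, "").strip().lower()
        if proto == "https":
            return "https", self.https_server_port, True
        if proto == "http":
            return "http", self.http_server_port, False
        return req.scheme, req.server_port, req.scheme == "https"  # header absent or unknown value


def redirect_location(resolver, req, host, path):
    """Build the absolute Location a post-login redirect should carry, hiding default ports."""
    scheme, port, _ = resolver.resolve(req)
    default_port = 443 if scheme == "https" else 80
    netloc = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"
```

With the 9090/9443 values from this answer, a request relayed by the proxy with X-Forwarded-Proto: https yields https://localhost:9443/app, while the same header sent directly from an outside address is ignored and the redirect stays on the connector's own http://localhost:8080.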

WebSphere, sendRedirect and HTTPS

Environment: WebSphere App Server / WebSphere Portal 7, fronted by IBM IHS/Apache httpd using was_ap20_module / mod_was_ap20_http.
I have a servlet or JSP page with a redirect like
response.sendRedirect("/wps/myportal/....")
The generated HTTP redirect ends up with the right host and port for the IHS/Apache endpoint but the wrong protocol: it is http instead of https.
For example, if IHS/Apache is listening on https://myserver.com and WAS is on http://192.168.12.34:12345 (all ports/hosts fake), then my redirect comes back as http://myserver.com, i.e. the correct host and port but the wrong protocol.
How does WebSphere figure out the right host/port to use but not the protocol? How can I force the desired behavior?
Use Apache mod_headers to add a custom header before the request is forwarded to WebSphere. In WebSphere, set httpsIndicatorHeader to that custom header; WebSphere will then know to switch to https.
http://www.ibmconnections.org/wordpress/index.php/tag/was-ssl-http-https/
http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Frweb_custom_props.html