Forcing HTTPS redirect on Wildfly 10.0 directs to

Posted 2019-09-19 14:53

I am having a very challenging time forcing HTTPS on a Bitnami Ubuntu Wildfly 10 install.

The HTTPS works fine (e.g. https://example.com works great)

I have tried many different things with no result. Here are some highlights of what I've done:

I modified my web.xml to add this (note MYWEBNAME was replaced with my war file name):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>MYWEBNAME</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I modified /opt/bitnami/apache2/conf/bitnami/bitnami.conf (as per https://docs.bitnami.com/aws/components/apache/):

<VirtualHost _default_:80>
      DocumentRoot "/opt/bitnami/apache2/htdocs"
ADD:  RewriteEngine On
ADD:  RewriteCond %{HTTPS} !=on
ADD:  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
      ...
</VirtualHost>

I modified standalone.xml

<management-interfaces>
    <http-interface security-realm="ApplicationRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>

I modified my root index.html to redirect to:

<SCRIPT>document.location="https://example.com";</SCRIPT>

As per Wildfly 9 http to https, I tried this:

<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
    <socket interface="management" secure-port="${jboss.management.http.port:9990}"/>
</http-interface>

This resulted in a 503 error and Wildfly dying, so I removed it.

What I have now is http://example.com redirecting to https://localhost:8443.

So I think it's close; I just cannot figure out how to make it redirect to https://example.com:8443 instead.

2 answers

疯言疯语
Reply 2 · 2019-09-19 15:08

For others looking for a solution, here's a summary of what I did - all in one spot. This is a summary of the links located in this thread, so h/t to those authors who answered the question. The credit belongs to them, this is just a summary of what worked for me.

1. Add an iptables routing rule to route port 443 to 8443.

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Hint: to see what rules you already have in place, use:

sudo iptables -t nat -L -n -v

2. Add a Rewrite Filter and a Predicate to the configuration. Add the entries shown on lines 10 and 24 of the snippet.

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="default-ssl" security-realm="ApplicationRealm" socket-binding="https"/>
        <host name="default-host" default-web-module="YOURWARFILENAMEHERE.war" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
            <!-- ADD THE filter-ref ENTRY ABOVE -->
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <rewrite name="http-to-https" redirect="true" target="https://DOMAINNAMEHERE:8443%U"/>
        <!-- ADD THE rewrite ENTRY ABOVE, BE SURE TO SUBSTITUTE YOUR DOMAIN NAME -->
    </filters>
</subsystem>

Note: I wondered if adding an iptables reroute from 8080 to 8443 using the command in step 1 would be sufficient and eliminate the need for step 2. But step 2 worked for me so I went with it. I'll leave trying that option up to the reader if they want.

3. Modify the Management Interfaces section of the standalone.xml.

<management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>

Note that this replaced the binding to http. Also note this step may not be directly related to the forwarding of HTTP to HTTPS but rather just a step in the HTTPS setup.

4. Restart your Wildfly instance.

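A small check for the wiring described in step 2 above, written as an added example (not part of the answer or of WildFly): it parses the undertow subsystem of a standalone.xml and reports whether the host references a rewrite filter, whether that filter really redirects, and whether its target is an absolute https URL on the expected hostname rather than localhost, which is the exact misconfiguration the question ran into. The sample XML is a constructed copy of the answer's snippet with the placeholders filled in with example.com and myapp.war.

```python
"""Check the http-to-https redirect wiring in a WildFly 10 undertow subsystem."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"u": "urn:jboss:domain:undertow:3.0"}

# Constructed sample: the answer's subsystem snippet, trimmed, with placeholders filled in.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="default-ssl" security-realm="ApplicationRealm" socket-binding="https"/>
        <host name="default-host" default-web-module="myapp.war" alias="localhost">
            <filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
        </host>
    </server>
    <filters>
        <rewrite name="http-to-https" redirect="true" target="https://example.com:8443%U"/>
    </filters>
</subsystem>"""


def check_https_redirect(xml_text: str, expected_host: str) -> list:
    """Return a list of findings; an empty list means the redirect is wired correctly."""
    root = ET.fromstring(xml_text)
    findings = []
    # Rewrite filters are defined under <filters>; hosts reference them by name via <filter-ref>.
    rewrites = {r.get("name"): r for r in root.findall("u:filters/u:rewrite", NS)}
    refs = root.findall("u:server/u:host/u:filter-ref", NS)
    redirect_refs = [r for r in refs if r.get("name") in rewrites]
    if not redirect_refs:
        findings.append("no host filter-ref references a rewrite filter")
    for ref in redirect_refs:
        rw = rewrites[ref.get("name")]
        name = rw.get("name")
        if rw.get("redirect") != "true":
            findings.append(f"{name}: redirect attribute must be 'true' (rewrite would be internal)")
        target = rw.get("target", "")
        url = urlparse(target.replace("%U", "/"))  # %U expands to the request path at runtime
        if url.scheme != "https":
            findings.append(f"{name}: target is not https: {target}")
        if url.hostname in (None, "localhost", "127.0.0.1"):
            findings.append(f"{name}: target host is local, clients would be sent to {target}")
        elif url.hostname != expected_host:
            findings.append(f"{name}: target host {url.hostname} != {expected_host}")
        if not ref.get("predicate", "").startswith("equals(%p,"):
            findings.append(f"{name}: predicate should match the plain-HTTP port, got {ref.get('predicate')!r}")
    return findings


if __name__ == "__main__":
    print(check_https_redirect(SAMPLE_XML, "example.com") or "redirect wiring looks correct")
```

Point it at your own file with `check_https_redirect(open("standalone.xml").read(), "yourdomain")`; the parser only looks inside the undertow subsystem element, so pass that element's XML or the whole file after extracting it.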
家丑人穷心不美
Reply 3 · 2019-09-19 15:21

I'm not using Apache proxying Wildfly. But in my setup, all requests on port 80 or 8080 (http://example.com or http://example.com:8080) are redirected to port 443 (https://example.com). It is done by making iptables redirect traffic from 80 to 8080 and 443 to 8443, and then Wildfly redirects CONFIDENTIAL transport requests to port 443 instead of 8443. Please see if it is helpful: make wildfly listen on port 443 not 8443

By the way, using JavaScript or any other client-side script to redirect to SSL is not safe enough, since the responsibility for the redirection is on the client side.
