Disabling SSL for one site/domain in Tomcat 8.5

ssl tomcat8

We currently have an Ubuntu server running Tomcat 8.5 that hosts two websites from different domains. It's a weird situation but long story short, we need to disable SSL for one of the two sites and keep SSL functioning for the other site. This server currently has one IP address. The two site names are structured as follows:

site1.a.net
site2.a.com

We'd like to disable SSL for site1.a.net and keep SSL enabled for site2.a.com. Is this possible in Tomcat 8.5?


[In order not to use any registered domains let's use site1.example.net and site2.example.com], which are reserved for documentation purposes.]

Redirection from HTTPS to HTTP works just the same as redirection from HTTP to HTTPS with a twitch: when a client opens https://site1.example.net, the server must present a trusted TLS certificate for site1.example.net before any redirection is possible. Failing to do that will result in a security warning in the browser. I would use a Let's Encrypt certificate for that.

Otherwise you just need to configure two <Host>s in your <Engine> and two <Certificate>s in your <Connector>. Your site1.example.com host needs a RewriteValve to perform the redirect:

<Service name="Catalina">
    <!-- HTTP connector -->
    <Connector port="80" redirectPort="443"/>
    <!-- HTTPS connector -->
    <!-- If the client does not use SNI it ends up with site1.example.net certificate -->
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="site1.example.net">
        <SSLHostConfig hostName="site1.example.net">
            <Certificate certificateFile="conf/site1.example.net.crt" certificateKeyFile="conf/site1.example.net.key" />
        </SSLHostConfig>
        <SSLHostConfig hostName="site2.example.com">
            <Certificate certificateFile="conf/site2.example.com.crt" certificateKeyFile="conf/site2.example.com.key" />
        </SSLHostConfig>
    </Connector>
    <!-- If a client doesn't send a Host: header or puts the IP in the Host: header it ends up on site1.example.net -->
    <Engine defaultHost="site1.example.net" name="Catalina">
        <Host appBase="webapps/site2.example.com" name="site2.example.com">
            ...
        </Host>
        <Host appBase="webapps/site1.example.net" name="site1.example.net">
            <!-- We need it for the redirect -->
            <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
        </Host>
    </Engine>
</Service>

In order to configure the RewriteValve you just need to create a file conf/Catalina/site1.example.net/rewrite.config with content

# If the client connected through HTTPS
RewriteCond %{HTTPS} on
# Temporarily redirect to the HTTP version
RewriteRule ^ http://site1.example.net%{REQUEST_PATH} [R,L]

Related

ssh operation timed out on ec2 instance
Schedule RDS upgrades/downgrades
GKE - network is not ready: Kubenet does not have netConfig
Does IPTable/Netfilter eat up ephemeral ports
IneligibleDataPartition - S2D not starting - error 2
Change location where LDAP data is stored
Shared storage between VMs
Equipment required for AWS outpost
Separate color from black-and-white pages for printing
sysctl not sticking after reboot
GRE tunneling using Open vSwitch
Restricting AWS resources to same AZ connections