What's the redirect port for in Tomcat?

linux tomcat tomcat7

It's hard to make sense of tomcat documentation and looking at server.xml you will find a salad of ports that may be hard to understand because it's not really explained properly, or extensively, in the documentation.

For example, this line in the config file server.xml

<Connector port="8345" protocol="AJP/1.3" redirectPort="9875" />

And here you can find yet another redirect port:

<Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

I understand what the connector port does. In the first case you use that to create a worker in apache and send it there, in the second you open a port to access tomcat directly. However when it comes to the redirectport things become fuzzy.

Here is the explanation given by tomcat documentation for ajp port:

If this Connector is supporting non-SSL requests, and a request is received for which a matching requires SSL transport, Catalina will automatically redirect the request to the port number specified here.

I always pick a random redirect port over 1024 and it works,

But when would this come into practice? How does it know when a request requires SSL transport?

I have a satellite server running a tomcat module. This module comes into effect by redirecting traffic to the ajp connector with apache from the main server and vice versa.

In the main server https is enforced in apache. Does this mean all requests are sent to the satellite server encrypted or in plain text? I know that if I access the satellite server via port 8080 it's not encrypted, but I am wondering if this applies to the traffic being redirected to the main server as well and where does this redirect port come into effect.


As it is defined in the documentation, the redirect port will come into picture when SSL request will come to the server and since http connector port cannot handle SSL requests it will redirect to the port defined. But their must be another section defined in server.xml file in which the defined redirect port will act as a connector port to handle SSL requests. For example, If you want http requests to be handled by port 80 and https request by port 443 the server.xml will look like this:

<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" keystoreFile="/path/to/kestorefile" keystorePass="my_keystore_password"/>

Keystorefile is the ssl certificate of your website.

If you don't configure the other section with redirect port as a connector port your requests will not be redirected to that port. For example if the website do not support ssl requests and you try to send https request to that website an error like Secure Connection Failed will be shown on the browser.

Related

Why does tomcat7 log into both catalina.out and catalina.YYYY-MM-DD.log?
How do I create the identity certificate required to setup Mobile Device Management on an iOS device?
Curl: unable to get local issuer certificate. How to debug?
How many simultaneous requests can be handled by a medium class server on the average? [duplicate]
Iptables rule-set so that a docker container can access a service on a host IP
Multiple ssl certificates with one ip and same port but different host headers (IIS 8)
lsattr: Inappropriate ioctl for device While reading flags
Troubleshooting Windows Authentication problems (no challenge) in IIS 7.5?
What's the use of X-Powered-By, Server and other similar HTTP headers?
How to disable swap files in ESXi?
HALP! I've inherited a permissions nightmare for redirected folders/home directories
My DNS server is pushing 20mbps, why?