4 Replies Latest reply on Jul 11, 2013 11:46 AM by wagnbeu0

Disable HTTP on Port 8080, only allow HTTPS

wagnbeu0 Nov 7, 2012 3:26 AM

Hello,

I´m running JBOSS 4.2.3 for a couple of years. Now we have the security recommendation, that only https is allowed. I´ve change my configuration to this in the server.xml:

<Connector Port="8080" protocol="HTTP/1.1" SSLEnabled="true

maxthreads="150" scheme="https" secure="true"

clientAuth="false"

strategy="ms"

adress="${jboss.bind.addrress}"

keystoreFile="{jboss.server.home.dir}/conf/ssl/server.keystore"

keystorePass="****"

truststoreFile={jboss.server.home.dir}/conf/ssl/server.keystore"

truststorePass="****"

sslProtocol="TLS" />

Unfortunately the server is now lisgtening both on HTTP and HTTPS on Port 8080.

What do I need to setup that the HTTP Port is not available and/or does not answer to http-requests, and only the HTTPS Connector is open?

1. Re: Disable HTTP on Port 8080, only allow HTTPS

erasmomarciano Nov 7, 2012 4:23 AM (in response to wagnbeu0)

Hi

you should have alone this tag

<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
address="${jboss.bind.address}" scheme="https" secure="true"
clientAuth="true"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="server-keystore-pass"
truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
truststorePass="server-truststore-pass"
sslProtocol="TLS" /

Your connect is ready for listen in https

Are you sure that Jboss listens in http e in https listens on the same port.

I think that you should have an error message Bindind Exception
Actions
2. Re: Disable HTTP on Port 8080, only allow HTTPS

wagnbeu0 Nov 7, 2012 4:35 AM (in response to erasmomarciano)

Hm, if I change the value clientAuth="false" to "true", then the webserver is not available
Actions
3. Re: Disable HTTP on Port 8080, only allow HTTPS

erasmomarciano Nov 7, 2012 4:44 AM (in response to wagnbeu0)

ClientAuth

Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection.
Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented.
A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
See the SSL HowTo for an example. That SSL HowTo also contains tips on using per-user or per-session certificate-based clientAuth.

I 'm not sure this way is correctly
Actions
4. Re: Disable HTTP on Port 8080, only allow HTTPS

wagnbeu0 Jul 11, 2013 11:46 AM (in response to erasmomarciano)

Hi, I changed my configuration now to this one:
      

   <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false"
strategy="ms"
address="${jboss.bind.address}"
keystoreFile="${jboss.server.home.dir}/conf/ssl/server.keystore"
keystorePass="CHANGEIT"
truststoreFile="${jboss.server.home.dir}/conf/ssl/server.truststore"
truststorePass="CHANGEIT"
sslProtocol="TLS"/>

Now the HTTP Port is not available, only HTTPS Requesst are valid. Thanks for your help.
Actions

Go to original post