4 Replies Latest reply on Jul 11, 2013 11:46 AM by wagnbeu0

    Disable HTTP on Port 8080, only allow HTTPS

    wagnbeu0 Newbie

      Hello,

       

      I've been running JBOSS 4.2.3 for a couple of years. Now we have the security recommendation that only HTTPS is allowed. I've changed my configuration in the server.xml to this:

       

      <Connector Port="8080" protocol="HTTP/1.1" SSLEnabled="true"
                 maxthreads="150" scheme="https" secure="true"
                 clientAuth="false"
                 strategy="ms"
                 adress="${jboss.bind.addrress}"
                 keystoreFile="{jboss.server.home.dir}/conf/ssl/server.keystore"
                 keystorePass="****"
                 truststoreFile="{jboss.server.home.dir}/conf/ssl/server.keystore"
                 truststorePass="****"
                 sslProtocol="TLS" />

       

      Unfortunately the server is now listening on both HTTP and HTTPS on port 8080.

      What do I need to set up so that the HTTP port is not available and/or does not answer HTTP requests, and only the HTTPS connector is open?

        • 1. Re: Disable HTTP on Port 8080, only allow HTTPS
          erasmo2 marciano2 Master

          Hi

           

          You should have only this tag:

           

          <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
                     address="${jboss.bind.address}" scheme="https" secure="true"
                     clientAuth="true"
                     keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
                     keystorePass="server-keystore-pass"
                     truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
                     truststorePass="server-truststore-pass"
                     sslProtocol="TLS" />

           


           

          Your connector is ready to listen on HTTPS.

          Are you sure that JBoss listens on HTTP and on HTTPS on the same port?

          I think that you should have an error message: Binding Exception

          • 2. Re: Disable HTTP on Port 8080, only allow HTTPS
            wagnbeu0 Newbie

            Hm, if I change the value clientAuth="false" to "true", then the webserver is not available

            • 3. Re: Disable HTTP on Port 8080, only allow HTTPS
              erasmo2 marciano2 Master

              ClientAuth

               

              Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection.

              Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented.

              A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

              See the SSL HowTo for an example. That SSL HowTo also contains tips on using per-user or per-session certificate-based clientAuth.

               

              I'm not sure this way is correct.

               

               


              • 4. Re: Disable HTTP on Port 8080, only allow HTTPS
                wagnbeu0 Newbie

                Hi, I changed my configuration now to this one:

                <!-- A HTTP/1.1 Connector on port 8080
                <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
                           connectionTimeout="20000" redirectPort="8443" />
                -->

                <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                           maxThreads="150" scheme="https" secure="true"
                           clientAuth="false"
                           strategy="ms"
                           address="${jboss.bind.address}"
                           keystoreFile="${jboss.server.home.dir}/conf/ssl/server.keystore"
                           keystorePass="CHANGEIT"
                           truststoreFile="${jboss.server.home.dir}/conf/ssl/server.truststore"
                           truststorePass="CHANGEIT"
                           sslProtocol="TLS"/>

                 

                Now the HTTP port is not available; only HTTPS requests are valid. Thanks for your help.
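
Added example, not part of the thread or of JBoss: a small audit that parses a server.xml and reports every active `<Connector>` that lacks `SSLEnabled="true"`, so the outcome of reply 4 (plain connector commented out, TLS connector left) can be checked before a restart. The sample fragments are constructed from the configuration in reply 4, and the function and variable names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the final configuration in the thread.
TLS_CONNECTOR = '''<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/ssl/server.keystore"
    keystorePass="CHANGEIT" sslProtocol="TLS"/>'''
HTTP_CONNECTOR = '''<Connector protocol="HTTP/1.1" port="8080"
    address="${jboss.bind.address}" connectionTimeout="20000" redirectPort="8443"/>'''


def wrap(body):
    """Embed connector fragments in a minimal (constructed) server.xml skeleton."""
    return "<Server><Service name='jboss.web'>" + body + "</Service></Server>"


HTTPS_ONLY = wrap("<!-- " + HTTP_CONNECTOR + " -->" + TLS_CONNECTOR)
BOTH_ACTIVE = wrap(HTTP_CONNECTOR + TLS_CONNECTOR)


def audit_connectors(xml_text):
    """Return one finding per active <Connector> element."""
    findings = []
    # ElementTree's default parser discards XML comments, so a commented-out
    # connector is not reported, matching what the server actually loads.
    for conn in ET.fromstring(xml_text).iter("Connector"):
        a = conn.attrib
        tls = a.get("SSLEnabled", "false").lower() == "true"
        problems = []
        if not tls:
            problems.append("SSLEnabled is not true: accepts unencrypted connections")
        else:
            if a.get("scheme") != "https":
                problems.append("scheme is not https")
            if a.get("secure") != "true":
                problems.append("secure is not true")
            if "keystoreFile" not in a:
                problems.append("no keystoreFile set")
        findings.append({"port": a.get("port"), "plaintext": not tls,
                         "problems": problems})
    return findings


def plaintext_ports(xml_text):
    """Ports of active connectors that do not have TLS enabled."""
    return [f["port"] for f in audit_connectors(xml_text) if f["plaintext"]]


if __name__ == "__main__":
    for name, cfg in (("HTTPS only", HTTPS_ONLY), ("both active", BOTH_ACTIVE)):
        print(name, "->", plaintext_ports(cfg) or "no plaintext connectors")
```
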