GZip Compression in tomcat7 not working in IE9 - performance

I am using the below code in my server.xml file. It is working fine in Firefox, where the response size was very much reduced (200kb -> 25kb). But it is not working in IE9. Any help or suggestion would be appreciated.
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"
maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" acceptCount="100"
disableUploadTimeout="true"
compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
/>

Compression only happens if the user-agent wants it that way.
When a user-agent makes a request, it needs to send its compression preference through the Accept-Encoding header.
accept-encoding:gzip,deflate,sdch
Only when this header is sent as part of the web request will the web server enable compression for the content that is sent. You can test it using curl:
curl -L http://localhost/index.jsp -H 'Accept-Encoding: gzip' -o - | gzip -d
The above will generate compressed data, which can be uncompressed using gzip.
Most likely in your case IE is not asking to get the content of the page compressed; I am not sure why this happens.
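The curl test above can be turned into a repeatable check. The following is an added example, not part of the original answer: it takes a header dump and body saved with `curl -D headers.txt -o body.bin -H 'Accept-Encoding: gzip' ...` and confirms that the response both declares gzip and really carries a valid gzip stream. The file names and the sample response are constructed.

```shell
#!/bin/sh
# Added example; headers.txt / body.bin are placeholder names for curl output.

# verify_gzip_response HEADERS BODY
# Prints "<compressed bytes> <decoded bytes>" and returns 0 only when the
# response declares Content-Encoding: gzip AND the body is a valid gzip stream.
verify_gzip_response() {
    grep -qi '^content-encoding:.*gzip' "$1" ||
        { echo "no gzip Content-Encoding header" >&2; return 1; }
    # A gzip stream always starts with the magic bytes 1f 8b.
    magic=$(od -An -tx1 -N2 "$2" | tr -d ' \n')
    [ "$magic" = "1f8b" ] || { echo "body is not gzip data" >&2; return 1; }
    gzip -t "$2" 2>/dev/null || { echo "corrupt gzip body" >&2; return 1; }
    echo "$(wc -c < "$2" | tr -d ' ') $(gzip -dc "$2" | wc -c | tr -d ' ')"
}

# make_sample DIR: write a constructed compressed response (headers + body).
make_sample() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\nVary: Accept-Encoding\r\n\r\n' > "$1/headers.txt"
    awk 'BEGIN { for (i = 0; i < 500; i++) print "<p>constructed sample line</p>" }' |
        gzip -c > "$1/body.bin"
}
```

Running the same check on a capture made with the browser's actual request headers shows whether the client asked for compression at all.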

Related

Configure Tomcat8 behind Apache with HTTPS

I have Tomcat 8 installed in my server in port 8080 that I am exposing with a secured Apache (using Proxy Pass).
Here is my Apache configuration:
<VirtualHost *:443>
ServerName myserver.com
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /odata/ http://172.31.36.251:8080/
ProxyPassReverse /odata/ http://172.31.36.251:8080/
<Proxy *>
allow from all
</Proxy>
RequestHeader set X-Forwarded-Port 443
RequestHeader set X-Forwarded-Scheme https
</VirtualHost>
Here is the Tomcat server.xml configuration
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
address="172.31.36.251"
proxyName="myserver.com"
scheme="https" proxyPort="443" />
All works well until here. If I call my application:
https://myserver.com/odata/D3a1593adae89/odata.svc/
I get:
<service xmlns="http://www.w3.org/2007/app" xmlns:atom="http://www.w3.org/2005/Atom" xml:base="https://myserver.com:443/D3a1593adae89/odata.svc/">
<workspace>
<atom:title>Default</atom:title>
<collection href="Maintables">
<atom:title>Maintables</atom:title>
</collection>
</workspace>
</service>
The problem: If you see the attribute xml:base in the result, Tomcat decorates the address with the port and I really don't know how to remove it. Also the address is wrong: It should be https://myserver.com:443/odata/D3a1593adae89/odata.svc/ . I have been looking around and trying things like setting proxyPort to blank, but nothing worked. I think this is related to broken links when using a reverse proxy as described at https://cwiki.apache.org/confluence/display/HTTPD/TomcatModProxyHTML . I tried some rewrites like:
ProxyHTMLURLMap http://172.31.33.105:8080 /odata
RewriteEngine On
RewriteRule ^/odata$ https://myserver.com/odata/ [R,L]
But I just cannot make it work. The xml:base should be https://myserver.com/odata/D3a1593adae89/odata.svc/
Any idea is appreciated
For the port thing, as you use ProxyPreserveHost On and you set X-Forwarded-* headers, you can use the RemoteIpValve:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" />
The connector will be simply:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
address="172.31.33.105"
/>
The valve detects the proto and will assume the connection is secured with the default port number (https://xxxxx/yyy).
For the location, you should deploy your application in the odata context so that you can use
ProxyPass /odata http://172.31.33.105:8080/odata
Modifying the context on the proxy pass (from /odata/ to /) is somehow tricky, as you would need to filter all text coming from your backend server to fix some URL paths. It can be really painful (should I replace all "/xxx" with "/odata/xxx"?).

Clarification in configuring OCSP in tomcat

We can configure OCSP in tomcat using,
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
secure="true" scheme="https"
SSLEnabled="true" SSLCertificateFile="/path/to/ocsp-cert.crt"
SSLCertificateKeyFile="/path/to/ocsp-cert.key"
SSLCACertificateFile="/path/to/ca.pem"
SSLVerifyClient="require"
SSLVerifyDepth="10"
clientAuth="true"/>
as mentioned in the Tomcat documentation, https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Using_OCSP_Certificates
But from that documentation I didn't get where OCSP is performed: on the server side (for revoking the client certificate) or on the client side (for revoking the server certificate)?

Using UrlRewriteFilter to get Tomcat to return a 301 redirect from http to https

I'm trying to find out if anyone has succeeded in using the UrlRewriteFilter
available from http://tuckey.org/urlrewrite/ to do a 301 permanent redirect from
http to https in Apache Tomcat but I don't seem to be getting anywhere fast.
A number of people have asked the same question and AFAICS none have been answered
If I'm asking in the wrong place then maybe someone would be kind enough to 'redirect' me to the right place.
If it's not possible then perhaps someone could say so.
Thank you.
apache-tomcat-7.0.42
jdk1.8.0_77
CentOS Linux 7.2.1511
urlrewritefilter-4.0.3.jar
The 'standard' configuration as recommended by the tomcat docs is as follows
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure URLs</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
server.xml
<Connector port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector port="443" maxThreads="150" scheme="https" secure="true"
SSLEnabled="true" keystoreFile="/opt/keys/tomcat.keystore"
keystorePass="*********" clientAuth="false" keyAlias="tomcat" sslProtocol="TLS" />
Entering localhost in a browser results in redirection to https.
Checking this with curl, we can see that this works as expected, but we get a 302 temporary redirect:
root#sandbox:/tmp# curl -D /tmp/headers.txt -s http://localhost
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 GMT
Location: https://localhost/
Content-Length: 0
Date: Fri, 29 Apr 2016 18:24:47 GMT
However, this is unacceptable to Google, who prefer a 301 permanent redirect.
Is it possible to use UrlRewriteFilter to achieve this end?
The following rule results in a 302 even though I'm using type="permanent-redirect";
everything else stays the same.
<rule>
<name>seo redirect</name>
<condition name="host" operator="notequal">^www_example_com</condition>
<condition name="host" operator="notequal">^localhost</condition>
<from>^/(.*)</from>
<to type="permanent-redirect" last="true">https://www_example_com/$1</to>
</rule>
I have tried various different combinations with no luck, presumably because Tomcat is redirecting after the filter has been applied.
Has anyone actually got this to work so that we get a 301 instead of a 302?
Thank You
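The curl check used in the question can be scripted so that every rule change is tested the same way. This is an added example, not part of the original post: it reads a header dump written by `curl -D` and succeeds only when the first response is a 301 whose Location is an https:// URL. The sample dumps are constructed from the 302 response shown above.

```shell
#!/bin/sh
# Added example, not part of the original post.

# check_https_redirect HEADER_FILE
# Reads the first response in a `curl -D` header dump, prints
# "<status> <location>" and returns 0 only for a 301 to an https:// URL.
check_https_redirect() {
    awk '
        { sub(/\r$/, "") }                        # curl keeps the CRLF line ends
        NR == 1 && /^HTTP\// { status = $2; next }
        $0 == "" { exit }                         # end of the first header block
        tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
        END {
            print status, loc
            exit !(status == "301" && loc ~ /^https:\/\//)
        }' "$1"
}

# write_sample STATUS_LINE FILE: constructed header dump modelled on the
# 302 response shown in the question.
write_sample() {
    printf '%s\r\nServer: Apache-Coyote/1.1\r\nCache-Control: private\r\nLocation: https://localhost/\r\nContent-Length: 0\r\n\r\n' "$1" > "$2"
}
```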

SSL enabling in Tomcat Windows server

I want to enable https on my website which is on a Windows Server 2008 and tomcat 7.
I have the following files from a certificate website: .ca, .crt, .pem, .csr, .pkcs
I know that I have to add in tomcat's server.xml the following:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/Tomcat/keystore.jks"
keystorePass="password" />
How do I get that .jks from those files?
Convert your .pem to a .jks: see https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html
If you're using the newest version of Tomcat 7, you can install the certificate to the Windows secure keystore (cert manager) and refer to it in the server.xml. In this way you don't need to worry about having the SSL certificate and the passphrase on the physical disk.
To install the cert to cert manager, double-click the certificate pfx file and follow the wizard steps. You can extract the pfx (refer to https://www.sslshopper.com/article-most-common-openssl-commands.html?jn554906de).
This feature is available on tomcat version 7.0.52 or above.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keyAlias="<common name of the cert>"
keystoreFile=""
keystoreType="Windows-My"
clientAuth="false"
sslProtocol="TLS"
keepAliveTimeout="200000" />
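For the PEM-to-JKS conversion mentioned in the first answer, the usual route is PEM to PKCS#12 with openssl, then PKCS#12 to JKS with keytool. The following is an added example, not taken from the answers or the linked guide; the file names, the alias "tomcat" and the password are constructed placeholders, and it is written for a POSIX shell (the same openssl and keytool commands apply on Windows).

```shell
#!/bin/sh
# Added example (not from the original posts). File names, the alias "tomcat"
# and the password are constructed placeholders. The keystore password is read
# from the KS_PASS environment variable so it stays out of the process list.

# pem_to_p12 CERT KEY OUT_P12 ALIAS [CHAIN]
# Bundle the certificate, its private key and (optionally) the CA chain.
pem_to_p12() {
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" \
            -name "$4" -out "$3" -passout env:KS_PASS
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -name "$4" -out "$3" -passout env:KS_PASS
    fi
}

# p12_to_jks IN_P12 OUT_JKS ALIAS
# Import the PKCS#12 entry into a JKS keystore protected by the same password.
p12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env KS_PASS \
        -srcalias "$3" -destalias "$3"
}

# p12_subject P12: print the subject of the certificate stored in the bundle.
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -passin env:KS_PASS 2>/dev/null |
        openssl x509 -noout -subject
}

# demo_convert: run the conversion on a throwaway self-signed certificate
# (constructed test material) and print the working directory.
demo_convert() {
    dir=$(mktemp -d) || return 1
    KS_PASS=${KS_PASS:-changeit-demo}; export KS_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    pem_to_p12 "$dir/server.crt" "$dir/server.key" "$dir/server.p12" tomcat || return 1
    chmod 600 "$dir/server.p12"
    if command -v keytool >/dev/null 2>&1; then
        p12_to_jks "$dir/server.p12" "$dir/keystore.jks" tomcat >/dev/null 2>&1 || return 1
    fi
    echo "$dir"
}
```

Tomcat's JSSE connector can also read the PKCS#12 file directly when keystoreType="PKCS12" is set, in which case the keytool step is optional.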

mod_jk utf-8 character set setup

I am running httpd + mod_jk + 2 tomcat servers in Ubuntu. When I submit a form in a non-Latin language I get garbage in the DB.
If I submit the same form through Tomcat directly bypassing httpd everything looks good.
The following is my configuration:
/etc/apache2/conf.d/charset:
AddDefaultCharset UTF-8
tomcat1:
<Connector port="8080" protocol="AJP/1.3" connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8" />
tomcat2:
<Connector port="9080" protocol="AJP/1.3" connectionTimeout="20000" redirectPort="9443" URIEncoding="UTF-8" />
JDBC connection:
jdbc:mysql://localhost:3306/myapp?useEncoding=true&characterEncoding=UTF-8
/etc/apache2/mods-available/jk.conf (the same file I set up my loadbalancer)
JkOptions +ForwardURICompatUnparsed
Am I missing something?
Thank You!
I found my problem, I mixed up the HTTP connector with the AJP connector which was declared twice in Tomcat's server.xml . The second declaration did not even include the attribute URIEncoding.
<Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" connectionTimeout="10000" keepAliveTimeout="10000" redirectPort="8443"/>
works fine for me
