Understanding Tomcat’s redirectPort: SSL Redirection in AJP and HTTP Connectors Explained



The redirectPort parameter in Tomcat's connector configurations serves a specific security purpose. When configured, it enables automatic redirection of non-SSL requests to SSL when required by the application's security constraints.

Redirection occurs when:

  1. Your web application has <security-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  2. A client accesses the non-SSL port (HTTP or non-secure AJP)
  3. The request matches a secured URL pattern

Here's a sample web.xml configuration that would trigger redirection:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure Area</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The redirect behavior differs between protocols:

HTTP Connector Scenario

<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="8443" />

When accessing http://example.com:8080/admin, Tomcat responds with 302 redirect to https://example.com:8443/admin

AJP Connector Scenario

<Connector port="8009" protocol="AJP/1.3"
           redirectPort="8443" />

The front-end web server (Apache/Nginx) should handle the SSL termination. Tomcat signals the need for SSL through special AJP packets.

In your specific setup:

  • If HTTPS is enforced at Apache level, all external requests are encrypted
  • The AJP connection between Apache and Tomcat can be either:
    • Plain text (typical default configuration)
    • Encrypted if you configured AJP with secret or network-level encryption
  • The redirectPort in AJP connector serves as fallback for misconfigured requests

  1. Always set redirectPort to your SSL port (typically 8443)
  2. Ensure the port isn't blocked by firewall
  3. For AJP, coordinate with front-end web server's SSL configuration
  4. Test with curl -v http://yourserver:8080/secure-page to verify redirection

Check these logs when troubleshooting:

# Tomcat access log for HTTP redirections
localhost_access_log.%yyyy-MM-dd%.log

# AJP packet debugging (add to logging.properties)
org.apache.coyote.ajp.level = FINE

The redirectPort attribute in Tomcat's connector configuration serves a specific security purpose: it handles automatic redirection when a non-SSL request needs to be upgraded to SSL. This typically occurs in two scenarios:

  1. When a <security-constraint> in web.xml requires SSL
  2. When the SSLEnabled attribute is true but the request comes through non-SSL

Consider this AJP connector configuration:

<Connector port="8345" protocol="AJP/1.3" redirectPort="9875" />

Here's what happens in practice:

  1. A request comes through the AJP port (8345)
  2. The application's security constraint requires HTTPS
  3. Tomcat responds with HTTP 302 redirect to the HTTPS port (9875)

A more common scenario with HTTP connector:

<Connector executor="tomcatThreadPool"
           port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

In this configuration:

  • HTTP requests on 8080 that require security get redirected to 8443
  • The actual SSL configuration would be on another connector listening on 8443

The decision to redirect comes from these sources:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

When transport-guarantee is set to CONFIDENTIAL or INTEGRAL, Tomcat will enforce SSL.

For your satellite server scenario with Apache frontend:

  1. If Apache terminates SSL before AJP:
    • Traffic between Apache and Tomcat is plain text
    • Set scheme="https" secure="true" in Apache config
  2. If SSL is terminated at Tomcat:
    • All traffic remains encrypted end-to-end
    • Requires proper SSL configuration on Tomcat

Example Apache configuration preserving SSL info:

ProxyPass / ajp://backend:8345
ProxyPassReverse / ajp://backend:8345
# mod_proxy_ajp already carries Apache's own SSL status in the AJP request
# (the is_ssl flag), so Tomcat sees request.isSecure() == true without these
# headers; they only matter if Tomcat's RemoteIpValve is configured with
# protocolHeader="X-Forwarded-Proto" to read them.
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

Problem: Redirect loops when both connectors use same port
Solution: Ensure your SSL connector has SSLEnabled="true" properly configured

Problem: AJP requests not recognizing SSL requirement
Solution: Add to Apache config:

ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"

Complete SSL redirection setup with both HTTP and AJP:

<!-- HTTP Connector -->
<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="8443" />

<!-- HTTPS Connector -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- AJP Connector -->
<!-- Tomcat 8.5.51 / 9.0.31 and later refuse to start this connector without a
     shared secret (secret="...") unless secretRequired="false" is set, and bind
     it to loopback only by default; add address="..." if Apache is on another host -->
<Connector port="8345" protocol="AJP/1.3"
           redirectPort="8443"
           secretRequired="false" />
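A quick sanity check of the wiring shown above, written for this page and not part of the original answers: it parses a server.xml fragment and flags every non-SSL connector whose redirectPort does not land on an SSLEnabled connector (the redirect-loop and missing-SSL-connector problems described earlier), plus AJP connectors that modern Tomcat would refuse to start. The embedded server.xml is a constructed sample modelled on the complete setup above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the "complete SSL redirection setup" above;
# it is not a real server.xml from any deployment.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"/>
    <Connector port="8345" protocol="AJP/1.3" redirectPort="8443"
               secretRequired="false"/>
  </Service>
</Server>"""


def audit_redirect_ports(server_xml: str) -> list[str]:
    """Return findings for connectors whose redirectPort wiring is unsafe.

    An empty list means every non-SSL connector redirects to a port on which
    an SSLEnabled connector is actually listening.
    """
    root = ET.fromstring(server_xml)
    ssl_ports, plain = set(), []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            ssl_ports.add(conn.get("port"))
        else:
            plain.append(conn)

    findings = []
    for conn in plain:
        port = conn.get("port")
        proto = conn.get("protocol", "HTTP/1.1")
        # Tomcat falls back to 443 when redirectPort is omitted.
        target = conn.get("redirectPort", "443")
        if target == port:
            findings.append(f"{proto} on {port}: redirectPort points at itself (redirect loop)")
        elif target not in ssl_ports:
            findings.append(f"{proto} on {port}: redirectPort {target} has no SSLEnabled connector")
        # Tomcat 9.0.31+/8.5.51+ refuse to start an AJP connector without a
        # shared secret unless secretRequired="false" is set explicitly.
        if proto.startswith("AJP") and not conn.get("secret") \
                and conn.get("secretRequired", "true").lower() != "false":
            findings.append(f'{proto} on {port}: set secret=... or secretRequired="false"')
    return findings


if __name__ == "__main__":
    for finding in audit_redirect_ports(SAMPLE_SERVER_XML) or ["OK: redirect wiring is consistent"]:
        print(finding)
```

Run it against your own server.xml by reading the file into `audit_redirect_ports`; comments and other elements are ignored, only `Connector` attributes are inspected.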