This is another follow-up to a now out-of-date earlier walkthrough.
The first follow-up is here: Jetty 11 Secure Connections
(So, yes, this is a follow-up to a follow-up.)
In this note I look at how to replace my custom Jetty server configuration with two Javalin plug-ins:
- the community-provided SSL plugin
- a bundled plugin which enables redirection of requests from an insecure http connection to a secure
The SSL plugin has various well-documented options - but here is a simple set-up:
When Javalin starts, you will see log messages similar to the following:
And, prior to that, more detailed Jetty messages - one for the insecure (http) connector, and one for the secure (
One point to note: that h2c protocol for the insecure connector represents HTTP/2 “cleartext”.
You can control much more than just the attributes shown above - check the Javadoc and tutorial.
Patching an Existing Jetty Server
The SSL plugin supports patching an existing instance of your Jetty server:
The Jetty server can be created however you need - similar to the example shown here - but without the logic which creates connectors, since those are now created by the SSL plugin.
You can therefore customize your Jetty server however you wish, manually - but then use the SSL plugin to handle creation of the Jetty connectors.
Important: In this situation, you no longer need to register the SSL plugin:
Acknowledgements - A very big thank you to the creator of the SSL plugin for helping me to understand how to use the SSL plugin.
For insecure-to-secure redirection, there is a separate bundled plugin:
That takes care of routing http traffic to https - but with a couple of caveats:
- no redirection is performed for
- only the protocol is changed (https) - so if you are using non-standard ports (something other than 80 and 443) then those will not be changed.
You can see the source code here.
It’s a straightforward approach. You could write your own version, if needed.
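The port caveat above, worked through as an added example (not code from the original post, from Javalin, or from the plugin): a hypothetical helper, `HttpsRedirectTarget`, that rebuilds the redirect target so the port is mapped along with the scheme. The ports 8080 and 8443 and the `example.test` URLs are constructed assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper (not Javalin's or the plugin's code): builds an https
// redirect target and swaps the port as well as the scheme.
public class HttpsRedirectTarget {

    // Assumed ports for this sketch; use the ports your own connectors listen on.
    static final int INSECURE_PORT = 8080;
    static final int SECURE_PORT = 8443;

    /** Returns the https URL to redirect to, or null if the request is not plain http. */
    static String secureTarget(String requestUrl) throws URISyntaxException {
        URI in = new URI(requestUrl);
        if (!"http".equalsIgnoreCase(in.getScheme())) {
            return null; // already secure, or not an HTTP URL: nothing to do
        }
        if (in.getHost() == null) {
            throw new IllegalArgumentException("no host in: " + requestUrl);
        }
        int port = in.getPort(); // -1 means the URL carried no explicit port
        String portPart;
        if (port == -1 || port == 80) {
            portPart = "";                  // default http maps to default https
        } else if (port == INSECURE_PORT) {
            portPart = ":" + SECURE_PORT;   // insecure connector maps to secure connector
        } else {
            // Refuse ports we do not serve rather than guessing a target.
            throw new IllegalArgumentException("unexpected port: " + port);
        }
        // Rebuild from the parsed (raw, still-encoded) components so that only
        // the scheme and the port differ from the original request.
        StringBuilder out = new StringBuilder("https://").append(in.getHost()).append(portPart);
        if (in.getRawPath() != null) out.append(in.getRawPath());
        if (in.getRawQuery() != null) out.append('?').append(in.getRawQuery());
        return out.toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample URLs
        System.out.println(secureTarget("http://example.test:8080/items?id=7"));
        System.out.println(secureTarget("http://example.test/items"));
        System.out.println(secureTarget("https://example.test:8443/items"));
    }
}
```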
A Note on HSTS
HSTS (HTTP Strict Transport Security) configurations used by your browser may interfere with your attempts to manage https connections and reroutes.
One symptom of this is your browser's navigation bar inexplicably insisting on changing a valid URL such as:
…to an invalid one such as:
Note the protocol has changed but the port number is still
There are plenty of articles discussing ways to fix this. Here is one:
Or, try a different port number.