Instead of disabling HTTP, redirect it to HTTPS

letsencrypt-tomcat.xsl

@@ -2,6 +2,9 @@
 
     <xsl:output method="xml" indent="yes"/>
 
+    <xsl:param name="https.port" select="8443"/>
+    <xsl:param name="https.maxThreads" select="150"/>
+    <xsl:param name="https.clientAuth" select="'want'"/>
     <xsl:param name="letsencrypt.keystoreFile"/>
     <xsl:param name="letsencrypt.keystorePass"/>
     <xsl:param name="letsencrypt.keyAlias"/>
@@ -13,20 +16,26 @@
         </xsl:copy>
     </xsl:template>
 
-    <!-- disable HTTP -->
-    <xsl:template match="Connector[@protocol = 'HTTP/1.1']"/>
+    <!-- redirect HTTP to HTTPS-->
+    <!-- @redirectPort requires security-constraint in web.xml: https://tomcat.apache.org/tomcat-8.0-doc/config/http.html -->
+    <xsl:template match="Connector[@protocol = 'HTTP/1.1']">
+        <xsl:copy>
+	    <xsl:attribute name="redirectPort" value="{$https.port}"/>
+            <xsl:apply-templates select="@*|node()"/>
+        </xsl:copy>
+    </xsl:template>
 
     <!-- enable HTTPS if it's not already enabled -->
     <xsl:template match="Service[not(Connector/@protocol = 'org.apache.coyote.http11.Http11NioProtocol')]/*[last()]">
         <xsl:copy>
             <xsl:apply-templates select="@*|node()"/>
         </xsl:copy>
 
-        <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
-                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+        <Connector port="{$https.port}" protocol="org.apache.coyote.http11.Http11NioProtocol"
+                   maxThreads="{$https.maxThreads}" SSLEnabled="true" scheme="https" secure="true"
                    keystoreFile="{$letsencrypt.keystoreFile}" keystorePass="{$letsencrypt.keystorePass}"
                    keyAlias="{$letsencrypt.keyAlias}" keyPass="{$letsencrypt.keyPass}"
-                   clientAuth="want" sslProtocol="TLS" />
+                   clientAuth="{$https.clientAuth}" sslProtocol="TLS" />
     </xsl:template>
 
 </xsl:stylesheet>