Posted to users@tomcat.apache.org by mateo-jl <ma...@orange.fr> on 2009/04/01 14:42:35 UTC

re: redirection

Hi,

I think the best way is to use the mod_jk module. So, in a firewall environment, you can have your web server (Apache) in the non-protected area, and Apache will redirect all requests (http:// ....:80 or nothing) to your Tomcat server (http:// ....:8080) within the protected one.
Take a look at the connectors documentation:
http://tomcat.apache.org/connectors-doc/

JL

> Message of 31/03/09 18:59
> From: "Melanie Pfefer"
> To: users@tomcat.apache.org
> Cc:
> Subject: redirection
> 
> 
> 
> Hello
> 
> I have a tomcat server running on port 8080.
> 
> Users need to create a DNS alias which is on port 80. Redirection cannot be done at the DNS level, of course.
> 
> Do you have any idea how to achieve this in Tomcat? For example:
> 
> http://siroe redirects to http://machineX:8080, which is a Tomcat application?
> 
> Thank you
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 
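As an added example (not part of JL's post or of the Tomcat project), here is the httpd-side plumbing for the mod_jk set-up he describes. One detail the post glosses over: mod_jk does not forward to Tomcat's :8080 HTTP connector at all; it speaks AJP to Tomcat's AJP connector (port 8009 by default), so the 8080 connector need not be exposed anywhere. The Tomcat host name `machineX`, the worker name `tomcat1`, the context `/app` and the output directory are assumptions; point the script at a scratch directory to try it.

```shell
#!/bin/sh
# Added example, not from the thread: write a minimal mod_jk front-end
# configuration and sanity-check it. Assumptions (hypothetical): Tomcat runs
# on host "machineX" with its AJP connector on 8009, the application lives
# under /app, and httpd reads the files from the directory given as $1.

write_jk_config() {
    dir="$1"; tomcat_host="${2:-machineX}"; context="${3:-/app}"
    mkdir -p "$dir"

    # workers.properties: one AJP worker per Tomcat instance. Only the httpd
    # host should be able to reach this port; firewall it from everyone else.
    cat > "$dir/workers.properties" <<EOF
worker.list=tomcat1
worker.tomcat1.type=ajp13
worker.tomcat1.host=$tomcat_host
worker.tomcat1.port=8009
EOF

    # jk.conf: load the module and map URLs onto the worker. Only mounted
    # paths reach Tomcat; /manager, /host-manager and anything else that is
    # not listed stays unreachable from the outside.
    cat > "$dir/jk.conf" <<EOF
LoadModule jk_module modules/mod_jk.so
JkWorkersFile $dir/workers.properties
JkLogFile logs/mod_jk.log
JkLogLevel info
JkMount $context tomcat1
JkMount $context/* tomcat1
EOF
}

# Every worker named in a JkMount must be declared in worker.list; a typo
# here makes httpd answer those URLs with an error instead of forwarding.
check_jk_config() {
    dir="$1"
    list=$(sed -n 's/^worker\.list=//p' "$dir/workers.properties")
    for w in $(awk '/^JkMount/ {print $3}' "$dir/jk.conf" | sort -u); do
        case ",$list," in
            *",$w,"*) ;;
            *) echo "JkMount refers to undeclared worker: $w" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage: write_jk_config /tmp/jk-demo machineX /app && check_jk_config /tmp/jk-demo
```

On the Tomcat side the AJP connector has to be enabled in server.xml; current Tomcat releases bind it to localhost and require a shared secret by default, which is the right posture when httpd and Tomcat sit on different hosts as in the firewall layout above: open it only to the httpd host and configure the secret on both ends.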

RE: redirection

Posted by mateo-jl <ma...@orange.fr>.
Indeed, the topic of this discussion is not to have 8080 as the main port of Tomcat.
I've just put forward one solution among many others: mod_jk.
Some of my customers have opted for this one because of the simplicity of writing URLs, performance (load balancing),
and security too (not using port 80 for Tomcat was a security directive in some cases).



> Message of 01/04/09 15:47
> From: "Caldarale, Charles R"
> To: "Tomcat Users List"
> Cc:
> Subject: RE: redirection
> 
> > From: mateo-jl [mailto:mateo-jl@orange.fr]
> > Subject: re: redirection
> > 
> > i think, the best way is to use the mod_jk module. So, in a firewall
> > environment, you can have your web server (Apache) in the non-protected
> > area and apache will redirect all requests (http:// ....:80 or nothing)
> > at your Tomcat server (http:// ....:8080) within the protected one.
> 
> In what way would that improve security? Since all requests would be forwarded to Tomcat, adding httpd accomplishes nothing except additional overhead and complexity. It's silly to place *anything* in a completely unprotected area; you would still have a firewall in place restricting access to just ports 80 and 443, even if httpd were handling those ports. Might as well have Tomcat handle those ports directly.
> 
> - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
> 
> 

[OT] RE: redirection

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Gregor Schneider [mailto:rc46fi@googlemail.com]
> See, I believe in the statement that the more components you're adding
> to an environment, the more possibilities there are for a
> security-hole. However, to believe is not to know...

It's clear that a naïve "more components => less secure" argument doesn't work in computer security, as I think few people on this list would argue with the following: "A Tomcat server with a dedicated firewall in front will be more secure than the same Tomcat with no dedicated firewall in front."  Here, more components - and the assumption of fitness for purpose and correct configuration - lead to an assumption of higher rather than lower security.

So we're then into a discussion of how well httpd + mod_security + { mod_proxy, mod_jk} would serve for the purpose - a discussion of the *quality* of the components, rather than just the *quantity*.  And that's why I'd love to see the hard data because, like you, I don't know :-).

                - Peter



Re: redirection

Posted by Mark Thomas <ma...@apache.org>.
Martin Gainty wrote:
> Gregor
> 
> can you elucidate any documented security holes in Apache HTTPD?

Martin - did you even bother to look?

http://httpd.apache.org/security_report.html

Mark




Re: redirection

Posted by Gregor Schneider <rc...@googlemail.com>.
Martin,

On Wed, Apr 1, 2009 at 6:53 PM, Martin Gainty <mg...@hotmail.com> wrote:
>
> Gregor
>
> can you elucidate any documented security holes in Apache HTTPD?
>

Most of them are fixed, but it proves that there are quite a few, and I
bet there will be some full disclosure in the future.

For a start:

http://www.google.de/search?q=full+disclosure+apache+httpd&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

Rgds

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/



RE: redirection

Posted by Martin Gainty <mg...@hotmail.com>.
Gregor

can you elucidate any documented security holes in Apache HTTPD?

Martin 
______________________________________________
Disclaimer and confidentiality note
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to please inform the sender. Any unauthorised dissemination or copying hereof is prohibited. This message serves for information purposes only and shall not have any legally binding effect. Given that e-mails can easily be subject to manipulation, we cannot accept any liability for the content provided.






> Date: Wed, 1 Apr 2009 17:31:34 +0200
> Subject: Re: redirection
> From: rc46fi@googlemail.com
> To: users@tomcat.apache.org
> 
> Peter,
> 
> On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther
> <Pe...@melandra.com> wrote:
> 
> > And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
> >
> > I'd also be very interested to see the evidence (either way) on that.
> >
> See, I believe in the statement that the more components you're adding
> to an environment, the more possibilities there are for a
> security-hole. However, to believe is not to know...
> 
> However, when I check full-disclosure and other security lists, I see
> few issues referring to Tomcat, but I see quite a few issues referring
> to HTTPD and its modules.
> 
> I guess once you're able to break HTTPD and have found your way into the
> box, harm is on its way. I further /believe/ that from this point it
> makes sense to use as few components as possible.
> 
> Anyhow, that's what I believe, not what I know.
> 
> Cheers
> 
> Gregor
> -- 
> just because you're paranoid, doesn't mean they're not after you...
> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
> gpgp-key available
> @ http://pgpkeys.pca.dfn.de:11371
> @ http://pgp.mit.edu:11371/
> 
> 


Re: redirection

Posted by Gregor Schneider <rc...@googlemail.com>.
Peter,

On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther
<Pe...@melandra.com> wrote:

> And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
>
> I'd also be very interested to see the evidence (either way) on that.
>
See, I believe in the statement that the more components you're adding
to an environment, the more possibilities there are for a
security-hole. However, to believe is not to know...

However, when I check full-disclosure and other security lists, I see
few issues referring to Tomcat, but I see quite a few issues referring
to HTTPD and its modules.

I guess once you're able to break HTTPD and have found your way into the
box, harm is on its way. I further /believe/ that from this point it
makes sense to use as few components as possible.

Anyhow, that's what I believe, not what I know.

Cheers

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/



RE: redirection

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Gregor Schneider [mailto:rc46fi@googlemail.com]
> On Wed, Apr 1, 2009 at 4:22 PM, Peter Crowther
> <Pe...@melandra.com> wrote:
> >
> > And, indeed, that Apache + mod_security + mod_jk + Tomcat
> has fewer vulnerabilities than just Tomcat.
> >
>
> Since I'm interested in hard data, too, hand over the facts, please.

Quite.  If you look at the full original quote...

-- snip --
> From: fredk2 [mailto:fredk2@gmail.com]
[...]
> (assuming you do not use a WAF firewall).

And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
-- snip --

... I was re-using the "assuming" from the previous poster's brackets.  Sorry - I should have made that more explicit.  Here's the re-stated version:

And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.

I'd also be very interested to see the evidence (either way) on that.

                - Peter



Re: redirection

Posted by Gregor Schneider <rc...@googlemail.com>.
On Wed, Apr 1, 2009 at 4:22 PM, Peter Crowther
<Pe...@melandra.com> wrote:
>
> And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
>

Since I'm interested in hard data, too, hand over the facts, please.

It's just that I'm curious...

Rgds

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/



RE: redirection

Posted by Peter Crowther <Pe...@melandra.com>.
> From: fredk2 [mailto:fredk2@gmail.com]
> It would be better... The Apache httpd web server is more
> versatile

Irrelevant to this problem.

> and its vulnerabilities are better researched.

References for that assertion?  I'm not disagreeing, I'd just be interested in the hard data.

> You can also add
> mod_security and
> other modules to further protect the Tomcat against common
> attacks (assuming you do not use a WAF firewall).

And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.

> Furthermore you can add more Tomcats and
> balance when needed...

Irrelevant to this problem, though I agree with you in the general case.

> also on unix if you do not use jsvc or
> iptable you
> need to run tomcat as root for port 80 which is not a good
> idea...etc...

True, but that's like saying "if you do not have a lock on your front door, your front door will not be locked which is not a good idea."  Why would anyone *not* run using jsvc or iptables?

                - Peter
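Peter's closing question ("why would anyone *not* run using jsvc or iptables?") deserves a concrete answer for the iptables half, so here is an added example that is not part of the thread: let an unprivileged Tomcat answer on port 80 by rewriting the destination port in the kernel, instead of starting Tomcat as root (jsvc solves the same problem differently, by binding the privileged port as root and then dropping privileges). The interface name `eth0`, the port pair 80/8080 and the availability of the iptables `conntrack` match are assumptions; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread: expose an unprivileged Tomcat on port 80
# with an iptables REDIRECT, and make sure the high port it really listens on
# is not a second, unfiltered way in. Assumptions (hypothetical): public
# interface eth0, Tomcat HTTP connector on 8080 bound to that interface's
# address, iptables with the conntrack match. Dry run unless IPTABLES=iptables.

IPTABLES="${IPTABLES:-echo iptables}"

# Exit 0 when a Unix process needs root (or CAP_NET_BIND_SERVICE) to bind PORT.
needs_root_to_bind() {
    [ "$1" -lt 1024 ]
}

# Print or apply the rule set. PUBLIC is the port clients connect to, TOMCAT
# the port the unprivileged Tomcat listens on, IFACE the client-facing interface.
tomcat_port_rules() {
    public="$1"; tomcat="$2"; iface="${3:-eth0}"

    # 1. Inbound: rewrite :PUBLIC to :TOMCAT before routing. Only the first
    #    packet of a connection hits the nat table; conntrack carries the
    #    rewrite over to the rest of the flow.
    $IPTABLES -t nat -A PREROUTING -i "$iface" -p tcp --dport "$public" \
        -j REDIRECT --to-ports "$tomcat"

    # 2. Locally generated traffic (a health check against http://localhost/)
    #    never passes PREROUTING, so it needs the same rewrite in nat OUTPUT.
    $IPTABLES -t nat -A OUTPUT -o lo -p tcp --dport "$public" \
        -j REDIRECT --to-ports "$tomcat"

    # 3. After NAT the packet reaches filter INPUT with dport TOMCAT. Accept it
    #    only when conntrack says the client originally asked for PUBLIC ...
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport "$tomcat" \
        -m conntrack --ctstate NEW --ctorigdstport "$public" -j ACCEPT

    # 4. ... and drop new connections that went straight to TOMCAT, so the
    #    firewall everyone in this thread assumes really only admits :80.
    $IPTABLES -A INPUT -i "$iface" -p tcp --dport "$tomcat" \
        -m conntrack --ctstate NEW -j DROP
}

# Usage (dry run): tomcat_port_rules 80 8080 eth0
# To apply:        IPTABLES=iptables tomcat_port_rules 80 8080 eth0   (as root)
```

Rules 3 and 4 are the part that is easy to forget: a REDIRECT alone leaves 8080 reachable directly, which defeats the point of hiding it. Tomcat itself still runs as an ordinary user, so a compromise of the web application does not start with root.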



RE: redirection

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: fredk2 [mailto:fredk2@gmail.com]
> Subject: RE: redirection
> 
> The apache httpd web server is more versatile 

Additional versatility is worthless if not needed; from a security perspective it merely provides more opportunities for abuse.

> its vulnerabilities are better researched

Evidence, please?  Just because httpd has been around longer does not necessarily mean it is more secure.  Besides, since the previously suggested arrangement was to forward all requests to Tomcat, httpd security is of no interest.

> (assuming you do not use a WAF firewall)

If you're not using a firewall, you're simply asking for trouble.

> Furthermore you can add more Tomcats and balance when needed

Performance was not a topic of discussion; even if it were, there are much superior load balancers available (although they do have a cost).

> on unix if you do not use jsvc or iptable you need to run 
> tomcat as root for port 80 which is not a good idea

No one ever suggested running Tomcat as root.

 - Chuck







RE: redirection

Posted by fredk2 <fr...@gmail.com>.
It would be better... The Apache httpd web server is more versatile and its
vulnerabilities are better researched. You can also add mod_security and
other modules to further protect Tomcat against common attacks (assuming
you do not use a WAF firewall). Furthermore you can add more Tomcats and
balance when needed... also on Unix, if you do not use jsvc or iptables, you
need to run Tomcat as root for port 80, which is not a good idea... etc.

Rgds - Fred

Caldarale, Charles R wrote:
> 
>> From: mateo-jl [mailto:mateo-jl@orange.fr]
>> Subject: re: redirection
>> 
>> i think, the best way is to use the mod_jk module. So, in a firewall
>> environment, you can have your web server (Apache) in the non-protected
>> area and apache will redirect all requests (http:// ....:80 or nothing)
>> at your Tomcat server (http:// ....:8080) within the protected one.
> 
> In what way would that improve security?  Since all requests would be
> forwarded to Tomcat, adding httpd accomplishes nothing except additional
> overhead and complexity.  It's silly to place *anything* in a completely
> unprotected area; you would still have a firewall in place restricting
> access to just ports 80 and 443, even if httpd were handling those ports. 
> Might as well have Tomcat handle those ports directly.
> 
>  - Chuck
> 
> 
> 
> 
> 





RE: redirection

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: mateo-jl [mailto:mateo-jl@orange.fr]
> Subject: re: redirection
> 
> i think, the best way is to use the mod_jk module. So, in a firewall
> environment, you can have your web server (Apache) in the non-protected
> area and apache will redirect all requests (http:// ....:80 or nothing)
> at your Tomcat server (http:// ....:8080) within the protected one.

In what way would that improve security?  Since all requests would be forwarded to Tomcat, adding httpd accomplishes nothing except additional overhead and complexity.  It's silly to place *anything* in a completely unprotected area; you would still have a firewall in place restricting access to just ports 80 and 443, even if httpd were handling those ports.  Might as well have Tomcat handle those ports directly.

 - Chuck

