Posted to users@tomcat.apache.org by John Smith <to...@gmail.com> on 2014/07/24 21:11:17 UTC

TC7 and SSL Questions

TC 7.0.54 / JDK 1.7.0_60 / RHEL 6

My webapp is the only one on my TC install. It's in webapps/ROOT. Iptables
routes 80 to 8080 and I'm using the NIO connector. There are two physical
servers with that same webapp, using session replication. Everything works
great.

There's a subdirectory "/admin" in the webapp that has some admin tools
that we've been using behind our firewall and under BASIC authentication. I
want to put just the /admin directory under SSL and have a user/hashed-pass
in the database do the login and authentication instead of having them in
tomcat-users.xml.

Questions:

1. Can I specify /admin/* as a security constraint url pattern so that only
that directory runs under SSL?

2. The NIO connector is accepted for JSSE, since I'm using it already, is
there any point in not using it as my SSL connector?

3. Any known issues with routing 443 to 8443 in Iptables?

4. The admin tools share underlying classes with the rest of the web
application, which is why it makes sense to have it just as a subdirectory
in the same webapp. But would I be better off migrating the admin tools to
their own webapp for the purposes of SSL?

Apologies if I've missed any of this in the docs. Any additional
info/advice appreciated.

Thanks in Advance,
John

Re: TC7 and SSL Questions

Posted by John Smith <to...@gmail.com>.
On Thu, Jul 24, 2014 at 6:24 PM, Ognjen Blagojevic <
ognjen.d.blagojevic@gmail.com> wrote:

> John,
>
>
> On 24.7.2014 21:11, John Smith wrote:
>
>> 1. Can I specify /admin/* as a security constraint url pattern so that
>> only
>> that directory runs under SSL?
>>
>
> Yes, you can.
>
>
>
>> 2. The NIO connector is accepted for JSSE, since I'm using it already, is
>> there any point in not using it as my SSL connector?
>>
>
> If /admin has low traffic, then I would say, there is no need to use
> anything else. For high traffic TLS/SSL applications you may want to do
> some performance measurements of different Tomcat connectors, simulating
> your traffic patterns.
>
>
>
>> 3. Any known issues with routing 443 to 8443 in Iptables?
>>
>
> I recommend using JSVC instead of iptables redirect. I had issues with
> redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support
> redirect, either.
>
>
>
>> 4. The admin tools share underlying classes with the rest of the web
>> application, which is why it makes sense to have it just as a subdirectory
>> in the same webapp. But would I be better off migrating the admin tools to
>> their own webapp for the purposes of SSL?
>>
>
> Yes, I think so. From the security standpoint, that is way better. It will
> be much easier to apply IP address filtering, move it to another port /
> server, to isolate admin and user privileges, and so on.
>
> -Ognjen
Thanks for the info.

Best,
John

Re: TC7 and SSL Questions

Posted by Ognjen Blagojevic <og...@gmail.com>.
John,

On 24.7.2014 21:11, John Smith wrote:
> 1. Can I specify /admin/* as a security constraint url pattern so that only
> that directory runs under SSL?

Yes, you can.


> 2. The NIO connector is accepted for JSSE, since I'm using it already, is
> there any point in not using it as my SSL connector?

If /admin has low traffic, then I would say, there is no need to use 
anything else. For high traffic TLS/SSL applications you may want to do 
some performance measurements of different Tomcat connectors, simulating 
your traffic patterns.


> 3. Any known issues with routing 443 to 8443 in Iptables?

I recommend using JSVC instead of iptables redirect. I had issues with 
redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support 
redirect, either.


> 4. The admin tools share underlying classes with the rest of the web
> application, which is why it makes sense to have it just as a subdirectory
> in the same webapp. But would I be better off migrating the admin tools to
> their own webapp for the purposes of SSL?

Yes, I think so. From the security standpoint, that is way better. It 
will be much easier to apply IP address filtering, move it to another 
port / server, to isolate admin and user privileges, and so on.

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
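As an added example (not configuration from either poster), the following fragments show one way to do what the first question and the "user/hashed-pass in the database" requirement ask for on Tomcat 7: a CONFIDENTIAL constraint scoped to /admin/* only, a DataSourceRealm in place of tomcat-users.xml, and the connector redirectPort that makes the HTTP-to-HTTPS redirect work behind the iptables 443 -> 8443 forward. The DataSource, table and column names, keystore path and passwords are assumed placeholders.

```xml
<!-- WEB-INF/web.xml of the ROOT webapp: only /admin/* requires TLS and the "admin" role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin tools</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect plain-HTTP requests for /admin/* to the connector's redirectPort -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Admin tools</realm-name>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- META-INF/context.xml: authenticate against the database instead of tomcat-users.xml.
     Resource name, table and column names below are assumptions for this example. -->
<Context>
  <Resource name="jdbc/appdb" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/appdb"
            username="tomcat" password="CHANGE_ME" maxActive="10" maxIdle="2" />
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         localDataSource="true" dataSourceName="jdbc/appdb"
         userTable="app_users" userNameCol="username" userCredCol="password_sha256"
         userRoleTable="app_user_roles" roleNameCol="role_name"
         digest="SHA-256" />
</Context>

<!-- conf/server.xml: redirectPort must be the port the browser can reach. With iptables
     forwarding 443 -> 8443 that is 443; leaving the default 8443 sends users to a port the firewall may block. -->
<Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000" redirectPort="443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="CHANGE_ME"
           clientAuth="false" sslProtocol="TLS" />
```

Note that the `digest` attribute on Tomcat 7 realms computes a plain, unsalted hash of the password with the named algorithm, so the stored values must be produced the same way (for example with `digest.sh -a SHA-256`) and offer less resistance to offline cracking than a salted, iterated scheme.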