Posted to users@tomcat.apache.org by Melanie Pfefer <me...@yahoo.co.uk> on 2009/03/31 18:58:42 UTC

redirection

Hello

I have a Tomcat server running on port 8080.

Users need to create a DNS alias which is on port 80. Redirection cannot be done at the DNS level, of course.

Do you have any idea how to achieve this in Tomcat? For example:

http://siroe redirects to http://machineX:8080, which is a Tomcat application?

thank you


      

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: redirection

Posted by mateo-jl <ma...@orange.fr>.
Indeed, the topic of this discussion is not to have 8080 as the main port of Tomcat.
I've just offered one solution among many others: mod_jk.
Some of my customers have opted for this one because of the simplicity of writing URLs, of performance (load-balancing),
and of security too (not using port 80 for Tomcat was a security directive in some cases).



> Message du 01/04/09 15:47
> De : "Caldarale, Charles R" 
> A : "Tomcat Users List" 
> Copie à : 
> Objet : RE: redirection
> 
> > From: mateo-jl [mailto:mateo-jl@orange.fr]
> > Subject: re: redirection
> > 
> > I think the best way is to use the mod_jk module. So, in a firewall
> > environment, you can have your web server (Apache) in the non-protected
> > area and Apache will redirect all requests (http:// ....:80 or nothing)
> > to your Tomcat server (http:// ....:8080) within the protected one.
> 
> In what way would that improve security? Since all requests would be forwarded to Tomcat, adding httpd accomplishes nothing except additional overhead and complexity. It's silly to place *anything* in a completely unprotected area; you would still have a firewall in place restricting access to just ports 80 and 443, even if httpd were handling those ports. Might as well have Tomcat handle those ports directly.
> 
> - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
> 
> 

RE: redirection

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: fredk2 [mailto:fredk2@gmail.com]
> Subject: RE: redirection
> 
> The apache httpd web server is more versatile 

Additional versatility is worthless if not needed; from a security perspective it merely provides more opportunities for abuse.

> its vulnerabilities are better researched

Evidence, please?  Just because httpd has been around longer does not necessarily mean it is more secure.  Besides, since the previously suggested arrangement was to forward all requests to Tomcat, httpd security is of no interest.

> (assuming you do not use a WAF firewall)

If you're not using a firewall, you're simply asking for trouble.

> Furthermore you can add more Tomcats and balance when needed

Performance was not a topic of discussion; even if it were, there are much superior load balancers available (although they do have a cost).

> on unix if you do not use jsvc or iptables you need to run 
> tomcat as root for port 80 which is not a good idea

No one ever suggested running Tomcat as root.

 - Chuck







[OT] RE: redirection

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Gregor Schneider [mailto:rc46fi@googlemail.com]
> See, I believe in the statement that the more components you're adding
> to an environment, the more possibilities there are for a
> security-hole. However, to believe is not to know...

It's clear that a naïve "more components => less secure" argument doesn't work in computer security, as I think few people on this list would argue with the following: "A Tomcat server with a dedicated firewall in front will be more secure than the same Tomcat with no dedicated firewall in front."  Here, more components - and the assumption of fitness for purpose and correct configuration - lead to an assumption of higher rather than lower security.

So we're then into a discussion of how well httpd + mod_security + { mod_proxy, mod_jk} would serve for the purpose - a discussion of the *quality* of the components, rather than just the *quantity*.  And that's why I'd love to see the hard data because, like you, I don't know :-).

                - Peter



Re: redirection

Posted by Mark Thomas <ma...@apache.org>.
Martin Gainty wrote:
> Gregor
> 
> can you elucidate any documented security holes in Apache HTTPD?

Martin - did you even bother to look?

http://httpd.apache.org/security_report.html

Mark




Re: redirection

Posted by Gregor Schneider <rc...@googlemail.com>.
Martin,

On Wed, Apr 1, 2009 at 6:53 PM, Martin Gainty <mg...@hotmail.com> wrote:
>
> Gregor
>
> can you elucidate any documented security holes in Apache HTTPD?
>

Most of them are fixed, but it proves that there are quite a few, and I
bet there will be some full disclosures in future.

For a start:

http://www.google.de/search?q=full+disclosure+apache+httpd&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

Rgds

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/



RE: redirection

Posted by Martin Gainty <mg...@hotmail.com>.
Gregor

can you elucidate any documented security holes in Apache HTTPD?

Martin 
______________________________________________ 
Disclaimer and confidentiality note 
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to please inform the sender. Any unauthorised dissemination or copying hereof is prohibited. This message serves for information purposes only and shall not have any legally binding effect. Given that e-mails can easily be subject to manipulation, we cannot accept any liability for the content provided.






> Date: Wed, 1 Apr 2009 17:31:34 +0200
> Subject: Re: redirection
> From: rc46fi@googlemail.com
> To: users@tomcat.apache.org
> 
> Peter,
> 
> On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther
> <Pe...@melandra.com> wrote:
> 
> > And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
> >
> > I'd also be very interested to see the evidence (either way) on that.
> >
> See, I believe in the statement that the more components you're adding
> to an environment, the more possibilities there are for a
> security-hole. However, to believe is not to know...
> 
> However, when I check full-disclosure and other security-lists, I see
> few issues referring to Tomcat, but I see quite some issues referring
> to HTTPD and its modules.
> 
> I guess if you're once able to break HTTPD and found your way into the
> box, harm is on its way. I further /believe/ that from this point it
> makes sense to use as few components as possible.
> 
> Anyhow, that's what I believe, not what I know.
> 
> Cheers
> 
> Gregor
> -- 
> just because you're paranoid, doesn't mean they're not after you...
> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
> gpgp-key available
> @ http://pgpkeys.pca.dfn.de:11371
> @ http://pgp.mit.edu:11371/
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


Re: redirection

Posted by Gregor Schneider <rc...@googlemail.com>.
Peter,

On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther
<Pe...@melandra.com> wrote:

> And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
>
> I'd also be very interested to see the evidence (either way) on that.
>
See, I believe in the statement that the more components you're adding
to an environment, the more possibilities there are for a
security-hole. However, to believe is not to know...

However, when I check full-disclosure and other security-lists, I see
few issues referring to Tomcat, but I see quite some issues referring
to HTTPD and its modules.

I guess if you're once able to break HTTPD and found your way into the
box, harm is on its way. I further /believe/ that from this point it
makes sense to use as few components as possible.

Anyhow, that's what I believe, not what I know.

Cheers

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/



RE: redirection

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Gregor Schneider [mailto:rc46fi@googlemail.com]
> On Wed, Apr 1, 2009 at 4:22 PM, Peter Crowther
> <Pe...@melandra.com> wrote:
> >
> > And, indeed, that Apache + mod_security + mod_jk + Tomcat
> has fewer vulnerabilities than just Tomcat.
> >
>
> Since I'm interested in hard data, too, hand over the facts, please.

Quite.  If you look at the full original quote...

-- snip --
> From: fredk2 [mailto:fredk2@gmail.com]
[...]
> (assuming you do not use a WAF firewall).

And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
-- snip --

... I was re-using the "assuming" from the previous poster's brackets.  Sorry - I should have made that more explicit.  Here's the re-stated version:

And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.

I'd also be very interested to see the evidence (either way) on that.

                - Peter



Re: redirection

Posted by Gregor Schneider <rc...@googlemail.com>.
On Wed, Apr 1, 2009 at 4:22 PM, Peter Crowther
<Pe...@melandra.com> wrote:
>
> And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
>

Since I'm interested in hard data, too, hand over the facts, please.

It's just that I'm curious...

Rgds

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/



RE: redirection

Posted by Peter Crowther <Pe...@melandra.com>.
> From: fredk2 [mailto:fredk2@gmail.com]
> It would be better...The apache httpd web server is more
> versatile

Irrelevant to this problem.

> and its vulnerabilities are better researched.

References for that assertion?  I'm not disagreeing, I'd just be interested in the hard data.

> You can also add
> mod_security and
> other modules to further protect the Tomcat against common
> attacks (assuming you do not use a WAF firewall).

And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.

> Furthermore you can add more Tomcats and
> balance when needed...

Irrelevant to this problem, though I agree with you in the general case.

> also on unix if you do not use jsvc or
> iptables you
> need to run tomcat as root for port 80 which is not a good
> idea...etc...

True, but that's like saying "if you do not have a lock on your front door, your front door will not be locked which is not a good idea."  Why would anyone *not* run using jsvc or iptables?

                - Peter



RE: redirection

Posted by fredk2 <fr...@gmail.com>.
It would be better...The apache httpd web server is more versatile and its
vulnerabilities are better researched. You can also add mod_security and
other modules to further protect the Tomcat against common attacks (assuming
you do not use a WAF firewall).  Furthermore you can add more Tomcats and
balance when needed... also on unix if you do not use jsvc or iptables you
need to run tomcat as root for port 80 which is not a good idea...etc...

Rgds - Fred

Caldarale, Charles R wrote:
> 
>> From: mateo-jl [mailto:mateo-jl@orange.fr]
>> Subject: re: redirection
>> 
>> I think the best way is to use the mod_jk module. So, in a firewall
>> environment, you can have your web server (Apache) in the non-protected
>> area and Apache will redirect all requests (http:// ....:80 or nothing)
>> to your Tomcat server (http:// ....:8080) within the protected one.
> 
> In what way would that improve security?  Since all requests would be
> forwarded to Tomcat, adding httpd accomplishes nothing except additional
> overhead and complexity.  It's silly to place *anything* in a completely
> unprotected area; you would still have a firewall in place restricting
> access to just ports 80 and 443, even if httpd were handling those ports. 
> Might as well have Tomcat handle those ports directly.
> 
>  - Chuck
> 





RE: redirection

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: mateo-jl [mailto:mateo-jl@orange.fr]
> Subject: re: redirection
> 
> I think the best way is to use the mod_jk module. So, in a firewall
> environment, you can have your web server (Apache) in the non-protected
> area and Apache will redirect all requests (http:// ....:80 or nothing)
> to your Tomcat server (http:// ....:8080) within the protected one.

In what way would that improve security?  Since all requests would be forwarded to Tomcat, adding httpd accomplishes nothing except additional overhead and complexity.  It's silly to place *anything* in a completely unprotected area; you would still have a firewall in place restricting access to just ports 80 and 443, even if httpd were handling those ports.  Might as well have Tomcat handle those ports directly.

 - Chuck




re: redirection

Posted by mateo-jl <ma...@orange.fr>.
Hi,

I think the best way is to use the mod_jk module. So, in a firewall environment, you can have your web server (Apache) in the non-protected area and Apache will redirect all requests (http:// ....:80 or nothing) to your Tomcat server (http:// ....:8080) within the protected one. 
Take a look at the connectors documentation
http://tomcat.apache.org/connectors-doc/

JL

> Message du 31/03/09 18:59
> De : "Melanie Pfefer" 
> A : users@tomcat.apache.org
> Copie à : 
> Objet : redirection
> 
> 
> 
> Hello
> 
> I have a tomcat server running on port 8080.
> 
> users need to create a dns alias which is on port 80. redirection cannot be done on DNS level of course.
> 
> do you have any idea how to achieve this in tomcat. For example:
> 
> http://siroe redirects to http://machineX:8080 that is a tomcat application?
> 
> thank you 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

Re: redirection

Posted by André Warnier <aw...@ice-sa.com>.
Melanie Pfefer wrote:
> Hello
> 
> I have a tomcat server running on port 8080.
> 
> users need to create a dns alias which is on port 80. redirection cannot be done on DNS level of course.
> 
> do you have any idea how to achieve this in tomcat. For example:
> 
> http://siroe redirects to http://machineX:8080 that is a tomcat application?
> 
Hi Melanie.
Since by now, after all these ponderous answers, you might be pretty 
confused as to what to do, let me restart from the beginning.

First, you can configure Tomcat to accept requests on port 80, instead 
of, or in addition to, port 8080.
That is easy, and you would do it in principle by changing in the 
server.xml file, the existing <Connector ... port="8080"> to <Connector 
... port="80">.  That's almost it.
The only catch is that in order for this to work, this Tomcat would need 
to run as user root, because only user root can run a process that opens 
a listening port <= 1024.

If this Tomcat cannot run as root, then there is a workaround: you can 
use something called jsvc, which is like a "wrapper" process which 
starts as root, opens port 80 for Tomcat, then runs Tomcat as a non-root 
user.  That allows Tomcat to run as a non-root user, and to still listen 
on port 80.

If none of the above is possible, then you could indeed run an Apache 
httpd "in front of" your Tomcat.  The Apache httpd (maybe one that is 
there already), can accept requests on port 80, look at the request, 
determine that it is one that Tomcat should handle, and pass it to the 
back-end Tomcat on another port.  This can be done in several ways:

1) the front-end Apache httpd, which listens on port 80, can just act as 
an HTTP proxy, and pass the appropriate requests to the back-end Tomcat 
on the Tomcat HTTP port 8080.
2) the front-end Apache can act as an AJP proxy, and pass requests to 
Tomcat using the AJP protocol.  This requires adding another <Connector> 
to Tomcat, to listen for requests that use that protocol.
There are two sub-cases of this:
2a) using (at the Apache httpd level), a module called mod_proxy_ajp
2b) using (at the Apache httpd level), a module called mod_jk
(In both cases, you can choose the port Tomcat uses to listen for that)

If none of the above is possible or practical, then there are still 
other solutions, using other methods in software/hardware.

Roughly, the above is in order of increasing complexity.

The issue here is not to find a solution (there are many), but to find 
the solution that is the easiest and best-adapted to your problem.

Your initial post above is not very clear as to why you need this.
Tell us a bit more about your real problem and we could probably do 
better at recommending an appropriate solution to you.


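As an added example (not from any poster in this thread and not from the Tomcat project), here is a minimal httpd configuration for the two "Apache httpd in front" variants André lists as options 1 and 2a. It assumes httpd 2.2 or later with mod_proxy, mod_proxy_http and mod_proxy_ajp loaded, the hostnames siroe and machineX from the original question, a hypothetical application context path /app, and Tomcat's default AJP port 8009. The comments carry the defender's points raised in the thread: the front end must not become an open proxy, and the back-end ports must not be reachable directly.

```apache
# Added example, not from the thread or the Tomcat project.
# Assumes: httpd 2.2+ with mod_proxy, mod_proxy_http and mod_proxy_ajp
# loaded; front-end host "siroe" and back-end Tomcat host "machineX"
# (from the original question); /app is a hypothetical context path;
# 8009 is Tomcat's default AJP port. httpd is assumed to already have a
# "Listen 80" directive in its main configuration.

<VirtualHost *:80>
    ServerName siroe

    # A reverse proxy must not also be a forward proxy. With
    # "ProxyRequests On", anyone who can reach port 80 could use this
    # host to relay requests to arbitrary destinations, including hosts
    # inside the protected network.
    ProxyRequests Off

    # Forward the client's Host header so Tomcat generates absolute URLs
    # naming "siroe" rather than "machineX:8080".
    ProxyPreserveHost On

    # Option 1: plain HTTP proxy to Tomcat's HTTP connector on 8080.
    # Only /app is proxied; every other path is served by httpd itself.
    # ProxyPassReverse rewrites the Location headers in Tomcat's own
    # redirects so clients never learn the back-end port.
    ProxyPass        /app http://machineX:8080/app
    ProxyPassReverse /app http://machineX:8080/app

    # Option 2a: AJP proxy via mod_proxy_ajp (use instead of option 1).
    # Requires an AJP/1.3 <Connector port="8009" ...> in Tomcat's
    # server.xml; AJP carries the original host and port itself, so no
    # ProxyPassReverse is needed for this variant.
    #ProxyPass        /app ajp://machineX:8009/app

    # Whichever option is used, ports 8080 and 8009 on machineX should be
    # reachable only from this front end (firewall rule, or the address=
    # attribute on Tomcat's <Connector> when both run on one host);
    # otherwise the front end, and anything like mod_security on it, can
    # simply be bypassed.
</VirtualHost>
```

Run `apachectl configtest` before restarting httpd; it reports an unloaded proxy module or a directive typo without touching the running server.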


RE: redirection

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Melanie Pfefer [mailto:melanie_pfefer@yahoo.co.uk]
> Subject: redirection
> 
> I have a tomcat server running on port 8080.

Why don't you just configure Tomcat to use port 80?  That can either replace the existing <Connector> for 8080 or be an additional <Connector>.  Look in the conf/server.xml file.

 - Chuck




RE: redirection

Posted by Ilya Kazakevich <ka...@devexperts.com>.
You need some front-end proxy. 
Apache web-server could do it.
Squid could (AFAIK).
Nginx could do it also.



-----Original Message-----
From: Melanie Pfefer [mailto:melanie_pfefer@yahoo.co.uk] 
Sent: Tuesday, March 31, 2009 8:59 PM
To: users@tomcat.apache.org
Subject: redirection


Hello

I have a tomcat server running on port 8080.

users need to create a dns alias which is on port 80. redirection cannot be
done on DNS level of course.

do you have any idea how to achieve this in tomcat. For example:

http://siroe redirects to http://machineX:8080 that is a tomcat application?

thank you


      





Re: redirection

Posted by Steve <st...@up-south.com>.
Melanie Pfefer wrote:
> Hello
> 
> I have a tomcat server running on port 8080.
> 
> users need to create a dns alias which is on port 80. redirection cannot be done on DNS level of course.
> 
> do you have any idea how to achieve this in tomcat. For example:
> 
> http://siroe redirects to http://machineX:8080 that is a tomcat application?
> 
> thank you
> 
> 
mod_proxy or mod_jk (most likely) if you are using Apache.

-- 
eats the blues for breakfast
does unix for rent
rides for the freedom
scrapes for the challenge
310-947-8565
