Hello,

I have a Tomcat server running on port 8080.

Users need to create a DNS alias which is on port 80. Redirection cannot be done on the DNS level, of course.

Do you have any idea how to achieve this in Tomcat? For example:

http://siroe redirects to http://machineX:8080, which is a Tomcat application?

Thank you

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Melanie Pfefer wrote:
> Hello
>
> I have a Tomcat server running on port 8080.
>
> Users need to create a DNS alias which is on port 80. Redirection cannot be done on the DNS level, of course.
>
> Do you have any idea how to achieve this in Tomcat? For example:
>
> http://siroe redirects to http://machineX:8080, which is a Tomcat application?
>
> Thank you

--
eats the blues for breakfast
does unix for rent
rides for the freedom
scrapes for the challenge
310-947-8565
In reply to this post by Melanie Pfefer
You need some front-end proxy.

Apache web server could do it. Squid could (AFAIK). Nginx could do it also.

-----Original Message-----
From: Melanie Pfefer [mailto:[hidden email]]
Sent: Tuesday, March 31, 2009 8:59 PM
To: [hidden email]
Subject: redirection

> Hello
>
> I have a tomcat server running on port 8080.
>
> users need to create a dns alias which is on port 80. redirection cannot be done on DNS level of course.
>
> do you have any idea how to achieve this in tomcat. For example:
>
> http://siroe redirects to http://machineX:8080 that is a tomcat application?
>
> thank you
In reply to this post by Melanie Pfefer
> From: Melanie Pfefer [mailto:[hidden email]]
> Subject: redirection
>
> I have a tomcat server running on port 8080.

Why don't you just configure Tomcat to use port 80? That can either replace the existing <Connector> for 8080 or be an additional <Connector>. Look in the conf/server.xml file.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
In reply to this post by Melanie Pfefer
Hi,

I think the best way is to use the mod_jk module. So, in a firewall environment, you can have your web server (Apache) in the non-protected area, and Apache will redirect all requests (http:// ....:80 or nothing) to your Tomcat server (http:// ....:8080) within the protected one.

Take a look at the connectors documentation: http://tomcat.apache.org/connectors-doc/

JL

> Message from 31/03/09 18:59
> From: "Melanie Pfefer"
> To: [hidden email]
> Cc:
> Subject: redirection
>
> Hello
>
> I have a tomcat server running on port 8080.
>
> users need to create a dns alias which is on port 80. redirection cannot be done on DNS level of course.
>
> do you have any idea how to achieve this in tomcat. For example:
>
> http://siroe redirects to http://machineX:8080 that is a tomcat application?
>
> thank you
> From: mateo-jl [mailto:[hidden email]]
> Subject: re: redirection
>
> i think, the best way is to use the mod_jk module. So, in a firewall
> environment, you can have your web server (Apache) in the non-protected
> area and apache will redirect all requests (http:// ....:80 or nothing)
> at your Tomcat server (http:// ....:8080) within the protected one.

In what way would that improve security? Since all requests would be forwarded to Tomcat, adding httpd accomplishes nothing except additional overhead and complexity. It's silly to place *anything* in a completely unprotected area; you would still have a firewall in place restricting access to just ports 80 and 443, even if httpd were handling those ports. Might as well have Tomcat handle those ports directly.

- Chuck
It would be better... The Apache httpd web server is more versatile and its vulnerabilities are better researched. You can also add mod_security and other modules to further protect the Tomcat against common attacks (assuming you do not use a WAF firewall). Furthermore, you can add more Tomcats and balance when needed... Also, on Unix, if you do not use jsvc or iptables you need to run Tomcat as root for port 80, which is not a good idea... etc.

Rgds - Fred
> From: fredk2 [mailto:[hidden email]]
> Subject: RE: redirection
>
> The apache httpd web server is more versatile

Additional versatility is worthless if not needed; from a security perspective it merely provides more opportunities for abuse.

> its vulnerabilities are better researched

Evidence, please? Just because httpd has been around longer does not necessarily mean it is more secure. Besides, since the previously suggested arrangement was to forward all requests to Tomcat, httpd security is of no interest.

> (assuming you do not use a WAF firewall)

If you're not using a firewall, you're simply asking for trouble.

> Furthermore you can add more Tomcats and balance when needed

Performance was not a topic of discussion; even if it were, there are much superior load balancers available (although they do have a cost).

> on unix if you do not use jsvc or iptable you need to run
> tomcat as root for port 80 which is not a good idea

No one ever suggested running Tomcat as root.

- Chuck
In reply to this post by fredk2
> From: fredk2 [mailto:[hidden email]]
> I would be better...The apache httpd web server is more
> versatile

Irrelevant to this problem.

> and its vulnerabilities are better researched.

References for that assertion? I'm not disagreeing, I'd just be interested in the hard data.

> You can also add
> mod_security and
> other modules to further protect the Tomcat against common
> attacks (assuming you do not use a WAF firewall).

And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.

> Furthermore you can add more Tomcats and
> balance when needed...

Irrelevant to this problem, though I agree with you in the general case.

> also on unix if you do not use jsvc or
> iptable you
> need to run tomcat as root for port 80 which is not a good
> idea...etc...

True, but that's like saying "if you do not have a lock on your front door, your front door will not be locked which is not a good idea." Why would anyone *not* run using jsvc or iptables?

- Peter
In reply to this post by Caldarale, Charles R
Indeed, the topic of this discussion is not to have 8080 as the main port of Tomcat. I've just put forward one solution among many others: mod_jk. Some of my customers have opted for this one because of the simplicity of writing URLs, performance (load-balancing), and security too (not using port 80 for Tomcat was a security directive in some cases).

> Message from 01/04/09 15:47
> From: "Caldarale, Charles R"
> To: "Tomcat Users List"
> Cc:
> Subject: RE: redirection
>
> > From: mateo-jl [mailto:[hidden email]]
> > Subject: re: redirection
> >
> > i think, the best way is to use the mod_jk module. So, in a firewall
> > environment, you can have your web server (Apache) in the non-protected
> > area and apache will redirect all requests (http:// ....:80 or nothing)
> > at your Tomcat server (http:// ....:8080) within the protected one.
>
> In what way would that improve security? Since all requests would be forwarded to Tomcat, adding httpd accomplishes nothing except additional overhead and complexity. It's silly to place *anything* in a completely unprotected area; you would still have a firewall in place restricting access to just ports 80 and 443, even if httpd were handling those ports. Might as well have Tomcat handle those ports directly.
>
> - Chuck
In reply to this post by Peter Crowther
On Wed, Apr 1, 2009 at 4:22 PM, Peter Crowther
<[hidden email]> wrote:
>
> And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
>

Since I'm interested in hard data, too, hand over the facts, please. It's just that I'm curious...

Rgds

Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
> From: Gregor Schneider [mailto:[hidden email]]
> On Wed, Apr 1, 2009 at 4:22 PM, Peter Crowther
> <[hidden email]> wrote:
> >
> > And, indeed, that Apache + mod_security + mod_jk + Tomcat
> > has fewer vulnerabilities than just Tomcat.
> >
>
> Since I'm interested on hard data, too, hand over the facts, please.

Quite. If you look at the full original quote...

-- snip --
> From: fredk2 [mailto:[hidden email]]
[...]
> (assuming you do not use a WAF firewall).

And, indeed, that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
-- snip --

... I was re-using the "assuming" from the previous poster's brackets. Sorry - I should have made that more explicit. Here's the re-stated version:

And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.

I'd also be very interested to see the evidence (either way) on that.

- Peter
In reply to this post by Melanie Pfefer
Melanie Pfefer wrote:
> Hello
>
> I have a tomcat server running on port 8080.
>
> users need to create a dns alias which is on port 80. redirection cannot be done on DNS level of course.
>
> do you have any idea how to achieve this in tomcat. For example:
>
> http://siroe redirects to http://machineX:8080 that is a tomcat application?
>

Since by now, after all these ponderous answers, you might be pretty confused as to what to do, let me restart from the beginning.

First, you can configure Tomcat to accept requests on port 80, instead of, or in addition to, port 8080. That is easy, and you would do it in principle by changing, in the server.xml file, the existing <Connector ... port="8080"> to <Connector ... port="80">. That's almost it.

The only catch is that in order for this to work, this Tomcat would need to run as user root, because only user root can run a process that opens a listening port <= 1024.

If this Tomcat cannot run as root, then there is a workaround: you can use something called jsvc, which is like a "wrapper" process which starts as root, opens port 80 for Tomcat, then runs Tomcat as a non-root user. That allows Tomcat to run as a non-root user, and to still listen on port 80.

If none of the above is possible, then you could indeed run an Apache httpd "in front of" your Tomcat. The Apache httpd (maybe one that is there already) can accept requests on port 80, look at the request, determine that it is one that Tomcat should handle, and pass it to the back-end Tomcat on another port. This can be done in several ways:

1) the front-end Apache httpd, which listens on port 80, can just act as an HTTP proxy, and pass the appropriate requests to the back-end Tomcat on the Tomcat HTTP port 8080.

2) the front-end Apache can act as an AJP proxy, and pass requests to Tomcat using the AJP protocol. This requires adding another <Connector> to Tomcat, to listen for requests that use that protocol. There are 2 sub-cases of this:
   2a) using (at the Apache httpd level) a module called mod_proxy_ajp
   2b) using (at the Apache httpd level) a module called mod_jk
   (In both cases, you can choose the port Tomcat uses to listen for that.)

If none of the above is possible or practical, then there are still other solutions, using other methods in software/hardware.

Roughly, the above is in order of increasing complexity. The issue here is not to find a solution (there are many), but to find the solution that is the easiest and best-adapted to your problem. Your initial post above is not very clear as to why you need this. Tell us a bit more about your real problem and we could probably do better at recommending an appropriate solution to you.
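The following conf/server.xml fragment is an added example, not code from the thread or from the Tomcat project's documentation. It shows, in one place, the two connector changes discussed above: Chuck's suggestion of a <Connector> on port 80 (with the original 8080 connector kept for local use), and the AJP <Connector> that André's option 2 (mod_proxy_ajp or mod_jk in front) requires. The port numbers, the loopback binding and the "siroe" alias are assumptions chosen for illustration; on Unix, ports below 1024 are privileged, so this layout assumes Tomcat is started through jsvc (or another wrapper that drops privileges) rather than as root.

```xml
<!-- conf/server.xml fragment (added example, not from the thread).
     Assumes Tomcat is launched under jsvc so that port 80 can be bound
     before privileges are dropped to an unprivileged service account. -->
<Service name="Catalina">

  <!-- Option 1 (Chuck): Tomcat answers on port 80 directly.
       No front-end proxy is involved; the host firewall still limits
       inbound traffic to 80/443 as the thread assumes. -->
  <Connector port="80"
             protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- The original 8080 connector may stay for local administration,
       but bound to loopback so it is not a second public entry point. -->
  <Connector port="8080"
             protocol="HTTP/1.1"
             address="127.0.0.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- Option 2 (André, 2a/2b): a front-end httpd on port 80 forwards to
       Tomcat over AJP. AJP carries connection metadata that Tomcat
       trusts (client address, SSL attributes), so it must only be
       reachable from the proxy host: bind it to loopback, or to the
       private interface the proxy uses, never to all addresses. -->
  <Connector port="8009"
             protocol="AJP/1.3"
             address="127.0.0.1"
             redirectPort="8443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
      <!-- Lets requests for the DNS alias "siroe" (Melanie's example)
           select this Host explicitly rather than relying on defaultHost. -->
      <Alias>siroe</Alias>
    </Host>
  </Engine>
</Service>
```

Pick one of the two options rather than enabling both: with option 1 the AJP connector is unnecessary and should be left out, and with option 2 the port 80 connector is replaced by the httpd listener. On the httpd side, 2a maps a path with mod_proxy_ajp (for example `ProxyPass / ajp://127.0.0.1:8009/`), while 2b uses mod_jk with a worker in workers.properties pointing at port 8009 and a `JkMount` directive. If the proxy runs on a separate host, replace the loopback `address` with the private interface and rely on the firewall Chuck mentions to keep 8009 off the public side; Tomcat 8.5.51 / 9.0.31 and later additionally reject AJP connections without a configured shared secret unless that requirement is explicitly disabled. Peter's iptables alternative (a NAT redirect of inbound port 80 to 8080) needs no connector change at all and keeps Tomcat entirely unprivileged.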
|
In reply to this post by Peter Crowther
Peter,

On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther <[hidden email]> wrote:
> And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
>
> I'd also be very interested to see the evidence (either way) on that.
>

See, I believe in the statement that the more components you're adding to an environment, the more possibilities there are for a security hole. However, to believe is not to know...

However, when I check full-disclosure and other security lists, I see few issues referring to Tomcat, but I see quite some issues referring to HTTPD and its modules.

I guess if you're once able to break HTTPD and found your way into the box, harm is on its way. I further /believe/ that from this point it makes sense to use as few components as possible.

Anyhow, that's what I believe, not what I know.

Cheers

Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
> From: Gregor Schneider [mailto:[hidden email]]
> See, I believe in the statement that the more components you're adding
> to an environment, the more possibilities there are for a
> security-hole. However, to believe is not to know...

It's clear that a naïve "more components => less secure" argument doesn't work in computer security, as I think few people on this list would argue with the following:

"A Tomcat server with a dedicated firewall in front will be more secure than the same Tomcat with no dedicated firewall in front."

Here, more components - and the assumption of fitness for purpose and correct configuration - lead to an assumption of higher rather than lower security. So we're then into a discussion of how well httpd + mod_security + { mod_proxy, mod_jk } would serve for the purpose - a discussion of the *quality* of the components, rather than just the *quantity*. And that's why I'd love to see the hard data because, like you, I don't know :-).

- Peter
In reply to this post by Gregor S.
Gregor

can you elucidate any documented security holes in Apache HTTPD?

Martin

> Date: Wed, 1 Apr 2009 17:31:34 +0200
> Subject: Re: redirection
> From: [hidden email]
> To: [hidden email]
>
> Peter,
>
> On Wed, Apr 1, 2009 at 4:58 PM, Peter Crowther
> <[hidden email]> wrote:
>
> > And, indeed, *assuming* that Apache + mod_security + mod_jk + Tomcat has fewer vulnerabilities than just Tomcat.
> >
> > I'd also be very interested to see the evidence (either way) on that.
> >
> See, I believe in the statement that the more components you're adding
> to an environment, the more possibilities there are for a
> security-hole. However, to believe is not to know...
>
> However, when I check full-disclosure and other security-lists, I see
> few issues referring to Tomcat, but I see quite some issues referring
> to HTTPD and it's modules.
>
> I guess if you're once able to break HTTPD and found your way into the
> box, harm is on it's way. I further /believe/ that from this point it
> makes sense to use as few components as possible.
>
> Anyhow, that's what I believe, not what I know.
>
> Cheers
>
> Gregor
Martin,

On Wed, Apr 1, 2009 at 6:53 PM, Martin Gainty <[hidden email]> wrote:
>
> Gregor
>
> can you elucidate any documented security holes in Apache HTTPD?
>

Most of them are fixed, but it proves that there are quite some, and I bet there will be some full disclosure in future. For a start:

http://www.google.de/search?q=full+disclosure+apache+httpd&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:de:official&client=firefox-a

Rgds

Gregor
--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
In reply to this post by Martin Gainty
Martin Gainty wrote:
> Gregor
>
> can you elucidate any documented security holes in Apache HTTPD?

Martin - did you even bother to look?

http://httpd.apache.org/security_report.html

Mark
