Chris,

Blimey, even with a long name it gets found, I guess we are always being 
snooped on 🙁.

401 Unauthorized
       /reallylongmanager1234567890/html: 3 Time(s)

6 1(1.03%) 0(0.00%) 3.38 KiB(0.23%) FR France Mozilla/5.0 (Linux; U; Android 4.1.2; ja-jp; SC-06D Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
7 1(1.03%) 0(0.00%) 3.38 KiB(0.23%) Unknown Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

I guess the default 401 page should be modified locally to just say 401 
Unauthorized and not mention Tomcat.

Cheers Greg

On 01/10/2021 22:09, Christopher Schultz wrote:
Greg,

On 9/28/21 06:52, Greg Huber wrote:
Hello,

Are there any best practice notes for the manager app?

e.g., if I include the app in webapps I get a context on my site, do I create a long name for the folder (the url) to hide it?

e.g. a folder called reallylongmanager1234567890

so I get http://xxx.site/reallylongmanager1234567890

Or is there a better way?

Hiding the name is just security-by-obscurity. But in this case, it's a useful one if you want to go through the effort. No script kiddie is going to scan the internet for host/reallylongmanager1234567890, they'll try host/manager and, getting a 404, will move-on to others.

At $work, we enable the RemoteAddrValve and make sure it only allows connections from localhost. It turns out this is the default these days, so I may adjust my build process to stop doing that explicitly. We also require authentication so local miscreants, if they exist, can't mess with our applications. Well, at least non-root miscreants. ;)

We also run everything through a reverse proxy (httpd) and only map our "real" web applications from the outside world into the back-end Tomcat notes. This is the real protection: you can't get to our manager from the outside world at all.

-chris
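As an added configuration example (not from this thread or the Tomcat project's own files), here are the two pieces discussed above in one place: a RemoteAddrValve that limits the manager to loopback clients, and an ErrorReportValve setting that stops the default 401/404 pages from naming Tomcat. File paths, the Host attributes and the exact allow pattern are assumptions to adapt to your deployment.

```xml
<!-- Added example, not from the thread or the Tomcat distribution.
     Fragment 1: conf/Catalina/localhost/manager.xml (per-context config for
     the manager app; takes precedence over webapps/manager/META-INF/context.xml).
     RemoteAddrValve rejects any request whose client address does not match
     the regex, so only loopback clients can reach the manager at all. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>

<!-- Fragment 2: conf/server.xml, inside the <Host> element (attributes here
     are assumed values).  Declaring ErrorReportValve explicitly replaces the
     one Tomcat adds by default: showServerInfo="false" drops the
     "Apache Tomcat/x.y.z" banner from error pages and showReport="false"
     drops the description/stack-trace section, so a 401 says only
     "401 Unauthorized". -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />
  <!-- Caveat: if a RemoteIpValve is also configured, RemoteAddrValve sees
       the forwarded client address rather than the proxy's, so keep
       internalProxies limited to the reverse proxy hosts you control. -->
</Host>
```

Restart Tomcat after editing server.xml; the manager.xml fragment is picked up on context deployment.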
