Re: How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?

2013-01-13 Thread André Warnier

Brian Braun wrote:

> Hi,
>
> This is my infrastructure, from the point of view of what my
> users/attackers are facing:
>
> - Amazon web service Elastic Load balancer
> - 2 or more Ubuntu Linux VPSs behind the load balancer
> - IPTables running inside Ubuntu
> - JVM 1.6.0_35-b10
> - Tomcat 7.0.33
> - My app, running inside Tomcat
>
> I want to stop if one person starts making an excessive amount of requests
> to my app, maybe because he needs to make all those requests but didn't
> know there is a service limit in the RestFul service I'm providing, maybe
> because he doesn't care about the service limits, or maybe because he wants
> to attack me with a DoS.
>
> I can do it at the app level using a servlet filter and I'm already
> filtering them by IPs there, but that is not the best solution because the
> http requests will go all the way to my app, causing a lot of work to the
> previous layers (from the OS to the app).
>
> I can also do it at the Tomcat level using valves even at the engine level,
> but the same concern applies here: too much previous effort. Besides that,
> I can not update the offending IPs registered in the valve in a
> programmatic way (as I can do using servlet filters and a MySQL database
> containing the offending IPs).
>
> I can NOT do it at the IPTables level, because the real IP address is in
> the x_forwarded_for header and IPTables deals with TCP/IP, not with HTTP.
> Or at least, even if there is a way to create a rule, it will not run in an
> efficient way.
>
> I will NOT be able to do it at the load balancer level, because Amazon
> doesn't allow us to stop some IPs there, not to mention a way to stop a
> DoS.
>
> I have been doing some research, and it seems that I have two good
> options: Installing Apache HTTPD server or NGINX, before Tomcat. I know a
> lot about Tomcat, but almost nothing about Apache HTTPD and nothing about
> NGINX. Which one would you recommend me? This is what I'm looking for:
>
> - To be able to evaluate the x_forwarded_for header to recognize the real
> IP address (because there will be a load balancer behind)
> - To be able to limit the rate of requests based on the IP making them, so
> they enter my site at a slower rate, or if that is not possible to reject
> the excessive requests.
> - To place this new layer (HTTPD or NGINX) between the load balancer and
> Tomcat, so Tomcat will still run the app. My app has been written in Java
> and I love java/Tomcat, so this will definitely keep existing.
> - Speed, low resources consumption (mainly CPU and RAM), stability,
> reliability.
> - Easy to learn, install and maintain.
>
> Which one would you recommend, Apache or NGINX? I guess it would be better
> to use Apache because of all the documentation and information out there,
> and it would not harm me to finally learn about Apache. But I read
> somewhere that NGINX is specially fast and light in doing this (stopping
> DoS). However, I read that it is easier to connect HTTPD and Tomcat while
> it is not that easy NGINX/Tomcat.
> Or is there a better solution to stop users making an excessive amount of
> requests, using just Tomcat? Is there a filter somewhere that could help
> me, or a valve I haven't heard of?



Thank you for the good description above.

Based on these elements, I would recommend having a look at mod_evasive in 
Apache httpd.
Google for apache mod_security ubuntu.
(Those two are often configured together)

Connecting Apache httpd and Tomcat can be done using either
- mod_proxy and mod_proxy_http (if you want to stick to HTTP between Apache 
httpd and Tomcat)
- mod_proxy and mod_proxy_ajp (using the AJP protocol between Apache httpd and 
Tomcat)
- mod_jk (also using the AJP protocol between Apache httpd and Tomcat)
The choice between the last 2 is a matter of specific needs, convenience and 
preference.
There is quite a lot of previous discussion available in the list archives about this 
choice of Apache/Tomcat connectors.

All of them are easy to install in Ubuntu, as there are standard apt packages 
for all of them.

Note that all 3 connection methods above already include options for load-balancing the 
Tomcat back-ends, if you would see any advantage in suppressing the Amazon web service 
Elastic Load balancer layer.


To restate the obvious:
No matter at which level you do the rate-limiting or DOS-protection, it is going to cost 
some overhead somewhere. Generally-speaking however, if the point is to limit and discard 
at the request level, it is better to do it as early as possible.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
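As an added example (not from this thread, and not the configuration of any of the posters), here is an Apache httpd 2.4 setup for the layout André describes: mod_remoteip to recover the client address from the load balancer's X-Forwarded-For header, mod_evasive for per-client rate limiting, and mod_proxy_http to hand the request to Tomcat. Assumed values: 10.0.0.0/8 as the subnet the ELB connects from, a Tomcat HTTP connector on 127.0.0.1:8080, and /var/log/apache2/evasive as the block log directory.

```apache
# Added example, not from the thread. Enable the modules on Ubuntu with:
#   a2enmod remoteip evasive proxy proxy_http
# Assumed: 10.0.0.0/8 is the ELB-facing subnet, Tomcat listens on 127.0.0.1:8080.

# 1. Trust X-Forwarded-For only when the TCP peer is an internal proxy (the
#    load balancer). The header is client-controlled otherwise; mod_remoteip
#    walks it right-to-left and skips trusted hops, so a spoofed left-most
#    value is never taken as the client address.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/8

# Log the recovered client address (%a) next to the TCP peer (%{c}a) so the
# header handling can be confirmed before it is relied on for blocking.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" xff
CustomLog ${APACHE_LOG_DIR}/access.log xff

# 2. mod_evasive: a client that requests the same URI more than DOSPageCount
#    times within DOSPageInterval seconds, or any URI more than DOSSiteCount
#    times within DOSSiteInterval seconds, gets HTTP 403 for
#    DOSBlockingPeriod seconds. Tune the counts to the RESTful service limits.
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        10
    DOSPageInterval     1
    DOSSiteCount        100
    DOSSiteInterval     1
    DOSBlockingPeriod   60
    DOSLogDir           /var/log/apache2/evasive
    # Never count the load balancer's own health checks (no XFF header, so
    # their address stays the internal one).
    DOSWhitelist        10.*.*.*
</IfModule>
# Check before enabling in production: mod_evasive must count on the address
# mod_remoteip substitutes (the one %a logs). If your build counts on the TCP
# peer instead, every request appears to come from the ELB and one noisy
# client would get everyone blocked. Verify with two test clients.

# 3. Forward everything to Tomcat over plain HTTP (mod_proxy_http).
ProxyPreserveHost On
ProxyPass        /  http://127.0.0.1:8080/
ProxyPassReverse /  http://127.0.0.1:8080/
```

Because the rejection happens in httpd, blocked requests never reach the Tomcat connector, which is the early discard André recommends.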



Re: Restricting ciphers

2013-01-13 Thread Tim Whittington
>> As can be seen from your usage of keystoreType attribute, you are
>> using Java implementation of the Connector,  not openssl/APR one.
>>
>> You should look into Java documentation for their cipher names.
>>
>> See this thread from October 2009:
>> http://markmail.org/message/zn4namfhypyxum23
>
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently.  If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
>
>   ciphers=SSL_RSA_WITH_RC4_128_MD5,
> SSL_RSA_WITH_RC4_128_SHA,
> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
> TLS_ECDHE_RSA_WITH_RC4_128_SHA,
> TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
> TLS_ECDH_RSA_WITH_RC4_128_SHA

The BIO connector in <= 7.0.35 silently reverts to the JVM default
ciphers (and sslEnabledProtocols) if none of the specified options are
supported by the SSL implementation.
I've changed this in 7.0.36+ [1] to not do this (I've had customers
bitten by the same issue when running on AIX, since IBM changed the
prefix on all the cipher suites from TLS_ to SSL_).

[1]: https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

cheers
tim




Question about config and correct start-up

2013-01-13 Thread Alan Findly

Dear Tomcat user's group:
   I'm having a problem getting cgi to work.  I have Tomcat 
installed--used the installer from download page.  It's working fine for 
java, but I need the web server for my cgi project  running  testing 
perl from html locally on my PC...yea Windows env...ah, well...anyway my 
goal is to develop Perl stuff locally before uploading to regular server.
  I've followed all the config instructions for setting it up, 
including editing the conf\web.xml file to make the cgi servlet 
functional, which just involves removing comment signs from around the 
servlet.
  Done.  So, what should happen is that when I call a perl script from 
html it should fire up  go.
  But  still no workey  so digging further I noticed the config 
document which is a README.xml  makes a vague reference to having 
the correct context for cgi, but seemingly no other dataI'm 
missing something??
  Now, folks, I have no more clues what this refers to ... can someone 
shed some light for me??
  I've made an assumption that since I'm the only user on my PC that I 
do not have to register me in the Tomcat-users.xml  since the 
role of manager-gui does not seem to apply to cgi.

  But I've been wrong before!

Thanks,
Alan




Re: Question about config and correct start-up

2013-01-13 Thread Alan Findly

Forgot to mention version of tomcat .7.0.34 . on WindowsXP


 Original Message 
Subject:Question about config and correct start-up
Date:   Sun, 13 Jan 2013 19:52:55 -0700
From:   Alan Findly afin...@ronan.net
To: users@tomcat.apache.org



Re: Question about config and correct start-up

2013-01-13 Thread Mark Thomas
On 14/01/2013 03:52, Alan Findly wrote:
> Forgot to mention version of tomcat .7.0.34 . on WindowsXP
>
>
>  Original Message 
> Subject: Question about config and correct start-up
> Date: Sun, 13 Jan 2013 19:52:55 -0700
> From: Alan Findly afin...@ronan.net
> To: users@tomcat.apache.org
>
>
>
> Dear Tomcat user's group:
>    I'm having a problem getting cgi to work.

<snip/>

>    I've followed all the config instructions for setting it up,
> including editing the conf\web.xml file to make the cgi servlet
> functional, which just involves removing comment signs from around the
> servlet.

You need to remove the comments around the servlet mapping as well.

>    Done.  So, what should happen is that when I call a perl script from
> html it should fire up  go.

That depends on how you are calling a perl script from html.

>    But  still no workey  so digging further I noticed the config
> document which is a README.xml 

I don't recall any file of that name. What is its exact path on your system?

> makes a vague reference to having
> the correct context for cgi, but seemingly no other dataI'm
> missing something??

Have you read the docs?
http://tomcat.apache.org/tomcat-7.0-doc/cgi-howto.html

You need to mark your context as privileged.

>    I've made an assumption that since I'm the only user on my PC that I
> do not have to register me in the Tomcat-users.xml  since the
> role of manager-gui does not seem to apply to cgi.

Correct, assuming the resources are not protected by security constraints.

Mark

