Re: TC7 and SSL Questions
On Thu, Jul 24, 2014 at 6:24 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote: John, On 24.7.2014 21:11, John Smith wrote: 1. Can I specify /admin/* as a security constraint url pattern so that only that directory runs under SSL? Yes, you can. 2. The NIO connector is accepted for JSSE, since I'm using it already, is there any point in not using it as my SSL connector? If /admin has low traffic, then I would say, there is no need to use anything else. For high traffic TLS/SSL applications you may want to do some performance measurements of different Tomcat connectors, simulating your traffic patterns. 3. Any known issues with routing 443 to 8443 in Iptables? I recommend using JSVC instead of iptables redirect. I had issues with redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support redirect, either. 4. The admin tools share underlying classes with the rest of the web application, which is why it makes sense to have it just as a subdirectory in the same webapp. But would I be better off migrating the admin tools to their own webapp for the purposes of SSL? Yes, I think so. From the security standpoint, that is way better. It will be much easier to apply IP address filtering, move it to another port / server, to isolate admin and user privileges, and so on. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Thanks for the info. Best, John
TC7 and SSL Questions
TC 7.0.54 / JDK 1.7.0_60 / RHEL 6 My webapp is the only one on my TC install. It's in webapps/ROOT. Iptables routes 80 to 8080 and I'm using the NIO connector. There are two physical servers with that same webapp, using session replication. Everything works great. There's a subdirectory /admin in the webapp that has some admin tools that we've been using behind our firewall and under BASIC authentication. I want to put just the /admin directory under SSL and have a user/hashed-pass in the database do the login and authentication instead of having them in tomcat-users.xml. Questions: 1. Can I specify /admin/* as a security constraint url pattern so that only that directory runs under SSL? 2. The NIO connector is accepted for JSSE, since I'm using it already, is there any point in not using it as my SSL connector? 3. Any known issues with routing 443 to 8443 in Iptables? 4. The admin tools share underlying classes with the rest of the web application, which is why it makes sense to have it just as a subdirectory in the same webapp. But would I be better off migrating the admin tools to their own webapp for the purposes of SSL? Apologies if I've missed any of this in the docs. Any additional info/advice appreciated. Thanks in Advance, John
Re: TC7 and SSL Questions
John, On 24.7.2014 21:11, John Smith wrote: 1. Can I specify /admin/* as a security constraint url pattern so that only that directory runs under SSL? Yes, you can. 2. The NIO connector is accepted for JSSE, since I'm using it already, is there any point in not using it as my SSL connector? If /admin has low traffic, then I would say, there is no need to use anything else. For high traffic TLS/SSL applications you may want to do some performance measurements of different Tomcat connectors, simulating your traffic patterns. 3. Any known issues with routing 443 to 8443 in Iptables? I recommend using JSVC instead of iptables redirect. I had issues with redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support redirect, either. 4. The admin tools share underlying classes with the rest of the web application, which is why it makes sense to have it just as a subdirectory in the same webapp. But would I be better off migrating the admin tools to their own webapp for the purposes of SSL? Yes, I think so. From the security standpoint, that is way better. It will be much easier to apply IP address filtering, move it to another port / server, to isolate admin and user privileges, and so on. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org