Unexpected errors after opening port 80
I am running a Tomcat server on Windows Server 2003 RC2 over HTTPS (443). The server has been running smoothly for many months with 100s of thousands of daily transactions.

Yesterday my networks team modified the firewall rules to permit traffic on port 80. It could be a coincidence, but after this we had 8 errors calling Oracle Procedures on a separate Unix based Oracle DB server and 2 errors connecting to a remote API. These errors were unspecific and we believe they were due to network timeouts / dropped packets. As a last resort we restarted the Tomcat server and have not seen any errors since.

The only reference to port 80 in the Tomcat config is (server.xml)...

<Connector executor="tomcatThreadPool" port="80" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="443" />

I am not a Tomcat expert and don't fully understand Tomcat's Thread Pooling but could this be in any way related to our errors observed before the restart?

Thanks for your help in advance.

Steve

Stephen Faro
Analyst Programmer

This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents: to do so is strictly prohibited and may be unlawful. Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and GSI recipients. NHSmail provides an email address for your career in the NHS and can be accessed anywhere. For more information and to find out how you can switch, visit www.connectingforhealth.nhs.uk/nhsmail
Re: Unexpected errors after opening port 80
On 03/09/2010 15:33, Faro Stephen (NHS Connecting for Health) wrote:
> I am running a Tomcat server on Windows Server 2003 RC2 over HTTPS (443). The server has been running smoothly for many months with 100s of thousands of daily transactions.

Excellent.

> Yesterday my networks team modified the firewall rules to permit traffic on port 80. It could be a coincidence, but after this we had 8 errors calling Oracle Procedures on a separate Unix based Oracle DB server and 2 errors connecting to a remote API. These errors were unspecific and we believe they were due to network timeouts / dropped packets. As a last resort we restarted the Tomcat server and have not seen any errors since.
>
> The only reference to port 80 in the Tomcat config is (server.xml)...

So the server was internal only before?

> <Connector executor="tomcatThreadPool" port="80" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="443" />
>
> I am not a Tomcat expert and don't fully understand Tomcat's Thread Pooling but could this be in any way related to our errors observed before the restart?

The errors you describe are pretty vague; it's hard to know what we're responding to.

If you have an Executor configured, and referenced in the Connector, the latter uses the associated thread pool, which has some advantages.

How does this have any bearing on a firewall port being opened and some database errors?

p

> Thanks for your help in advance.
>
> Steve
>
> Stephen Faro
> Analyst Programmer
RE: Unexpected errors after opening port 80
From: Pid [mailto:p...@pidster.com]
Subject: Re: Unexpected errors after opening port 80

> How does this have any bearing on a firewall port being opened and some database errors?

It's possible that opening port 80 has enabled a much larger set of attacks to get through the firewall now, and make it to the back end. If the webapps under Tomcat should be accessible only via HTTPS, they should have a transport-guarantee setting of CONFIDENTIAL in their WEB-INF/web.xml files; this will stop all regular HTTP requests dead in their tracks. (Or you could just remove the port 80 Connector.) If you want to keep port 80 open for in-house use, you can add a valve to ensure that only known IP addresses come through that door.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
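The two controls suggested in the message above, written out as an added configuration example that is not part of the original thread. The web-resource-name and the allowed address pattern are constructed placeholders, and the file locations assume a standard webapp layout.

```xml
<!-- Fragment 1: WEB-INF/web.xml of each webapp that must be HTTPS-only.
     With this constraint Tomcat never serves the matched URLs over a
     non-secure connector; a request arriving on port 80 is answered with
     a redirect to that connector's redirectPort (443 in the posted
     server.xml) instead of reaching the application. -->
<security-constraint>
  <web-resource-collection>
    <!-- Arbitrary label (placeholder) -->
    <web-resource-name>Entire application</web-resource-name>
    <!-- Cover every URL of the webapp -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Fragment 2: META-INF/context.xml of the webapp (or the matching
     Context element), restricting clients by source address.
     "allow" is a regular expression matched against the client IP;
     10.0.0.x is a constructed in-house range, replace with your own.
     Requests from any other address receive 403 Forbidden.
     Note: a valve configured here filters requests to this webapp on
     every connector (80 and 443 alike), not only on port 80. -->
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="10\.0\.0\.\d+" />
</Context>
```

If the firewall also does NAT or a reverse proxy sits in front of Tomcat, the valve sees the proxy's address rather than the client's, so the pattern must be chosen with that in mind.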
Re: Unexpected errors after opening port 80
On 03/09/2010 16:01, Caldarale, Charles R wrote:
> From: Pid [mailto:p...@pidster.com]
> Subject: Re: Unexpected errors after opening port 80
>
>> How does this have any bearing on a firewall port being opened and some database errors?
>
> It's possible that opening port 80 has enabled a much larger set of attacks to get through the firewall now, and make it to the back end. If the webapps under Tomcat should be accessible only via HTTPS, they should have a transport-guarantee setting of CONFIDENTIAL in their WEB-INF/web.xml files; this will stop all regular HTTP requests dead in their tracks. (Or you could just remove the port 80 Connector.) If you want to keep port 80 open for in-house use, you can add a valve to ensure that only known IP addresses come through that door.

Fair point.

p

> - Chuck