Re: manager best practice

2021-11-13 Thread Greg Huber

Chris,

Blimey, even with a long name it gets found; I guess we are always being 
snooped on.

401 Unauthorized
   /reallylongmanager1234567890/html: 3 Time(s)

6 	1(1.03%) 	0(0.00%) 	3.38 KiB(0.23%) 	FR France 	Mozilla/5.0 (Linux; 
U; Android 4.1.2; ja-jp; SC-06D Build/JZO54K) AppleWebKit/534.30 (KHTML, 
like Gecko) Version/4.0 Mobile Safari/534.30
7 	1(1.03%) 	0(0.00%) 	3.38 KiB(0.23%) 	Unknown 	Mozilla/5.0 (Windows NT 
10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/95.0.4638.69 Safari/537.36 	


I guess the default 401 page should be modified locally to just say 401 
Unauthorized and not mention Tomcat.

Cheers Greg

On 01/10/2021 22:09, Christopher Schultz wrote:

Greg,

On 9/28/21 06:52, Greg Huber wrote:

Hello,

Are there any best practice notes for the manager app?

e.g. if I include the app in webapps I get a context on my site; do I 
create a long name for the folder (the URL) to hide it?


e.g. a folder called reallylongmanager1234567890

so I get http://xxx.site/reallylongmanager1234567890

Or is there a better way?


Hiding the name is just security-by-obscurity. But in this case, it's 
a useful one if you want to go through the effort. No script kiddie is 
going to scan the internet for host/reallylongmanager1234567890, 
they'll try host/manager and, getting a 404, will move on to others.


At $work, we enable the RemoteAddrValve and make sure it only allows 
connections from localhost. It turns out this is the default these 
days, so I may adjust my build process to stop doing that explicitly. 
We also require authentication so local miscreants, if they exist, 
can't mess with our applications. Well, at least non-root miscreants. ;)


We also run everything through a reverse proxy (httpd) and only map 
our "real" web applications from the outside world into the back-end 
Tomcat nodes. This is the real protection: you can't get to our 
manager from the outside world at all.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Re: manager best practice

2021-10-01 Thread Christopher Schultz

Greg,

On 9/28/21 06:52, Greg Huber wrote:

Hello,

Are there any best practice notes for the manager app?

e.g. if I include the app in webapps I get a context on my site; do I 
create a long name for the folder (the URL) to hide it?


e.g. a folder called reallylongmanager1234567890

so I get http://xxx.site/reallylongmanager1234567890

Or is there a better way?


Hiding the name is just security-by-obscurity. But in this case, it's a 
useful one if you want to go through the effort. No script kiddie is 
going to scan the internet for host/reallylongmanager1234567890, they'll 
try host/manager and, getting a 404, will move on to others.


At $work, we enable the RemoteAddrValve and make sure it only allows 
connections from localhost. It turns out this is the default these days, 
so I may adjust my build process to stop doing that explicitly. We also 
require authentication so local miscreants, if they exist, can't mess 
with our applications. Well, at least non-root miscreants. ;)


We also run everything through a reverse proxy (httpd) and only map our 
"real" web applications from the outside world into the back-end Tomcat 
nodes. This is the real protection: you can't get to our manager from 
the outside world at all.


-chris

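An added example, not from the thread or the Tomcat project, of the two Tomcat-side pieces discussed above: Chris's RemoteAddrValve restricted to localhost, and Greg's point that the error page should not name Tomcat. The valve class names, attributes and the loopback regex are Tomcat's own; the host name, the admin subnet and the file placement are assumptions, and the httpd reverse-proxy mapping Chris relies on is outside these files.

```xml
<!-- File 1: conf/Catalina/localhost/manager.xml (constructed example).
     A per-context file for the manager webapp; it overrides the context.xml
     shipped inside webapps/manager/META-INF. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Allow only loopback clients: IPv4 127.x.x.x and both spellings of the
       IPv6 loopback address. Any other client receives 403 (the valve's
       default denyStatus) before the manager's authentication challenge is
       reached, so the context path never has to be a secret. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

  <!-- To admit one trusted admin network as well as localhost, extend the
       regex rather than removing the valve. 10\.0\.5\.\d+ is an assumed
       example subnet, not a value from the thread.
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.5\.\d+" />
  -->
</Context>

<!-- File 2: the <Host> element in conf/server.xml (constructed fragment).
     The stock ErrorReportValve renders 401/403/404 pages that include the
     Tomcat version string. showServerInfo="false" drops that string and
     showReport="false" drops the type/message/description block, so a
     failed manager login gets a page with only the status heading and
     nothing that identifies the servlet container. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />

  <!-- Authentication stays in force: the manager's own web.xml requires the
       manager-gui role, so the account in conf/tomcat-users.xml should hold
       only the manager role it actually needs. -->
</Host>
```

Restart Tomcat after editing server.xml; the per-context file is picked up on redeploy of the manager context.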



manager best practice

2021-09-28 Thread Greg Huber

Hello,

Are there any best practice notes for the manager app?

e.g. if I include the app in webapps I get a context on my site; do I 
create a long name for the folder (the URL) to hide it?


e.g. a folder called reallylongmanager1234567890

so I get http://xxx.site/reallylongmanager1234567890

Or is there a better way?

Cheers Greg

