Duh. Thanks. I should have seen that.

But I still do not understand how this is all working.

Basically I want to run a default deny ipfilter firewall on the host.
Only allowing port 8080 and 8443 (or 4443, there seems to be some confusion
with my apps guys on which one is the real SSL proxy port) connections
from internal. I then want to NAT (rdr) to redirect all incoming 80 and
443 connections to that 8080 and 8443 (or 4443) port internal. I suppose
it is my lack of familiarity with ipfilter (this is so much easier to do
using OBSD's PF). I'd really like to see some other folks' ipnat.conf and
ipf.conf files if this is being done already. I'll do some more research
and keep the group apprised of my progress. Thanks.


Roberto
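An ipf.conf/ipnat.conf pair for the setup described above: default deny, Tomcat listening unprivileged on 8080/8443, and rdr mapping 80/443 onto them. This is an added example, not a config posted by anyone in the thread; the interface name bge0, the host address 192.0.2.10 and the choice of 8443 over 4443 are assumptions.

```conf
# ---- /etc/ipf.conf (assumed external interface bge0, host 192.0.2.10) ----
# IPFilter runs the ipnat rdr rules on inbound packets BEFORE the ipf filter
# rules, so the filter must pass the translated ports (8080/8443), not 80/443.
# Default deny, logged, for both directions.
block in log all
block out log all

# Loopback stays open.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound from the host, stateful.
pass out quick on bge0 proto tcp from any to any flags S keep state
pass out quick on bge0 proto udp from any to any keep state
pass out quick on bge0 proto icmp from any to any keep state

# Tomcat's unprivileged listeners. External 80/443 arrive here after rdr,
# so a "from <internal net>" restriction on these two rules would also cut
# off the redirected 80/443 traffic from anywhere else.
pass in quick on bge0 proto tcp from any to 192.0.2.10 port = 8080 flags S keep state
pass in quick on bge0 proto tcp from any to 192.0.2.10 port = 8443 flags S keep state

# ---- /etc/ipnat.conf ----
# Redirect the privileged ports to Tomcat's unprivileged ones so Tomcat can
# run as a non-root user. Change 8443 to 4443 if that is the real SSL port.
rdr bge0 192.0.2.10/32 port 80 -> 192.0.2.10 port 8080 tcp
rdr bge0 192.0.2.10/32 port 443 -> 192.0.2.10 port 8443 tcp
```

Load with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`, then confirm with `ipnat -l` (active rdr rules) and `ipfstat -io` (loaded filter rules) that only 8080/8443 are passed inbound.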



David Smith <[EMAIL PROTECTED]> 
08/15/2005 08:29 AM
Please respond to
"Tomcat Users List" <tomcat-user@jakarta.apache.org>


To
Tomcat Users List <tomcat-user@jakarta.apache.org>
cc

Subject
Re: Security Questions Regarding Tomcat
But it's also commented out and not active.  It's there as an example of
a proxied port if you happen to be using Apache and mod_rewrite as a
front end to tomcat.

--David

Robert V. Coward/CTR/OSAGWI wrote:

>Hmmm. Well take a look at this entry from the server.xml file:
>
>    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>    <!-- See proxy documentation for more information about using this. -->
>    <!--
>    <Connector port="8082"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="false" acceptCount="100" connectionTimeout="20000"
>               proxyPort="80" disableUploadTimeout="true" />
>    -->
>
>I did not add this and from what I can tell this comes with the default 
>config. Any info?
>
>Roberto
>
>David Smith <[EMAIL PROTECTED]> 
>08/12/2005 11:40 AM
>Please respond to
>"Tomcat Users List" <tomcat-user@jakarta.apache.org>
>
>
>To
>Tomcat Users List <tomcat-user@jakarta.apache.org>
>cc
>
>Subject
>Re: Security Questions Regarding Tomcat
>
>This sounds really fishy.  Tomcat does not by default have any
>connectors configured for port 80.  There must be another service or
>you've modified your server.xml somehow.
>
>--David
>
>Robert V. Coward/CTR/OSAGWI wrote:
>
>>Having a similar issue to this with Tomcat 5.
>>Apparently T5 comes with a port 80 proxy server, a special servlet
>>container or something. Basically I have ipfilter running and only allow
>>access to port 8080, but if you send a request to 80 Tomcat picks up and
>>does some sort of internal redirect to port 8080. According to a netstat
>>-a only port 808 is listening, but when I run nmap against it it shows 80
>>and 8080. I'd like to have ipfilter block all connections and
>>redirect packets bound for port 80 to 8080. In other words I want to do
>>what the T5 server seems to be doing already. Anyone have any ideas? My
>>network admin is giving me much grief about allowing port 8080 access to
>>the web.
>>
>>Thanks
>>
>>Paul Singleton <[EMAIL PROTECTED]> 
>>08/12/2005 10:08 AM
>>Please respond to
>>"Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>
>>
>>To
>>Tomcat Users List <tomcat-user@jakarta.apache.org>
>>cc
>>Alon Belman <[EMAIL PROTECTED]>
>>Subject
>>Re: Security Questions Regarding Tomcat
>>
>>Harrell, Ralph wrote:
>>
>>>I would like to be able to start TOMCAT as a non-root
>>>user but am unable to as we are running SSL and use
>>>port 443 and non-root users do not have the permission
>>>to use ports under 1000.
>>>
>>...not in Linux and some (all?) Unix variants, anyway.
>>
>>(FWIW I think this root-only-below-1000 rule is an
>>ill considered security kludge which has probably
>>caused more trouble than it has circumvented)
>>
>>You could redirect port 443 to 8443 (and 80 to 8080)
>>either in an external firewall/router or in iptables
>>within your server, then start Tomcat as e.g. tomcat
>>on its usual ports.
>>
>>Paul Singleton
>>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>


-- 
=======================================
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture & Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY  14853
Phone: 607.255.9571
Fax: 607.255.0939
