I've been deploying by letting Tomcat do it all when it came to connectors and SSL, with the app forcing everything to SSL in the <security-constraint> section. Now I'm setting up a haproxy front-end that will both terminate the SSL and take care of the redirect from HTTP to HTTPS for me, with Tomcat only running a standard HTTP port on 8080. So my question is: is it still important for the app to know that it is operating "secure", and if so, what settings are a must? Here is the old setup:

SERVER.XML:

<Service name="Catalina">
  <Connector address="${IP_ADDRESS}" port="80" maxHttpHeaderSize="8192"
             maxThreads="50" enableLookups="false" redirectPort="443"
             acceptCount="100" connectionTimeout="20000"
             disableUploadTimeout="true" compression="on"
             compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext" />
  <Connector address="${IP_ADDRESS}" port="443" maxHttpHeaderSize="8192"
             maxThreads="150" enableLookups="false"
             acceptCount="100" connectionTimeout="20000"
             disableUploadTimeout="true" compression="on"
             compressableMimeType="text/html,text/xml,text/plain,text/css,text/csv,text/javascript,text/rtf,text/richtext"
             scheme="https" secure="true" SSLEnabled="true"
             SSLHonorCipherOrder="true" SSLCipherSuite="list-of-ciphers"
             SSLCertificateFile="path-to-server.crt"
             SSLCertificateKeyFile="path-to-server.key"
             SSLCertificateChainFile="path-to-server_chain.crt"
             SSLPassword="password" />
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true"
          autoDeploy="false" deployXML="false">
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs" prefix="localhost_access_log." suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
  </Engine>
</Service>

CONTEXT.XML: No tomcat-level parameters specified

WEB.XML: (only the important bits, assume servlets and filters won't change)

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Here is the new setup:

SERVER.XML:

<Service name="Catalina">
  <Connector port="${tomcatPort}" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="8443" />
  <Engine name="Catalina" defaultHost="localhost" jvmRoute="serverX">
    <Host name="localhost" appBase="webapps" unpackWARs="true"
          autoDeploy="false" deployXML="false">
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             directory="logs" prefix="localhost_access_log." suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
  </Engine>
</Service>

CONTEXT.XML: no changes

WEB.XML: drop the <security-constraint> section?

Am I missing something from a security standpoint here? And yes, I'm aware I need to adjust some parameters in the <Connector> that are left out in the second example. I'm just interested in things like secure-cookie, etc.

Jeffrey Janner
Sr. Network Administrator
jeffrey.jan...@polydyne.com<mailto:first.l...@polydyne.com>
PolyDyne Software Inc.
Main: 512.343.9100
Direct: 512.583.8930
Speed, Intelligence & Savings in Sourcing