Greetings, Folks,
This plan about Tomcat security is very nice. We look forward to the meetings.
Could we have a session related to "Best practices for using Tomcat +
(Apache Web Server) Forward Proxy (FP) combo in a real production environment",
where an application hosted in the Tomcat (web) container targets a destination
system on the internet through the FP?
The application communicates with the destination system on a TLS channel. The
FP is placed in a perimeter zone. The role of the FP is to route the intranet
traffic to the destination system on the internet.
If it is desired to have TLS terminated on the FP, and an SSL (or TLS)
intercept is being sought, what is the best way to accomplish this
interception (so that the application's communication reaches the destination
system smoothly)?
The TLS intercept portion intends to decrypt the TLS transactions, check for
security compliance, and then re-encrypt to push the traffic to the destination
system.
Is there any generalized document that makes an assessment (and recommendations)
of a Tomcat plus Forward Proxy combo in a real-world setup?

Thanks,
   -Raghu 

-----Original Message-----
From: Maarten van Hulsentop <maar...@vanhulsentop.nl> 
Sent: Wednesday, September 30, 2020 3:10 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Virtual event focussed on Tomcat Security

Hi Mark,

This sounds like a great idea to me. Security is a very important topic, and 
the maturity of the Tomcat makes it a very secure choice for users. I am sure a 
lot of people will be interested to join in.

What is not completely clear to me on this event; would this event be focussed 
on improving the security of Tomcat from within (as a Hackathon suggests)? Like 
trying to find security flaws/improvements and get them fixed.
Or is this meant to be an educational event where information is shared about
secure setups/hardening of the Tomcat in production systems? Or a little of 
both?

For the educational/hardening aspect, it could be nice to team up with/involve 
OWASP?

I am surely interested to pitch in on this topic!

Kind regards,

Maarten van Hulsentop

On Tue, 29 Sep 2020 at 13:26, Mark Thomas <ma...@apache.org> wrote:

> Hi all,
>
> We (the Tomcat community) have some funding from Google to help us 
> improve Tomcat security. Our original plan was to use the funding to 
> support an in-person security focussed hackathon. As you would expect, 
> those plans are on hold for now. We would, therefore, like to explore 
> the possibility of doing something virtually.
>
> The purpose of this email is to gather input from the community about 
> what such an event should look like. With that input we can put 
> together a plan for the event. So, over to you. What would your ideal 
> virtual event focussed on Tomcat Security look like?
>
> Thanks,
>
> Mark
>