HTTPS / SSL AwareIm

hpl123

PointsWell wrote
hpl123 wrote
If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?

I created a separate thread Tomcat v Reverse Proxy pros and cons rather than clog this one up with pros and cons

A lot of great stuff and thoughts in that post, I am swamped rest of week and weekend but will post my thoughts, pro/con stuff and questions next week. Awesome to get a discussion going on this.

intra

Like most things in security, its all about layers (much like a onion).

Example could be.. a few months back (i believe last year) there was a CVE released for Tomcat AJP which allowed for a exploit which you could access files.

(https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487#:~:text=CVE%2D2020%2D1938%20is%20a,files%20from%20a%20vulnerable%20server.)

Now having a reverse proxy allows for additional controls where you can restrict access only to HTTP/HTTPS, remap and even load balance. Since the proxy is a full blown web server (much like apache) you can also do (fairly easily) geo-blocking and full log tracking without the cost of additional third party packages and best of all with fairly industry standard tool sets.

Another handy thing is that you can fully automate letsencrypt certificate renewals WITHOUT a restart of tomcat connector causing users to drop off!

I can say that i know of at least two people who I've setup for and to date they have been enjoying the fairly maintenance free setup. (Pointswell and Eagles9999)

customaware

For us it has been great.

Pete has done a great job and taken a big headache off of our plate

hpl123

intra wrote
Like most things in security, its all about layers (much like a onion).

Example could be.. a few months back (i believe last year) there was a CVE released for Tomcat AJP which allowed for a exploit which you could access files.

(https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487#:~:text=CVE%2D2020%2D1938%20is%20a,files%20from%20a%20vulnerable%20server.)

Now having a reverse proxy allows for additional controls where you can restrict access only to HTTP/HTTPS, remap and even load balance. Since the proxy is a full blown web server (much like apache) you can also do (fairly easily) geo-blocking and full log tracking without the cost of additional third party packages and best of all with fairly industry standard tool sets.

Another handy thing is that you can fully automate letsencrypt certificate renewals WITHOUT a restart of tomcat connector causing users to drop off!

I can say that i know of at least two people who I've setup for and to date they have been enjoying the fairly maintenance free setup. (Pointswell and Eagles9999)

Which proxy server have you setup? and any tips and recommendations for me or others that want to set it up?

hpl123

PointsWell wrote
hpl123 wrote
If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?

I created a separate thread Tomcat v Reverse Proxy pros and cons rather than clog this one up with pros and cons

Pointswell, maybe you could create another separate thread for the scaling discussion post I tried to get started lol, it seems you have better luck rattling the community 😃.

triss

For those looking for an easy to configure reverse proxy, you may want to check out Caddy Server: https://caddyserver.com

It is similar to NGINX in functionality, but benchmarks slightly faster, is much easier to configure, and most importantly will automatically obtain Lets Encrypt certificates. You can set it up in front of the AIM server, using the standard AIM ports between the AIM server and the proxy and port 443 to the outside world.

I have no relationship to this project, just a fan.

Tom

hpl123

triss wrote
For those looking for an easy to configure reverse proxy, you may want to check out Caddy Server: https://caddyserver.com

It is similar to NGINX in functionality, but benchmarks slightly faster, is much easier to configure, and most importantly will automatically obtain Lets Encrypt certificates. You can set it up in front of the AIM server, using the standard AIM ports between the AIM server and the proxy and port 443 to the outside world.

I have no relationship to this project, just a fan.

Tom

Cool, thanks for sharing. Anyone using this with Aware?

cishpix

triss wrote
For those looking for an easy to configure reverse proxy, you may want to check out Caddy Server: https://caddyserver.com

It is similar to NGINX in functionality, but benchmarks slightly faster, is much easier to configure, and most importantly will automatically obtain Lets Encrypt certificates. You can set it up in front of the AIM server, using the standard AIM ports between the AIM server and the proxy and port 443 to the outside world.

Hi Tris, you're right.
I have test it but do you know how to solve the session timeout after we login into our AwareIM application?
FYI, I have set it (AwareIM server) as reverse proxy in Caddy. And I have try add XFP in Tomcat configuration but still stuck.
Any idea?

cishpix

cishpix wrote
I have test it but do you know how to solve the session timeout after we login into our AwareIM application?

I think I know my issue and I've solved it.
The issue in my Caddy configuration, no need use rewrite. It's my fault 😃

« Previous Page