HTTPS / SSL AwareIm

If you have questions or if you want to share your opinion about Aware IM post your message on this forum
Jaymer
Posts: 2049
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL
Contact:

Re: HTTPS / SSL AwareIm

Post by Jaymer »

well, there's not 2 things here - its the same thing.

1 is the code so its easy to copy/paste into server.xml
the other is an image of the server.xml file that everyone has. usually the lower section (connector for 443) is not active.

this is from a live system.

if you monkey with the keystore, its a lot more difficult (the older way)
Click Here to see a collection of my tips & hacks on this forum? Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
ACDC
Posts: 1028
Joined: Sat Jun 30, 2007 5:03 pm

Re: HTTPS / SSL AwareIm

Post by ACDC »

if you monkey with the keystore, its a lot more difficult (the older way)
I am lost here, so you not using keystore, how do you start the cert process :shock:
I thought you had to use the Keytool
ACDC
Posts: 1028
Joined: Sat Jun 30, 2007 5:03 pm

Re: HTTPS / SSL AwareIm

Post by ACDC »

If you working with a keystore file this setting will also do.

I used this setup in the server.xml file for my own self-signed certificate called tomcat.keystore. This file was placed into a keystore folder: AwareIM/Tomcat/keystore/tomcat.keystore
Attachments
1Basic Server.xml Setup.jpg
1Basic Server.xml Setup.jpg (143.1 KiB) Viewed 3635 times
Last edited by ACDC on Tue Feb 16, 2021 4:18 pm, edited 1 time in total.
ACDC
Posts: 1028
Joined: Sat Jun 30, 2007 5:03 pm

Re: HTTPS / SSL AwareIm

Post by ACDC »

I also had to make an extra change further down the file by adding this :
(I should find out more about how to set the password rather than just making it false, not sure what this is for, maybe someone can help)
Attachments
2Basic Server.xml Setup.jpg
2Basic Server.xml Setup.jpg (32.83 KiB) Viewed 3635 times
hpl123
Posts: 2384
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: HTTPS / SSL AwareIm

Post by hpl123 »

Sounds very simple, the keystore way was a mess and a whole other way of integrating the certificate so just adding some lines of code and be done seems unbelievable but thanks for the tips and I will test it out and also look to see if it actually works.
Henrik (V8 Developer Ed. - Windows)
PointsWell
Posts: 1188
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: HTTPS / SSL AwareIm

Post by PointsWell »

hpl123 wrote: Sun Feb 14, 2021 8:03 pm I use it with IIS today for websites and also for Aware via a reverse proxy but it isn't as good as having it set directly for Tomcat.
Henrick

I've been following this for a bit and I am a bit confused, so forgive me if this is a dud question. If you've already set up a reverse proxy to isolate your Tomcat server behind a web server what are the benefits are you seeking from exposing the Tomcat server directly? Surely you are losing the security of shielding it behind a server that will only process port 443 calls? Or are you trying to put SSL certificate between your reverse proxy and the Tomcat server?
hpl123
Posts: 2384
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: HTTPS / SSL AwareIm

Post by hpl123 »

PointsWell wrote: Tue Feb 16, 2021 11:00 pm
hpl123 wrote: Sun Feb 14, 2021 8:03 pm I use it with IIS today for websites and also for Aware via a reverse proxy but it isn't as good as having it set directly for Tomcat.
Henrick

I've been following this for a bit and I am a bit confused, so forgive me if this is a dud question. If you've already set up a reverse proxy to isolate your Tomcat server behind a web server what are the benefits are you seeking from exposing the Tomcat server directly? Surely you are losing the security of shielding it behind a server that will only process port 443 calls? Or are you trying to put SSL certificate between your reverse proxy and the Tomcat server?
I don´t intend to use both if that was your question? For me the preference of having it implemented directly in Tomcat is mostly a security thing. I have used the "regular" way SSL with Tomcat for most of my Aware time and is what it is designed to do i.e it´s a webserver with a SSL function or whatever you want to call it so implementing it the "regular" way seems best. When using a reverse proxy you introduce another factor into the mix and sure, this is what reverse proxies do bla bla bla but it still seems right to do it the "regular" way and is most likely superstition and not knowing that much about these things. Another thing is, when using a reverse proxy, you also have to meddle with various rewrite rules, inbound/outbound rules and can have various resource access complexities. Why make it more complex than necessary.
Henrik (V8 Developer Ed. - Windows)
PointsWell
Posts: 1188
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: HTTPS / SSL AwareIm

Post by PointsWell »

hpl123 wrote: Tue Feb 16, 2021 11:43 pmI don´t intend to use both if that was your question?
That's what I was wondering
hpl123 wrote: Tue Feb 16, 2021 11:43 pmFor me the preference of having it implemented directly in Tomcat is mostly a security thing.
I am not a security consultant, but, my memories from my consulting days is that the app server is more secure behind the proxy acting as a firewall, as there is only the route defined in the web proxy to the server, i.e. explicit routes that you define for example shutdown port calls can't be activated maliciously

I'm interested to understand why you consider it more secure to access Tomcat directly? That is a genuine question as I don't profess to be a Tomcat expert

The penetration test talk that Rod gave at conference in the before times raised some points that I am probably only half remembering.
hpl123
Posts: 2384
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: HTTPS / SSL AwareIm

Post by hpl123 »

PointsWell wrote: Wed Feb 17, 2021 12:48 am
hpl123 wrote: Tue Feb 16, 2021 11:43 pmI don´t intend to use both if that was your question?
That's what I was wondering
hpl123 wrote: Tue Feb 16, 2021 11:43 pmFor me the preference of having it implemented directly in Tomcat is mostly a security thing.
I am not a security consultant, but, my memories from my consulting days is that the app server is more secure behind the proxy acting as a firewall, as there is only the route defined in the web proxy to the server, i.e. explicit routes that you define for example shutdown port calls can't be activated maliciously

I'm interested to understand why you consider it more secure to access Tomcat directly? That is a genuine question as I don't profess to be a Tomcat expert

The penetration test talk that Rod gave at conference in the before times raised some points that I am probably only half remembering.
As I wrote above, for me it just seems like the most secure and easy/practical way, is to do it directly in Tomcat but I don´t know this to be true. I am sure both ways has it´s advantages and drawbacks. If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?
Henrik (V8 Developer Ed. - Windows)
PointsWell
Posts: 1188
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: HTTPS / SSL AwareIm

Post by PointsWell »

hpl123 wrote: Wed Feb 17, 2021 1:09 am If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?
I created a separate thread here rather than clog this one up with pros and cons
hpl123
Posts: 2384
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: HTTPS / SSL AwareIm

Post by hpl123 »

PointsWell wrote: Wed Feb 17, 2021 3:33 am
hpl123 wrote: Wed Feb 17, 2021 1:09 am If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?
I created a separate thread here rather than clog this one up with pros and cons
A lot of great stuff and thoughts in that post, I am swamped rest of week and weekend but will post my thoughts, pro/con stuff and questions next week. Awesome to get a discussion going on this.
Henrik (V8 Developer Ed. - Windows)
intra
Posts: 275
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: HTTPS / SSL AwareIm

Post by intra »

Like most things in security, its all about layers (much like a onion).

Example could be.. a few months back (i believe last year) there was a CVE released for Tomcat AJP which allowed for a exploit which you could access files.

(https://www.tenable.com/blog/cve-2020-1 ... e%20server.)

Now having a reverse proxy allows for additional controls where you can restrict access only to HTTP/HTTPS, remap and even load balance. Since the proxy is a full blown web server (much like apache) you can also do (fairly easily) geo-blocking and full log tracking without the cost of additional third party packages and best of all with fairly industry standard tool sets.

Another handy thing is that you can fully automate letsencrypt certificate renewals _WITHOUT_ a restart of tomcat connector causing users to drop off!

I can say that i know of at least two people who I've setup for and to date they have been enjoying the fairly maintenance free setup. (Pointswell and Eagles9999)
Avid Linux user....
eagles9999
Posts: 2249
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: HTTPS / SSL AwareIm

Post by eagles9999 »

For us it has been great.

Pete has done a great job and taken a big headache off of our plate
Cheers,
Mark
_________________
AwareIM 6.0, 8.4, 8.6 (build 2941) MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Chrome, Edge
Upcloud
Image
hpl123
Posts: 2384
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: HTTPS / SSL AwareIm

Post by hpl123 »

intra wrote: Fri Feb 19, 2021 2:24 am Like most things in security, its all about layers (much like a onion).

Example could be.. a few months back (i believe last year) there was a CVE released for Tomcat AJP which allowed for a exploit which you could access files.

(https://www.tenable.com/blog/cve-2020-1 ... e%20server.)

Now having a reverse proxy allows for additional controls where you can restrict access only to HTTP/HTTPS, remap and even load balance. Since the proxy is a full blown web server (much like apache) you can also do (fairly easily) geo-blocking and full log tracking without the cost of additional third party packages and best of all with fairly industry standard tool sets.

Another handy thing is that you can fully automate letsencrypt certificate renewals _WITHOUT_ a restart of tomcat connector causing users to drop off!

I can say that i know of at least two people who I've setup for and to date they have been enjoying the fairly maintenance free setup. (Pointswell and Eagles9999)
Which proxy server have you setup? and any tips and recommendations for me or others that want to set it up?
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2384
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: HTTPS / SSL AwareIm

Post by hpl123 »

PointsWell wrote: Wed Feb 17, 2021 3:33 am
hpl123 wrote: Wed Feb 17, 2021 1:09 am If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?
I created a separate thread here rather than clog this one up with pros and cons
Pointswell, maybe you could create another separate thread for the scaling discussion post I tried to get started lol, it seems you have better luck rattling the community :D.
Henrik (V8 Developer Ed. - Windows)
Post Reply