Tomcat v Reverse Proxy pros and cons

hpl123
Posts: 2374
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Hiding or blocking Tomcat?

Post by hpl123 »

PointsWell wrote: Thu Feb 25, 2021 10:06 pm
hpl123 wrote: Thu Feb 25, 2021 1:13 pm
PointsWell wrote: Thu Feb 25, 2021 12:15 am

The directive uses proxy_pass command to rewrite

customerName.yourDomain.com to internalIP:8080/AwareIM/...

CURL to the URL shows NGINX as the responder.
Yeah but Tomcat can still be accessed from the web? You are blocking it in the firewall or how?
You block access to the AIM server in your firewall. Create access only between reverse proxy and AIM server. The internal IP address should not be accessible from the outside world as this defeats the purpose of the reverse proxy.

The firewall would want to allow
80 and 443 access to the reverse proxy from external
8080 access between the reverse proxy and AIM
3306 access between AIM and the Database.

You probably also want
22 to the AIM server so that you can tunnel with SSH for access to the AIM desktop (unless you are operating headless in which case you'd use SSH for terminal access) and to connect remotely to the database. Though you may want to set up a separate server that is spun up only when you want to use SSH access to ensure that you have adequately isolated the AIM server from everything but the proxy
Yes, this is what I thought and I haven't done this. Thanks for detailing ports.
Henrik (V8 Developer Ed. - Windows)
PointsWell
Posts: 1160
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Hiding or blocking Tomcat?

Post by PointsWell »

hpl123 wrote: Thu Feb 25, 2021 10:44 pm
PointsWell wrote: Thu Feb 25, 2021 10:06 pm 3306 access between AIM and the Database.
Yes, this is what I thought and I haven't done this. Thanks for detailing ports.
Obv that is the MySQL/Maria port. I don't know what the MSSQLS port is.

Also if you are using the Config Tool remotely from your AIM server then you have different challenges to deal with as you need a bunch of other ports open and you'd want to be able to access the AIM server and it would basically undo a bunch of the isolation protection you gain from the reverse proxy route.
PointsWell
Posts: 1160
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Not practical if Dev and Prod are same server - Proxy Con

Post by PointsWell »

I just thought of this a minute ago.

If you only use one server for your development and use it for production then you have to expose your AIM/Tomcat server to the internet anyway - unless you can think of some fancy pants way to route the config tools port calls to the AIM server.

If you are doing your dev on a remote server there's probably a whole bunch of other challenges that you face as well - such as maintaining the server connection. I suppose if you were doing that you'd probably be using Remote Desktop.
intra
Posts: 275
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Tomcat v Reverse Proxy pros and cons

Post by intra »

Well here's my train of thought.

If it's a single box for everything and you are running the config tool remotely...

Why not use a reverse proxy to do the normal security thing, then use a VPN to run the rest of the stuff.

<Internet> -> 443 (Bidirectional) -> [Instance]

<Internet for Config Tool> -> [VPN] -> [Instance]
Avid Linux user....
PointsWell
Posts: 1160
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Stop Access to Discontinued Apps - Proxy Pro

Post by PointsWell »

AIM does not have a function to decommission published apps https://awareim.com/forum/viewtopic.php?f=1&t=10198

Using a Reverse Proxy allows you to control access at a granular level to individual Apps

For example:

App.mydomain.com can direct a user to a specific app, or when I decommission this app I can point this subdomain to an HTML page instead.
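Putting the proxy_pass mapping from earlier in the thread and the per-app subdomain idea above into one configuration, as an added example that is not from the thread or from Aware IM: an nginx fragment for the http { } block, where customer1.yourdomain.com, oldapp.yourdomain.com, the internal address 10.0.0.10 and the certificate paths are assumed values.

```nginx
# Added example, not from the thread: an nginx reverse proxy fronting the
# AIM/Tomcat server. Place inside the http { } block. Hostnames, paths and
# the internal IP are assumptions; replace them with your own.

# Certificate shared by all virtual hosts below (assumed paths)
ssl_certificate     /etc/ssl/certs/yourdomain.pem;
ssl_certificate_key /etc/ssl/private/yourdomain.key;
server_tokens off;                  # no nginx version in headers/error pages
proxy_hide_header X-Powered-By;     # strip the app server banner from responses

# The AIM server: reachable on 8080 from this proxy host only (firewall)
upstream aim_backend {
    server 10.0.0.10:8080;          # assumed internal IP of the AIM server
}

# Live app: customer1.yourdomain.com -> Tomcat's /AwareIM/ context
server {
    listen 443 ssl;
    server_name customer1.yourdomain.com;
    location / {
        proxy_pass http://aim_backend/AwareIM/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Decommissioned app: the subdomain now serves a static page and never
# reaches Tomcat, so the app is unreachable even though AIM still publishes it
server {
    listen 443 ssl;
    server_name oldapp.yourdomain.com;
    root /var/www/retired;          # assumed directory holding index.html
    location / {
        try_files /index.html =404;
    }
}

# Requests by bare IP or an unmapped name get the connection closed, so
# an app is reachable only through a name you deliberately route
server {
    listen 443 ssl default_server;
    server_name _;
    return 444;
}
```

Run `nginx -t` after editing and confirm with curl that oldapp.yourdomain.com returns the static page rather than anything from Tomcat.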