Tomcat v Reverse Proxy pros and cons

hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Hiding or blocking Tomcat?

Post by hpl123 »

PointsWell wrote: Thu Feb 25, 2021 10:06 pm
hpl123 wrote: Thu Feb 25, 2021 1:13 pm
PointsWell wrote: Thu Feb 25, 2021 12:15 am

The directive uses proxy_pass command to rewrite

customerName.yourDomain.com to internalIP:8080/AwareIM/...

CURL to the URL shows NGINX as the responder.
Yeah but Tomcat can still be accessed from the web? You are blocking it in the firewall or how?
You block access to the AIM server in your firewall. Create access only between reverse proxy and AIM server. The internal IP address should not be accessible from the outside world as this defeats the purpose of the reverse proxy.

The firewall would want to allow
80 and 443 access to the reverse proxy from external
8080 access between the reverse proxy and AIM
3306 access between AIM and the Database.

You probably also want
22 to the AIM server so that you can tunnel with SSH for access to the AIM desktop (unless you are operating headless in which case you'd use SSH for terminal access) and to connect remotely to the database. Though you may want to set up a separate server that is spun up only when you want to use SSH access to ensure that you have adequately isolated the AIM server from everything but the proxy
Yes, this is what I thought and I haven't done this. Thanks for detailing ports.
Henrik (V8 Developer Ed. - Windows)
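The port list quoted above, written out as a host firewall on the AIM/Tomcat box. This is an added nftables example, not configuration from the thread or from Aware IM; the addresses, the Linux host and the separate SSH jump host are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed addresses for the example (assumptions, not from the thread)
define PROXY   = 10.0.0.10   # reverse proxy (nginx or IIS), the only box on 80/443
define DB      = 10.0.0.30   # MySQL/MariaDB server
define BASTION = 10.0.0.5    # separate SSH jump host, spun up only when needed
define DNS     = 10.0.0.2    # resolver the AIM host is allowed to reach

flush ruleset

table inet aim_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Tomcat on 8080 is reachable only from the reverse proxy.
        # Anything else hitting 8080 (including the internet) falls to the drop policy.
        ip saddr $PROXY tcp dport 8080 accept
        # SSH only from the jump host, never from the open internet.
        ip saddr $BASTION tcp dport 22 accept
        # ICMP echo from the proxy is handy for health checks; optional.
        ip saddr $PROXY icmp type echo-request accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # AIM -> database on 3306 (MySQL/MariaDB port quoted in the thread)
        ip daddr $DB tcp dport 3306 accept
        # Name resolution; add update/NTP destinations here if the host needs them.
        ip daddr $DNS udp dport 53 accept
        ip daddr $DNS tcp dport 53 accept
    }
}

# Check after loading (commands, not part of the ruleset):
#   nft -c -f aim_fw.nft          # syntax check without applying
#   nft -f aim_fw.nft && nft list ruleset
# From a host that is NOT the proxy, `curl -m 5 http://<AIM address>:8080/`
# should time out rather than answer with Tomcat.
```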
PointsWell
Posts: 1457
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Hiding or blocking Tomcat?

Post by PointsWell »

hpl123 wrote: Thu Feb 25, 2021 10:44 pm
PointsWell wrote: Thu Feb 25, 2021 10:06 pm 3306 access between AIM and the Database.
Yes, this is what I thought and I haven't done this. Thanks for detailing ports.
Obv that is the MySQL/Maria port; I don't know what the MSSQLS port is.

Also if you are using the Config Tool remotely from your AIM server then you have different challenges to deal with as you need a bunch of other ports open and you'd want to be able to access the AIM server and it would basically undo a bunch of the isolation protection you gain from the reverse proxy route.
PointsWell
Posts: 1457
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Not practical if Dev and Prod are same server - Proxy Con

Post by PointsWell »

I just thought of this a minute ago.

If you only use one server for your development and use it for production then you have to expose your AIM/Tomcat server to the internet anyway - unless you can think of some fancy pants way to route the config tools port calls to the AIM server.

If you are doing your dev on a remote server there's probably a whole bunch of other challenges that you face as well - such as maintaining the server connection. I suppose if you were doing that you'd probably be using Remote Desktop.
intra
Posts: 279
Joined: Thu Oct 11, 2012 1:30 pm
Location: Australia

Re: Tomcat v Reverse Proxy pros and cons

Post by intra »

Well here's my train of thought.

If it's a single box for everything and you are running the config tool remotely...

Why not use a reverse proxy to do the normal security thing, then use a VPN to run the rest of the stuff.

<Internet> -> 443 (Bidirectional) -> [Instance]

<Internet for Config Tool> -> [VPN] -> [Instance]
Avid Linux user....
PointsWell
Posts: 1457
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Stop Access to Discontinued Apps - Proxy Pro

Post by PointsWell »

AIM does not have a function to decommission published apps https://awareim.com/forum/viewtopic.php?f=1&t=10198

Using a Reverse Proxy allows you to control access at a granular level to individual Apps

For example:

App.mydomain.com can direct a user to a specific app or when I decommission this app I can point this sub domain to an HTML page instead.
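The per-subdomain routing described in this post and the `proxy_pass` rewrite quoted earlier in the thread, as one added nginx example (not configuration from the thread or from Aware IM). Hostnames, the backend address 10.0.0.20:8080, certificate paths and the static page directory are assumptions.

```nginx
# Unknown hostnames get no response at all: nothing reaches Tomcat unless a
# server block below explicitly routes it.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/yourdomain.pem;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/yourdomain.key;
    return 444;
}

# Live app: customerName.yourDomain.com -> internalIP:8080/AwareIM/
server {
    listen 443 ssl;
    server_name customer1.yourdomain.com;
    ssl_certificate     /etc/nginx/certs/yourdomain.pem;
    ssl_certificate_key /etc/nginx/certs/yourdomain.key;

    location / {
        proxy_pass http://10.0.0.20:8080/AwareIM/;   # Tomcat reachable only from this host
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_hide_header Server;   # drop Tomcat's Server header; curl now sees nginx
        proxy_read_timeout 120s;
    }
    # If the app emits absolute /AwareIM/... links, add a matching
    # "location /AwareIM/ { proxy_pass http://10.0.0.20:8080/AwareIM/; }".
}

# Decommissioned app: same subdomain, but it now serves a static page and
# no request is forwarded to Tomcat at all.
server {
    listen 443 ssl;
    server_name legacy.yourdomain.com;
    ssl_certificate     /etc/nginx/certs/yourdomain.pem;
    ssl_certificate_key /etc/nginx/certs/yourdomain.key;
    root /var/www/decommissioned;            # contains index.html ("this app has been retired")
    location / { try_files /index.html =410; }
}

# Plain HTTP only redirects; 8080 never appears in any user-visible URL.
server {
    listen 80;
    server_name *.yourdomain.com;
    return 301 https://$host$request_uri;
}
```

`nginx -t` checks the syntax before reloading; a `curl -I https://legacy.yourdomain.com/` from outside should return the static page with no Tomcat headers.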
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Tomcat v Reverse Proxy pros and cons

Post by Jaymer »

Henrik
I don't know if this was covered elsewhere (like in another nginx thread), but there is ABSOLUTELY no reason to continue using 8080 in Aware.
In this [thread] context, you simply use Tomcat on 80/443 and forget about remapping all these ports.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Tomcat v Reverse Proxy pros and cons

Post by hpl123 »

Jaymer wrote: Thu Jan 19, 2023 7:27 pm Henrik
I don't know if this was covered elsewhere (like in another nginx thread), but there is ABSOLUTELY no reason to continue using 8080 in Aware.
In this [thread] context, you simply use Tomcat on 80/443 and forget about remapping all these ports.
I can't remember the specifics of this discussion but I use IIS as a reverse proxy using HTTPS, i.e. 443 "in" to the server, and then IIS maps that to localhost:8080. Do you mean this isn't the best config and if so, what is better (and why)?
Henrik (V8 Developer Ed. - Windows)
Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Tomcat v Reverse Proxy pros and cons

Post by Jaymer »

My only point is that I NEVER use 8080 - it looks stupid to the user, and it's unnecessary. Tomcat runs fine on 80 so I always change it.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Tomcat v Reverse Proxy pros and cons

Post by hpl123 »

Jaymer wrote: Fri Jan 20, 2023 4:40 am My only point is that I NEVER use 8080 - it looks stupid to the user, and it's unnecessary. Tomcat runs fine on 80 so I always change it.
Aha, yeah I agree, and when using the reverse proxy the end user doesn't see ports etc. They do however see the ugly other URL fragments that Aware creates like NEW_TAB and a lot of other useless and confusing things. I am fairly sure I or someone else has logged a FR to fix this but it was a long time ago. Still badly needed today IMO.
Henrik (V8 Developer Ed. - Windows)