Tomcat v Reverse Proxy pros and cons

Contains tips for configurators working with Aware IM
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Tomcat v Reverse Proxy pros and cons

Post by PointsWell »

This thread raises the question as to what are the pros and cons of fronting Aware directly onto the internet or hiding it behind a reverse proxy.

The source was a query on SSL and Tomcat by Henrik.

I've put this in the tips and trick rather than general as it's not really a functionality question and it might be easier for others to find someway down the road. I've come to like the model of a reverse proxy so most of my comments will be pro - while my posts may read like a statement of fact they are opinions and open to challenge and discussion.

Structure

Post a reply for each pro or con and rename the subject to describe the benefit or overhead - this will make it easier to follow conversation threads.

The following are links to the specific posts for Pros and Cons. I'll update until such time as I forget...

Proxy Server Pros
  1. Security through obscurity
  2. Graceful Failover
  3. SSL, Let's Encrypt & CertBot
  4. Load Balancing
  5. Physically distancing the DB from Internet
  6. Decouple from AwareIM releases which leads to
  7. Preventing update mistakes
  8. Hide Tomcat Management Panel
  9. Shutdown port access prevented
  10. Subdomains instead of custom Logon Pages
  11. Decommission Apps
Proxy Server Cons
  1. Additional Server Required
  2. Harder to run dev and prod on same AIM server
(The lack of threading on phpBB makes this messy to keep track of, hence the TOC list)
Last edited by PointsWell on Tue Sep 07, 2021 10:48 pm, edited 9 times in total.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Security through Obscurity - Proxy Pro

Post by PointsWell »

If you front your Tomcat server directly onto the web then the 8080 port in the URL is a bit of a giveaway as to what server is running.

Using a proxy server limits the URL data to whatever your domain is.

I believe that there are opportunities to do URL rewrites as well, which limits the information being posted into the URL which can become complex.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Graceful failover - Proxy Pro

Post by PointsWell »

If you are using a web proxy in front of the Tomcat server you are able to use error pages to gracefully communicate to a user that the server is down.

If you just have the Tomcat server exposed to the end user and you take the server down you will get a generic timeout message.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

SSL and Certificate Renewal - Proxy Pro

Post by PointsWell »

Let's Encrypt and certbot are easily set up and allow for automatic certificate renewal without having to take the server down for updates.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Load Balancing - Proxy Pro

Post by PointsWell »

You can use a web proxy to manage load where you have more than one Aware server running.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Physically Distance DB - Proxy Pro

Post by PointsWell »

With a reverse proxy in place you can control where the traffic from the internet goes.

User --> reverse proxy --> Aware Server --> Database.

If you have a proxy in place you can ensure that traffic can only be served to the Aware Server. The connection to the Database can be abstracted further away from the internet. This provides an added layer of safety for your data (assuming you are not hosting your database on the same server as Aware - that is a bad idea).
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Decouple Access from Aware Releases - Proxy Pro

Post by PointsWell »

As Aware ships with Tomcat, most people are probably not updating the Tomcat software separately. This means that when vulnerabilities are found in Tomcat (see here: https://www.cvedetails.com/product/887/ ... ndor_id=45) you can either update Tomcat or wait until it is updated within the Aware bundle.

If you abstract Tomcat away from the user it means that vulnerabilities are harder to exploit, partly because the reverse proxy is acting as the user and can be expected to act in a manner that is security compliant, but also through the security by obscurity concept.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Prevent Update Mistakes - Proxy Pro

Post by PointsWell »

If you have configured Tomcat in any way it becomes a management overhead when you update Aware to ensure that you remember to reapply your changes, e.g. enabling SSL.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Hides Management Panel - Proxy Pro

Post by PointsWell »

This is less of an issue with more recent releases of Tomcat, but you cannot load the Tomcat Management screens from behind a proxy (unless you have set a route from the proxy to the management panels).

Nowadays it is more difficult to accidentally enable management user access due to changes in the way that users.xml defaults are set.
Last edited by PointsWell on Wed Feb 17, 2021 4:17 am, edited 1 time in total.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Remove access to Shutdown Port - Proxy Pro

Post by PointsWell »

Tomcat has a shutdown port. If you don't switch it off a call to http://yourservername.com:8005 will shut down your server.

For this to happen with a reverse proxy you would have to create a route to port 8005. If you didn't create the route explicitly the malicious user would just get an error message.

One less thing to have to check every time you update Aware.

Edit: this is achievable with a decent firewall rule as well so not proxy specific.
Last edited by PointsWell on Wed Feb 17, 2021 11:26 pm, edited 2 times in total.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Extra Server Required - Proxy Con

Post by PointsWell »

To run a reverse proxy you have to set up another server, so one more to manage.

The server doesn't have to be particularly hefty though as it is just managing connections and traffic.
PointsWell
Posts: 1169
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Use Sub Domains instead of Login.html - Proxy Pro

Post by PointsWell »

Currently I am working with client subdomains to connect to their personalised login pages, which makes for a cleaner URL:

client.yourwebservice.com

instead of

yourwebservice.com:8080/AwareIM/LoginClientName.html

The proxy route converts client.yourwebservice.com to the full URL internally, though you could use a directory instead of a subdomain.

Personally I feel like the subdomain is more personalised, but it is a "feels" and an opinion.
hpl123
Posts: 2382
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Tomcat v Reverse Proxy pros and cons

Post by hpl123 »

A lot of benefits to using a reverse proxy :). Any Tomcat experts out there, why is Tomcat SSL better? Pros and cons?
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2382
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Reverse proxy issues with resources?

Post by hpl123 »

If you configure a reverse proxy, the URL may need rewriting in some cases as the public URL is different from the private URL. Has anyone experienced problems with this when using a reverse proxy with Aware?
Henrik (V8 Developer Ed. - Windows)
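The following nginx configuration is an added example written for this thread; it is not from the original posts, from Aware IM, or from any of the posters. It puts PointsWell's pro points into one config (version hiding, a static failover page, certbot-managed certificates with renewal over port 80, an upstream pool for load balancing, no route to the Tomcat manager or shutdown port, and subdomains mapped to per-client login pages) and it also shows the directives that address Henrik's public-versus-private URL question. It goes slightly beyond the thread by mapping several client subdomains with one `map` instead of one server block per client. Every hostname, backend address, certificate path and page name is an assumed placeholder, and it assumes Tomcat's ports 8080 and 8005 are reachable from the proxy host only (by firewall rule or bind address on the Tomcat hosts), as the shutdown port post above recommends.

```nginx
# Added example, not from the thread or the Aware IM vendor.
# All hostnames, addresses, page names and file paths are placeholders.

# Load balancing: the proxy is the only client of the Aware/Tomcat servers,
# which in turn are the only clients of the database (user -> proxy ->
# Aware -> DB). Ports 8080 and 8005 on these hosts are assumed to accept
# connections from the proxy host only.
upstream awareim {
    server 10.0.1.10:8080 max_fails=3 fail_timeout=30s;
    server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;
}

# Subdomain -> personalised login page. One map entry per client instead of
# one server block per client (assumed page names).
map $host $aim_login_page {
    default                    /AwareIM/Login.html;
    client.yourwebservice.com  /AwareIM/LoginClientName.html;
    other.yourwebservice.com   /AwareIM/LoginOther.html;
}

# Plain HTTP only answers the ACME challenge (so certbot can renew without
# taking anything down) and sends everything else to HTTPS.
server {
    listen 80;
    server_name yourwebservice.com *.yourwebservice.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name yourwebservice.com client.yourwebservice.com other.yourwebservice.com;

    # Paths where certbot stores a certificate issued for the names above
    ssl_certificate     /etc/letsencrypt/live/yourwebservice.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourwebservice.com/privkey.pem;

    # Security through obscurity: no nginx version in headers or error pages;
    # the user never sees port 8080 or the Tomcat path structure either
    server_tokens off;

    # Graceful failover: a static page instead of a browser timeout when
    # no backend answers
    error_page 502 503 504 /maintenance.html;
    location = /maintenance.html {
        root /var/www/errors;
        internal;
    }

    # Management panels: no route is ever created for them, and the answer
    # is an explicit 404 from the proxy rather than whatever Tomcat would say
    location ~ ^/(manager|host-manager)(/|$) {
        return 404;
    }

    # Clean URL: "/" is rewritten to the client's login page internally, so
    # the address bar keeps client.yourwebservice.com
    rewrite ^/$ $aim_login_page last;

    location / {
        proxy_pass http://awareim;
        proxy_http_version 1.1;

        # Public vs private URL: tell Tomcat which host and scheme the user
        # actually used so redirects and absolute links carry the public URL
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Safety net: if a backend still answers with a Location header that
        # names its private address, rewrite it to the public one
        proxy_redirect http://10.0.1.10:8080/ https://$host/;
        proxy_redirect http://10.0.1.11:8080/ https://$host/;

        # Move to the next backend on connection errors instead of hanging
        proxy_next_upstream error timeout http_502 http_503;
        proxy_connect_timeout 5s;
    }
}
```

Check the file with `nginx -t` before reloading, and issue the certificate for every subdomain you list (`certbot` accepts several `-d` names). For the forwarded headers to have any effect on Tomcat's side, Tomcat has to be told to trust them: its `org.apache.catalina.valves.RemoteIpValve` (configured in server.xml with `remoteIpHeader="X-Forwarded-For"` and `protocolHeader="X-Forwarded-Proto"`) makes the application see the real client address and HTTPS scheme rather than the proxy's, which is what keeps generated links on the public URL and keeps access logs useful. `server_tokens off` only removes the version string; it does not stop a scanner from fingerprinting the stack, so it is a tidy-up rather than a control, which is in line with the "obscurity" framing above.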
hpl123
Posts: 2382
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Extra Server Required - Proxy Con

Post by hpl123 »

PointsWell wrote: Wed Feb 17, 2021 3:36 am
To run a reverse proxy you have to set up another server, so one more to manage.

The server doesn't have to be particularly hefty though as it is just managing connections and traffic.

One thing I am wondering about is how much a reverse proxy actually tolls a system. I am using IIS as a reverse proxy and I know others are using NGINX and it is ONLY used for that so I would think it doesn't take much but I don't know.
Henrik (V8 Developer Ed. - Windows)