Well, there's not 2 things here - it's the same thing.
1 is the code, so it's easy to copy/paste into server.xml.
The other is an image of the server.xml file that everyone has. Usually the lower section (connector for 443) is not active.
This is from a live system.
If you monkey with the keystore, it's a lot more difficult (the older way).
HTTPS / SSL AwareIm
Re: HTTPS / SSL AwareIm
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: HTTPS / SSL AwareIm
I am lost here, so you're not using a keystore? How do you start the cert process?
Jaymer wrote: if you monkey with the keystore, it's a lot more difficult (the older way)
I thought you had to use the Keytool.
Re: HTTPS / SSL AwareIm
If you're working with a keystore file, this setting will also do.
I used this setup in the server.xml file for my own self-signed certificate called tomcat.keystore. This file was placed into a keystore folder: AwareIM/Tomcat/keystore/tomcat.keystore
Attachment: 1Basic Server.xml Setup.jpg
Last edited by ACDC on Tue Feb 16, 2021 4:18 pm, edited 1 time in total.
Re: HTTPS / SSL AwareIm
I also had to make an extra change further down the file by adding this:
(I should find out more about how to set the password rather than just making it false, not sure what this is for, maybe someone can help)
Attachment: 2Basic Server.xml Setup.jpg
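The direct-in-Tomcat 443 connector the posts above talk about, written out as an added example; it is not ACDC's or Jaymer's server.xml (their real settings are only in the attached images). It assumes Tomcat 8.5/9 SSLHostConfig syntax, that AwareIM/Tomcat is Tomcat's catalina.base, and placeholder values for the keystore password and PEM file names.

```xml
<!-- Added example, not the forum's own server.xml.
     Assumes Tomcat 8.5/9 syntax and that ${catalina.base} is AwareIM/Tomcat. -->

<!-- Plain HTTP connector: its only job is to redirect to the TLS connector below. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="443" />

<!-- TLS connector on 443: this is the "lower section" that is usually inactive. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- Offer only current protocol versions (TLS 1.3 needs Java 11 or newer). -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">

        <!-- Variant A (ACDC's keystore approach): a Java keystore holding the
             private key and certificate chain. The password must match the one
             given to keytool when the keystore was created. -->
        <Certificate certificateKeystoreFile="${catalina.base}/keystore/tomcat.keystore"
                     certificateKeystorePassword="CHANGE_ME_keystore_password"
                     certificateKeystoreType="JKS"
                     type="RSA" />

        <!-- Variant B (no keystore, no keytool; assumed to be the kind of setup
             Jaymer's copy/paste version uses, which is not shown on the page):
             PEM files straight from the CA, e.g. the cert.pem / chain.pem /
             privkey.pem a Let's Encrypt client writes. Paths are placeholders.
             Use A or B, not both.
        <Certificate certificateFile="${catalina.base}/conf/certs/cert.pem"
                     certificateChainFile="${catalina.base}/conf/certs/chain.pem"
                     certificateKeyFile="${catalina.base}/conf/certs/privkey.pem"
                     type="RSA" />
        -->
    </SSLHostConfig>
</Connector>
```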
Re: HTTPS / SSL AwareIm
Sounds very simple. The keystore way was a mess and a whole other way of integrating the certificate, so just adding some lines of code and being done seems unbelievable, but thanks for the tips; I will test it out and also look to see if it actually works.
Henrik (V8 Developer Ed. - Windows)
Re: HTTPS / SSL AwareIm
Henrick
I've been following this for a bit and I am a bit confused, so forgive me if this is a dud question. If you've already set up a reverse proxy to isolate your Tomcat server behind a web server, what benefits are you seeking from exposing the Tomcat server directly? Surely you are losing the security of shielding it behind a server that will only process port 443 calls? Or are you trying to put an SSL certificate between your reverse proxy and the Tomcat server?
Re: HTTPS / SSL AwareIm
I don't intend to use both, if that was your question. For me the preference for having it implemented directly in Tomcat is mostly a security thing. I have used the "regular" way of doing SSL with Tomcat for most of my Aware time, and it is what it is designed to do, i.e. it's a webserver with an SSL function or whatever you want to call it, so implementing it the "regular" way seems best. When using a reverse proxy you introduce another factor into the mix and sure, this is what reverse proxies do bla bla bla, but it still seems right to do it the "regular" way; this is most likely superstition and not knowing that much about these things. Another thing is, when using a reverse proxy, you also have to meddle with various rewrite rules, inbound/outbound rules, and can have various resource access complexities. Why make it more complex than necessary?
PointsWell wrote: ↑Tue Feb 16, 2021 11:00 pm
Henrick
I've been following this for a bit and I am a bit confused, so forgive me if this is a dud question. If you've already set up a reverse proxy to isolate your Tomcat server behind a web server, what benefits are you seeking from exposing the Tomcat server directly? Surely you are losing the security of shielding it behind a server that will only process port 443 calls? Or are you trying to put an SSL certificate between your reverse proxy and the Tomcat server?
Henrik (V8 Developer Ed. - Windows)
Re: HTTPS / SSL AwareIm
That's what I was wondering
I am not a security consultant, but my memory from my consulting days is that the app server is more secure behind the proxy acting as a firewall, as there is only the route defined in the web proxy to the server, i.e. explicit routes that you define; for example, shutdown port calls can't be activated maliciously.
I'm interested to understand why you consider it more secure to access Tomcat directly? That is a genuine question as I don't profess to be a Tomcat expert
The penetration test talk that Rod gave at conference in the before times raised some points that I am probably only half remembering.
Re: HTTPS / SSL AwareIm
As I wrote above, for me it just seems like the most secure and easy/practical way is to do it directly in Tomcat, but I don't know this to be true. I am sure both ways have their advantages and drawbacks. If we have any security consultants or Tomcat / proxy server experts, what are the pros and cons, which is more secure, better etc. (and why)?
PointsWell wrote: ↑Wed Feb 17, 2021 12:48 am
That's what I was wondering
I am not a security consultant, but my memory from my consulting days is that the app server is more secure behind the proxy acting as a firewall, as there is only the route defined in the web proxy to the server, i.e. explicit routes that you define; for example, shutdown port calls can't be activated maliciously.
I'm interested to understand why you consider it more secure to access Tomcat directly? That is a genuine question as I don't profess to be a Tomcat expert.
The penetration test talk that Rod gave at conference in the before times raised some points that I am probably only half remembering.
Henrik (V8 Developer Ed. - Windows)
Re: HTTPS / SSL AwareIm
A lot of great stuff and thoughts in that post. I am swamped the rest of the week and weekend but will post my thoughts, pro/con stuff and questions next week. Awesome to get a discussion going on this.
PointsWell wrote: ↑Wed Feb 17, 2021 3:33 am
I created a separate thread here rather than clog this one up with pros and cons
Henrik (V8 Developer Ed. - Windows)
Re: HTTPS / SSL AwareIm
Like most things in security, it's all about layers (much like an onion).
Example could be... a few months back (I believe last year) there was a CVE released for Tomcat AJP which allowed for an exploit through which you could access files.
(https://www.tenable.com/blog/cve-2020-1 ... e%20server.)
Now having a reverse proxy allows for additional controls where you can restrict access only to HTTP/HTTPS, remap and even load balance. Since the proxy is a full-blown web server (much like Apache) you can also do (fairly easily) geo-blocking and full log tracking without the cost of additional third-party packages and, best of all, with fairly industry-standard tool sets.
Another handy thing is that you can fully automate Let's Encrypt certificate renewals _WITHOUT_ a restart of the Tomcat connector causing users to drop off!
I can say that I know of at least two people who I've set this up for, and to date they have been enjoying the fairly maintenance-free setup. (Pointswell and Eagles9999)
Avid Linux user....
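For the reverse proxy setup intra and PointsWell describe (only the proxy reachable from outside, AJP out of the picture, certificate renewals that never touch Tomcat), here is the Tomcat side as an added example; it is not from anyone's live system in this thread. It assumes Tomcat 8.5/9 server.xml syntax and a proxy on the same machine that terminates TLS on 443 and forwards to Tomcat over plain HTTP; the proxy's own configuration is not shown.

```xml
<!-- Added example, not from the thread. Tomcat behind a reverse proxy that
     terminates TLS on 443 and forwards to Tomcat on the same host (assumed). -->

<!-- port="-1" disables the shutdown port entirely, so the "shutdown port
     calls" PointsWell mentions cannot be sent over the network at all. -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Plain HTTP, bound to loopback only: the proxy is the single explicit
         route in, and nothing outside the box can talk to Tomcat directly.
         No certificate or keystore lives here, so renewing the certificate on
         the proxy never requires a Tomcat restart. -->
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               connectionTimeout="20000" />

    <!-- No AJP connector at all: the Tomcat AJP CVE intra links needs an AJP
         connector to be listening, and the proxy speaks HTTP anyway. If the
         old default line is still present, delete it or keep it commented:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->

    <Engine name="Catalina" defaultHost="localhost">
      <!-- Trust X-Forwarded-For / X-Forwarded-Proto only when they arrive from
           the proxy's own address, so access logs and the application see the
           real client IP and scheme rather than 127.0.0.1 / http. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.0\.0\.1"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https" />

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
```

With this in place, a check from another machine against port 8080 or 8009 should simply fail to connect, while the application is still reachable through the proxy on 443.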
Re: HTTPS / SSL AwareIm
For us it has been great.
Pete has done a great job and taken a big headache off of our plate
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Re: HTTPS / SSL AwareIm
Which proxy server have you set up? And any tips and recommendations for me or others that want to set it up?
intra wrote: ↑Fri Feb 19, 2021 2:24 am
Like most things in security, it's all about layers (much like an onion).
Example could be... a few months back (I believe last year) there was a CVE released for Tomcat AJP which allowed for an exploit through which you could access files.
(https://www.tenable.com/blog/cve-2020-1 ... e%20server.)
Now having a reverse proxy allows for additional controls where you can restrict access only to HTTP/HTTPS, remap and even load balance. Since the proxy is a full-blown web server (much like Apache) you can also do (fairly easily) geo-blocking and full log tracking without the cost of additional third-party packages and, best of all, with fairly industry-standard tool sets.
Another handy thing is that you can fully automate Let's Encrypt certificate renewals _WITHOUT_ a restart of the Tomcat connector causing users to drop off!
I can say that I know of at least two people who I've set this up for, and to date they have been enjoying the fairly maintenance-free setup. (Pointswell and Eagles9999)
Henrik (V8 Developer Ed. - Windows)
Re: HTTPS / SSL AwareIm
Pointswell, maybe you could create another separate thread for the scaling discussion post I tried to get started lol, it seems you have better luck rattling the community.
PointsWell wrote: ↑Wed Feb 17, 2021 3:33 am
I created a separate thread here rather than clog this one up with pros and cons
Henrik (V8 Developer Ed. - Windows)