-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/01/2007, at 11:50 AM, Mikolaj Rydzewski wrote:
Leon Rosenberg wrote:
Sure, I could write my own filters and pass the static content
through
them first, but that'd slow down the whole app (tested).
Could you explain this a little more? Ho
That's 16GB, and I wouldn't consider it cheap. Besides, our company is
renting the servers since we don't just put some machines down in our
private "bunker" ;)
But Leon, we're really getting off-topic here, so if you want to
discuss this issue further, feel free to drop me a line on my private
e
On 1/10/07, Darren <[EMAIL PROTECTED]> wrote:
> but if you remember how this thread
> started, the author of the article and OP suggested in his article to
> put an apache / iis in front of tomcat to INCREASE security
No I didn't, but if that's how you interpreted the section on
'running on port
On 1/10/07, Gregor Schneider <[EMAIL PROTECTED]> wrote:
> hmm, haven't you said you have 300.000 files? I don't know how large
> your files actually are, but assuming 100K a fairly large size you 'll
> need ~30 Gb of RAM to cache them all. Now a machine with 32 Gb of RAM
> is pretty cheap nowerda
but if you remember how this thread
started, the author of the article and OP suggested in his article to
put an apache / iis in front of tomcat to INCREASE security
No I didn't, but if that's how you interpreted the section on
'running on port 80' then it needs to be reworded accordingly.
h
Markus,
Therefore - IMO - a claim like "i'm just saying that nobody should worry about
this combination" is useless (maybe even dangerous) without the "ifs" you've
come up with now, full stop.
OK, we absolutely disagree on that one - so can we leave it at that?
You got the honor of the final w
Hi Leon,
I think we both now can agree that there are millions of absolutely
valid reasons
to run a httpd-tomcat combination, but that security isn't among them :-)
Ok?
Absolutely!
hmm, haven't you said you have 300.000 files? I don't know how large
your files actually are, but assuming 100
On 1/10/07, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote:
Leon Rosenberg wrote:
> Still, since you can guarantee that everything is in memory if you
> customize your webapp, and apache httpd simply relies on the file
> system cache which has its own behaviour, not designed for your
> webapp, a si
On 1/10/07, Gregor Schneider <[EMAIL PROTECTED]> wrote:
Hi Leon,
On 1/10/07, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
>
> Aehm,
> the original thread was about security, and now you wrote "performs"
> better, which I assumed referred to "performance". If not - my fault
> :-)
>
Well, we moved ki
Mikolaj Rydzewski wrote:
> Leon Rosenberg wrote:
> >> Sure, I could write my own filters and pass the static content through
> >> them first, but that'd slow down the whole app (tested).
> >
> > Could you explain this a little more? How can it be that if you write
> > out something from memory it's
Gregor Schneider wrote:
> On 1/10/07, Markus Schönhaber <[EMAIL PROTECTED]> wrote:
> > Gregor Schneider wrote:
> > > that's definitely not the case.
> >
> > "Definitely"? Hm, again such an absolute claim of yours for which you
> > provide no facts to back it up.
>
> Markus:
> As I stated above: I
Leon Rosenberg wrote:
Still, since you can guarantee that everything is in memory if you
customize your webapp, and apache httpd simply relies on the file
system cache which has its own behaviour, not designed for your
webapp, a single filesystem "miss" will cost more time than you'll
ever win b
Hi Leon,
On 1/10/07, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
Aehm,
the original thread was about security, and now you wrote "performs"
better, which I assumed referred to "performance". If not - my fault
:-)
Well, we moved kinda off-topic here, so you got me right.
What I actually wanted t
Hmm,
interesting reading.
Still, since you can guarantee that everything is in memory if you
customize your webapp, and apache httpd simply relies on the file
system cache which has its own behaviour, not designed for your
webapp, a single filesystem "miss" will cost more time than you'll
ever
On 1/10/07, Gregor Schneider <[EMAIL PROTECTED]> wrote:
Hi Leon,
On 1/10/07, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> > In *our* scenario I rather have Apache http in front because
> >
> > - it performs better
>
> What?
> You can argue that httpd doesn't decrease security, but talking about
>
Leon Rosenberg wrote:
Sure, I could write my own filters and pass the static content through
them first, but that'd slow down the whole app (tested).
Could you explain this a little more? How can it be that if you write
out something from memory it's slower than asking the filesystem which
could e
Hi Leon,
On 1/10/07, Leon Rosenberg <[EMAIL PROTECTED]> wrote:
> In *our* scenario I rather have Apache http in front because
>
> - it performs better
What?
You can argue that httpd doesn't decrease security, but talking about
it being fast??? Come on, you're kidding :-)
Sorry, but I don't get
On 1/10/07, Gregor Schneider <[EMAIL PROTECTED]> wrote:
> > OTOH, i'd rather have apache in
> > front than running tomcat on port 80 via jsvc or as a service.
>
> I'd like to repeat Chuck's question: why?
>
Plain and simple:
You also can misconfigure jsvc (ok, chances are pretty small...)
In *o
Hi Markus,
On 1/10/07, Markus Schönhaber <[EMAIL PROTECTED]> wrote:
Gregor Schneider wrote:
OTOH there are very good reasons to use a httpd-Tomcat combination. Alas,
the "only reason" there "usually" is, as you said, I wouldn't count amongst
the good reasons. Tomcat serves static content just fin
Christopher Schultz wrote:
> Markus Schönhaber wrote:
> > You defend it yourself in the next paragraph you've written.
> >
> >> One could argue that more moving parts equals more complexity, and that
> >> complexity is an enemy of security (and I agree). However, there must be
> >> a balance. If g
Gregor Schneider wrote:
> On 1/9/07, Markus Schönhaber <[EMAIL PROTECTED]> wrote:
> > Did you read the article that is subject to this thread?
>
> yep
>
> > I don't think I understand how your post relates to mine.
>
> My post relates to yours and to some other posts here in that sense
> that you
On 1/9/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
Leon's message says flat out that adding Apache httpd reduces security,
and provides no basis for that statement. A more appropriate statement
might have been that Apache does not add any appreciable measure of
security as Tomcat provides
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Darren,
Darren wrote:
> I think the 'running on port 80' section needs some rewording as I'm not
> advocating that putting IIS or apache in front of your tomcat
> installation will make it any more secure. As a sysadmin you may be
> asked to serve tom
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Markus,
Markus Schönhaber wrote:
> You defend it yourself in the next paragraph you've written.
>
>> One could argue that more moving parts equals more complexity, and that
>> complexity is an enemy of security (and I agree). However, there must be
>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Andrew,
Andrew Miehs wrote:
> With Apache HTTPD you have the advantage of being able to do fine grained
> url/ IP access control.
I believe that Tomcat also has that capability. Am I wrong?
-chris
> From: Gregor Schneider [mailto:[EMAIL PROTECTED]
> Subject: Re: Securing Tomcat Article for Review
>
> OTOH, i'd rather have apache in front than running
> tomcat on port 80 via jsvc or as a service.
Why?
- Chuck
Hi Markus,
On 1/9/07, Markus Schönhaber <[EMAIL PROTECTED]> wrote:
Did you read the article that is subject to this thread?
yep
I don't think I understand how your post relates to mine.
My post relates to yours and to some other posts here in that sense
that you (and others) stated that put
Did you read the article that is subject to this thread?
Gregor Schneider wrote:
> putting up apache in front of tomcat usually is not done due to
> security-reasons. however, doing so won't do any harm if you know what
> you're doing... ;)
Whatever you're doing, it's always a good idea to know
Things like:
Change files in CATALINA_HOME/conf to be readonly (400)
...
Rename CATALINA_HOME/conf/server.xml to ...
won't work for dummies (due to missing rights) if they'll follow the
guide step by step.
You're right, the ordering is perhaps a little confusing. The
article is not aimed sp
well,
putting up apache in front of tomcat usually is not done due to
security-reasons. however, doing so won't do any harm if you know what
you're doing... ;)
the only reason putting up apache in front usually is to serve static
content when running a high-load-web-app. besides, you can do quit
Christopher Schultz wrote:
> Leon Rosenberg wrote:
> > Also by using apache in front of tomcat you rather loose[sic]
> > security than gain it. At least this is my personal opinion :-)
>
> Would you care to defend that argument?
You defend it yourself in the next paragraph you've written.
> One
> From: Christopher Schultz [mailto:[EMAIL PROTECTED]
> I would argue that Apache httpd is quite mature and is trustworthy.
> Sure, you're not likely to run into a buffer overflow bug in
> Tomcat, but
> a bad configuration can open any server to attack. Is a bad Tomcat
> configuration alone any b
On 09/01/2007, at 5:20 PM, Christopher Schultz wrote:
Leon Rosenberg wrote:
Also by using apache in front of tomcat you rather loose[sic]
security than gain it. At least this is my personal opinion :-)
Would you care to defend that argument? Security in layers is
typically
an advantage.
O
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Leon,
Leon Rosenberg wrote:
> Also by using apache in front of tomcat you rather loose[sic]
> security than gain it. At least this is my personal opinion :-)
Would you care to defend that argument? Security in layers is typically
an advantage.
One c
Who's the target audience?
Things like:
Change files in CATALINA_HOME/conf to be readonly (400)
...
Rename CATALINA_HOME/conf/server.xml to
CATALINA_HOME/conf/server-original.xml and rename
CATALINA_HOME/conf/server-minimal.xml to
CATALINA_HOME/conf/server.xml. The minimal configuration provides
I've been working on an article about securing tomcat for the Open
Web Application Security Project (OWASP). The article details some
quick and easy ways to improve the 'out of the box' security of
tomcat from the perspective of a sysadmin. It's written with tomcat
5.5 in mind, but almost