Test it because ajp is either the best or the worst regarding perf...

On 10 Dec 2012 05:48, "Howard W. Smith, Jr." <smithh032...@gmail.com> wrote:
> For now, I just decided to delete all the webapps except mine (tomee,
> manager, host...), and that does the trick for me, since I'm not using
> those right now.
>
> One day, I would like to consider Apache httpd, Tomcat AJP, and APR, so I
> can have the best possible performance.
>
>
> On Sun, Dec 9, 2012 at 5:26 PM, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:
>
> > Jonathan,
> >
> > Thanks for the detailed response. Yes, you're right, I want port 4848
> > (tomee/admin web apps) only available to myself (LAN), and port 8080
> > (business webapp) available to LAN and WAN.
> >
> > I've done a lot of reading about apache httpd and tomcat, and for the most
> > part, I read that it's not necessary to run the two together, so I have not
> > done that yet (as I am new to Tomcat/TomEE), but if it is highly
> > recommended, then I might give it a try. Right now, TomEE is serving
> > dynamic web page content (JSF web app) to a small number of users at the
> > present. Hopefully, in the near future, the same web app (and tomEE) will
> > possibly serve static as well as dynamic web page content to customers.
> >
> > Most of what you mentioned below, I read recently (within last 2 or 3
> > hours) in Tomcat docs, since Romain advised me to look there.
> >
> > Right now, I have no need for tomee web app, and the other admin apps, but
> > I might find use for them in the near future. So, for right now, if I could
> > have tomee/admin web apps only on 4848 and business web app on 8080, then
> > I'm fine with that. Also, I have no need for load balancing at the present,
> > but may have a need for that some time in the future.
> >
> > It's interesting how much I'm learning by talking to and interfacing with
> > Apache committers and users. Learning a lot...and loving it! :)
> >
> > Thanks,
> > Howard
> >
> >
> > On Sun, Dec 9, 2012 at 4:26 PM, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> >
> >> Hi Howard,
> >>
> >> Sounds like you want to make your application available on
> >> http://localhost:8080/myapp, and have the usual Tomcat / TomEE
> >> administrative applications available via
> >> http://localhost:4848/[tomee|manager|etc]. Similarly, you don't want
> >> http://localhost:4848/myapp or http://localhost:8080[tomee|manager|etc] to
> >> work, with the overall goal being to restrict access to the admin apps to
> >> just your machine, or users on your LAN - is that correct?
> >>
> >> I have a couple of suggestions:
> >>
> >> You might be able to achieve this by defining different connectors, engines
> >> and hosts in server.xml. I haven't done it myself, but I'm happy to give it
> >> a try, document it and provide a sample config if that would be helpful. I
> >> found a couple of questions on StackOverflow trying to do something
> >> similar, albeit with Tomcat 6 that might be helpful:
> >>
> >> http://stackoverflow.com/questions/8823290/how-to-run-different-apps-on-single-tomcat-instance-behind-different-ports
> >>
> >> http://stackoverflow.com/questions/4366843/how-to-deploy-mutiple-web-application-in-tomcat-which-will-run-on-different-port
> >>
> >> I have a couple of alternative suggestions as well, that might be useful.
> >>
> >> First is to try the RemoteAddressFilter valve:
> >>
> >> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter
> >> - we used to use this within the TomEE .war file to restrict access from
> >> everywhere except localhost. Everything would still be available on port
> >> 8080, but access to specific apps would be allowed or blocked based
> >> on IP address.
> >>
> >> Alternatively, if you don't need the TomEE and Tomcat webapps, you can
> >> remove them (take a backup first!). To remove the TomEE webapp, copy the
> >> jars from $CATALINA_HOME/webapps/tomee/WEB-INF/lib
> >> and $CATALINA_HOME/webapps/tomee/lib to $CATALINA_HOME/lib and then remove
> >> the webapp (more info here: http://tomee.apache.org/tomee-webapp.html). The
> >> other webapps can safely be removed unless you are using them.
> >>
> >> The downside to this is that remote EJB invocation via HTTP won't work
> >> (i.e. if you are using a RemoteInitialContextFactory with a
> >> http://localhost:8080/tomee/ejb URL). You can still use this mechanism from
> >> within your own webapp if you wish by adding this to your web.xml:
> >>
> >> <servlet>
> >>   <servlet-name>ServerServlet</servlet-name>
> >>   <servlet-class>org.apache.openejb.server.httpd.ServerServlet</servlet-class>
> >> </servlet>
> >> <servlet-mapping>
> >>   <servlet-name>ServerServlet</servlet-name>
> >>   <url-pattern>/ejb</url-pattern>
> >> </servlet-mapping>
> >>
> >> You can then use http://localhost:8080/myapp/ejb to access your EJBs
> >> remotely.
> >>
> >> One final suggestion - use Apache httpd in front of TomEE and use mod_proxy
> >> to proxy to your app running on Tomcat's AJP port. Firewall off access to
> >> TomEE completely to the outside world, and only allow httpd to serve up
> >> your app. There are loads of options in the Apache httpd server to
> >> configure access control, and you can also use httpd to load balance
> >> several Tomcat instances as well if you wish. You can also serve up static
> >> parts of your webapp directly from httpd rather than forwarding from
> >> Tomcat, which can be quicker. I could knock an example configuration of
> >> this as well if that would be helpful - if you're currently allowing users
> >> straight on to port 8080, this option might be worth a look.
> >>
> >> I'd be interested if others also put Apache httpd in front of Tomcat as
> >> well or not.
> >>
> >> Hope that helps!
> >>
> >> Jon
> >>
> >> On Sun, Dec 9, 2012 at 8:35 PM, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:
> >>
> >> > Sorry, I don't understand. The following is in my server.xml, I added the
> >> > port 4848, but if I go to localhost:4848 and localhost:8080 in my browser,
> >> > then I'm seeing the same 'tomcat' page that has a way for hackers to click
> >> > on TomEE Gui, Server Status, Manager App, and Host manager. I only want to
> >> > see that page when access localhost:4848, I do not want to see that page
> >> > when accessing localhost:8080.
> >> >
> >> >
> >> > <Connector port="8080" protocol="HTTP/1.1"
> >> >            connectionTimeout="20000"
> >> >            redirectPort="8443" />
> >> > <!-- A "Connector" using the shared thread pool-->
> >> > <Connector executor="tomcatThreadPool"
> >> >            port="4848" protocol="HTTP/1.1"
> >> >            connectionTimeout="20000"
> >> >            redirectPort="8443" />
> >> >
> >> >
> >> > On Sun, Dec 9, 2012 at 11:30 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >> >
> >> > > Just look tomcat site. Basically connector(s) ports and shutdown port
> >> > > (<Server> and <Connector>)
> >> > > On 9 Dec 2012 17:26, "Howard W. Smith, Jr." <smithh032...@gmail.com> wrote:
> >> > >
> >> > > > Can you reply with a URL or two that advises how to configure server.xml?
> >> > > > thanks.
> >> > > >
> >> > > >
> >> > > > On Sun, Dec 9, 2012 at 11:23 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >> > > >
> >> > > > > That's right, tomee webapp only serve for default ejbd (remote ejb
> >> > > > > transport).
> >> > > > >
> >> > > > > For port just update server.xml
> >> > > > > On 9 Dec 2012 17:20, "Howard W. Smith, Jr." <smithh032...@gmail.com> wrote:
> >> > > > >
> >> > > > > > Romain,
> >> > > > > >
> >> > > > > > I have TomEE 1.5.1 running on production server, and I am getting
> >> > > > > > hack-attempts late at night (midnight) by someone, trying to login to
> >> > > > > > 'admin' acct of TomEE (tomcat7). I have a strong password and a different
> >> > > > > > admin-user-name in place.
> >> > > > > >
> >> > > > > > I really would like to change configuration to put the tomee app on
> >> > > > > > localhost:4848 (port 4848) instead of port 80 or 8080.
> >> > > > > >
> >> > > > > > I have not been successful at this yet. I think I read in tomee or tomcat7
> >> > > > > > user guide, that I can delete the tomee app? I can also delete manager/etc
> >> > > > > > apps as well, so they won't even be served. Right?
> >> > > > > >
> >> > > > > > Howard
> >> > > > > >
> >> > > > > >
> >> > > > > > On Tue, Nov 27, 2012 at 6:06 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >> > > > > >
> >> > > > > > > By default in dev mode you should get tomee user (but only to access tomee
> >> > > > > > > webapp, not tomcat one)
> >> > > > > > >
> >> > > > > > > if you set openejb.profile to something else (system property) you'll need
> >> > > > > > > to define it explicitly
> >> > > > > > >
> >> > > > > > > *Romain Manni-Bucau*
> >> > > > > > > *Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
> >> > > > > > > *Blog: http://rmannibucau.wordpress.com/*
> >> > > > > > > *LinkedIn: http://fr.linkedin.com/in/rmannibucau*
> >> > > > > > > *Github: https://github.com/rmannibucau*
> >> > > > > > >
> >> > > > > > >
> >> > > > > > > 2012/11/27 Howard W. Smith, Jr. <smithh032...@gmail.com>
> >> > > > > > >
> >> > > > > > > > Wow, check this out. I'm so glad that you all ship tomee.xml with all
> >> > > > > > > > users/passwords 'commented out'! :)
> >> > > > > > > >
> >> > > > > > > > Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "manager"
> >> > > > > > > > Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "manager"
> >> > > > > > > > Nov 27, 2012 5:48:06 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "role1"
> >> > > > > > > > Nov 27, 2012 5:48:06 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "role1"
> >> > > > > > > > Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "root"
> >> > > > > > > > Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "root"
> >> > > > > > > > Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "root"
> >> > > > > > > > Nov 27, 2012 5:48:08 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "tomcat"
> >> > > > > > > > Nov 27, 2012 5:48:08 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "tomcat"
> >> > > > > > > > Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "both"
> >> > > > > > > > Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "both"
> >> > > > > > > > Nov 27, 2012 5:48:09 AM org.apache.catalina.realm.LockOutRealm authenticate
> >> > > > > > > > WARNING: An attempt was made to authenticate the locked user "both"
> >> > > > > > > >
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:58 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:01 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:02 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:03 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:04 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:05 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:06 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:07 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:08 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
> >> > > > > > > > 88.191.100.2 - - [27/Nov/2012:05:48:09 -0500] "HEAD /manager/html HTTP/1.0" 401 -
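
Added example, not part of the thread and not Tomcat or TomEE code: a Python triage of the two log formats quoted above, flagging sources that produce bursts of 401 responses on the admin webapps and listing the account names LockOutRealm reported. The sample lines, their IP addresses, the 5-failures-in-10-seconds threshold and all function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the two formats quoted in the thread
# (documentation-range IPs, not the thread's real data).
ACCESS_LOG = """\
203.0.113.7 - - [27/Nov/2012:05:47:58 -0500] "HEAD /manager/html HTTP/1.0" 401 -
203.0.113.7 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
203.0.113.7 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
203.0.113.7 - - [27/Nov/2012:05:47:59 -0500] "HEAD /manager/html HTTP/1.0" 401 -
203.0.113.7 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
203.0.113.7 - - [27/Nov/2012:05:48:00 -0500] "HEAD /manager/html HTTP/1.0" 401 -
198.51.100.4 - - [27/Nov/2012:09:12:30 -0500] "GET /manager/html HTTP/1.1" 401 2474
198.51.100.4 - admin1 [27/Nov/2012:09:12:41 -0500] "GET /manager/html HTTP/1.1" 200 15320
198.51.100.4 - - [27/Nov/2012:09:13:02 -0500] "GET /myapp/index.xhtml HTTP/1.1" 200 8812
"""
CATALINA_LOG = """\
Nov 27, 2012 5:48:05 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "manager"
Nov 27, 2012 5:48:07 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "root"
Nov 27, 2012 5:48:08 AM org.apache.catalina.realm.LockOutRealm authenticate
WARNING: An attempt was made to authenticate the locked user "tomcat"
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
LOCKED_RE = re.compile(r'authenticate the locked user "([^"]+)"')
ADMIN_PREFIXES = ("/manager", "/host-manager", "/tomee")  # admin apps named in the thread

def is_admin_path(path):
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)

def failed_admin_logins(access_log):
    """Map source IP -> sorted timestamps of 401 responses on admin paths."""
    hits = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(4) == "401" and is_admin_path(m.group(3)):
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group(1)].append(when)
    return {ip: sorted(ts) for ip, ts in hits.items()}

def brute_force_sources(access_log, threshold=5, window=timedelta(seconds=10)):
    """Map IP -> peak failure count, for IPs reaching `threshold` in one window."""
    flagged = {}
    for ip, times in failed_admin_logins(access_log).items():
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def locked_usernames(catalina_log):
    """Distinct account names LockOutRealm saw being tried while locked."""
    return sorted(set(LOCKED_RE.findall(catalina_log)))
```

A single mistyped password from a LAN admin (the 198.51.100.4 lines) stays below the threshold, while the scripted burst is reported with its peak rate.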