On 15/04/2013 03:51, Esmond Pitt wrote:
>
>>> I agree with your comment. Adding a second box for Tomcat only means I
>>> also have to configure a firewall between them, whereas using
>>> 127.0.0.x for Tomcat protects it completely.
>
>> No it doesn't!
>> Obfuscation or indirection != security.
>> HTTPD doesn't magically provide you with some extra security capability.
>
> I don't know what you're talking about. I didn't mention HTTPD in the
> message you quoted. I mentioned 127.0.0.x, and it does exactly what I said
> it does. There is no 'security via obscurity' here, just a well-known TCP
> mechanism.
I quote:

> We:
>
> - Hid the Tomcat behind an Apache HTTPD on port 80.

You used the word 'hid'.

ob·scure
Adjective: Not discovered or known about; uncertain.
Verb: Keep from being seen; conceal.

Security via obscurity.

> - Closed port 8080, indeed removed all the HTTP Connectors from Tomcat and
> just used AJP connectors running on 127.0.0.1/2/3/4/..., all on the same
> port for simplicity, so there is zero direct access to Tomcat from the
> outside

I am objecting to the above as being an improvement on two counts:
1. the phrase 'direct access' has no meaning here
2. Tomcat still processes the bytes received from the client with no prior inspection or validation of their safety.

> - Configured Apache HTTPD for LDAP authentication via an OpenLDAP server
> that in turn is configured via the Password Policy overlay for finite (5 I
> think) password retries before locking out the account
> - required a very restricted LDAP group membership for access to /manager
> (and the other Tomcat builtins).

So you secured the Manager app, rather than use a password that could be guessed.

> No recurrence, not even an attempt. I think actually closing port 8080 may
> have played the biggest part in all this.

No it didn't. Using a password that couldn't be guessed did.

p
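The setup the quoted poster describes (httpd in front, AJP only on loopback, LDAP-authenticated group restriction on /manager), written out as an added httpd configuration example that is not from the thread or from either poster. It assumes Tomcat's only Connector is AJP/1.3 bound to 127.0.0.1:8009 (address="127.0.0.1" on the Connector in server.xml); the LDAP host, DNs, group name and bind account are placeholders.

```apache
# Added example, not from the thread. Assumes Tomcat listens only on
# ajp://127.0.0.1:8009 and that all LDAP names below are placeholders.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_ajp_module    modules/mod_proxy_ajp.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so

# Binding Tomcat to loopback only decides who can open the socket. Every
# request httpd accepts is still forwarded to Tomcat unchanged, so the
# access control has to be enforced here (or in Tomcat), not assumed.
# ProxyPass rules match in order: the /manager rule must come before "/".
ProxyPass        /manager ajp://127.0.0.1:8009/manager
ProxyPassReverse /manager ajp://127.0.0.1:8009/manager
ProxyPass        /        ajp://127.0.0.1:8009/
ProxyPassReverse /        ajp://127.0.0.1:8009/

<Location "/manager">
    AuthType Basic
    AuthName "Tomcat Manager"
    AuthBasicProvider ldap
    # Placeholder directory. Retry limits and lockout come from the
    # OpenLDAP Password Policy overlay on the server, not from httpd.
    AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN       "cn=httpd-bind,ou=services,dc=example,dc=internal"
    AuthLDAPBindPassword "PLACEHOLDER"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # Only members of this deliberately small group may reach the Manager app.
    Require ldap-group cn=tomcat-admins,ou=groups,dc=example,dc=internal
</Location>
```

Basic authentication sends credentials in clear text, so this Location belongs in a TLS-enabled VirtualHost rather than on the plain port 80 listener the thread mentions.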