On Thu, Jul 24, 2014 at 6:24 PM, Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com> wrote:

> John,
>
> On 24.7.2014 21:11, John Smith wrote:
>
>> 1. Can I specify /admin/* as a security constraint url pattern so that only
>> that directory runs under SSL?
>
> Yes, you can.
>
>> 2. The NIO connector is accepted for JSSE, since I'm using it already, is
>> there any point in not using it as my SSL connector?
>
> If /admin has low traffic, then I would say, there is no need to use
> anything else. For high traffic TLS/SSL applications you may want to do
> some performance measurements of different Tomcat connectors, simulating
> your traffic patterns.
>
>> 3. Any known issues with routing 443 to 8443 in Iptables?
>
> I recommend using JSVC instead of iptables redirect. I had issues with
> redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support
> redirect, either.
>
>> 4. The admin tools share underlying classes with the rest of the web
>> application, which is why it makes sense to have it just as a subdirectory
>> in the same webapp. But would I be better off migrating the admin tools to
>> their own webapp for the purposes of SSL?
>
> Yes, I think so. From the security standpoint, that is way better. It will
> be much easier to apply IP address filtering, move it to another port /
> server, to isolate admin and user privileges, and so on.
>
> -Ognjen

Thanks for the info.

Best,
John
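
The configuration discussed in questions 1 to 3, as an added example that is not part of the original thread. It assumes Tomcat 7-era connector attribute names; the resource name, keystore path and password are placeholders.

```xml
<!-- WEB-INF/web.xml fragment (added example, not from the thread).
     Requests matching /admin/* that arrive over plain HTTP are redirected
     to the HTTPS connector; the rest of the webapp is unaffected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name> <!-- assumed label -->
    <url-pattern>/admin/*</url-pattern>
    <!-- No <http-method> elements, so the constraint covers every method. -->
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- conf/server.xml fragment (added example, not from the thread).
     redirectPort is the port Tomcat writes into the redirect it sends for
     CONFIDENTIAL resources. If clients reach the TLS connector on 443
     (iptables redirect or JSVC binding), it must be 443, not 8443,
     otherwise the browser is sent to a port that may be firewalled. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           redirectPort="443" />

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="CHANGE_ME"
           sslProtocol="TLS" />
```

A quick check after deployment is to request an /admin/ URL over plain HTTP and confirm the response is a redirect whose Location header uses https and the public port.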