André,

On 4/30/15 5:13 AM, André Warnier wrote:
> Paul Klinkenberg wrote:
>> Hi Christopher,
>> 
>> Thanks for taking the time to respond; again much appreciated.
>> 
>> Your point, and André's, is understood. Security should not be
>> done based on incoming IP address. With this current project, we
>> of course want to deliver software which is secure by default.
>> Now, if someone would install Tomcat, then add the mod_cfml
>> valve, and then doesn't lock port 8080 or 8009, the server would
>> become vulnerable in the same way as if the /host-manager would
>> not have password-protection.
>> 
>> Currently, I am discussing with the main mod_cfml developers
>> Jordan Michaels and Bilal Soylu how to implement security, since
>> I now won't be implementing IP restriction. We'll probably go
>> with using the "secret" configuration parameter for ajp like you
>> suggested. Or maybe using a shared "secret" key between the
>> frontend server and the Tomcat valve. In this last case, we would
>> also have tackled security when remote attackers try to contact
>> Tomcat on http-8080 directly, instead of using the ajp
>> connector.
>> 
>> I never knew the remote_addr could not be trusted, but I believe
>> you at once when you say so. I thought it was taken from the
>> actual socket connection. With the exception of ajp by the way,
>> where it is programmatically changed to reflect the remote client
>> while handling the http call. Out of curiosity, could you shed
>> some light as to why the remote_addr is not to be trusted in a
>> regular http request?
>> 
>> Thanks again for your time and effort!
>> 
>> Kind regards,
>> 
>> Paul Klinkenberg
>> 
> 
> On Tomcat, you can set the AJP Connector to only listen on the
> local IP address of the Tomcat server host.  That means that only
> "local LAN" clients (including the httpd front-end, presumably) can
> connect to that <Connector>. So this already stops any external
> client (be it workstation or server) from even connecting to Tomcat
> using AJP. It also, presumably, ensures that only your internal
> httpd front-ends can potentially connect to Tomcat via AJP.

Not quite. You can bind to localhost, which only allows local
connections. Or you can bind to * (all interfaces), which allows
connections from anywhere. Or, you can bind to a specific interface
(IP address), which also allows connections from anywhere. There is no
interface to which you can bind that means "only the local network",
unless of course there is some other factor at work, such as an
interface that is only connected to a local network.

> Now if you do not even trust your internal servers/clients, /then/
> you need additional measures. But in such a case, whether you use a
> "secret" which the front-end must provide, or whether you use an
> additional header or Jk variable, is only a choice; but any of
> those requires some setup on the front-ends.

+1

> The same is for the other Connectors, like HTTP/HTTPS.  If you do
> not want people to connect through these, disable them or have them
> also only listen on a local IP address.

+1

The best way to protect against unauthorized access is to require
authentication in some way that doesn't rely on some shaky and sloppy
checking, like IP address.

At some point, you have to trust your own web servers. If you don't
trust your own web servers, it means you are expecting MitM attacks.
Why not lock-down the connections between your web servers and your
application servers and then not have to distrust incoming connections
just in case they aren't coming from your web servers?

-chris
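As an added illustration (not from the thread, and not Tomcat's own documentation), here is a server.xml AJP Connector as it is commonly left, beside one that binds only to the loopback interface and demands the shared secret Chris mentions. The attribute names `address`, `secret` and `secretRequired` are the current Tomcat ones; on the 2015-era Tomcat versions discussed above the secret attribute was called `requiredSecret`, and the secret value itself is a placeholder.

```xml
<!-- Weak: no address, so Tomcat listens on every interface, and no secret,
     so any client that can reach port 8009 is treated exactly like httpd.
     That is the situation Paul describes: the valve trusts whatever arrives. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: reachable only from the Tomcat host itself, and every AJP
     request must carry the secret that the front-end is configured with.
     Binding to a specific LAN IP instead of 127.0.0.1 does NOT limit the
     connector to the LAN (Chris's point); the secret is what does that. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />

<!-- The matching mod_jk side lives in workers.properties, one line per worker
     (worker name "ajp13" is an assumption):
     worker.ajp13.secret=REPLACE-WITH-A-LONG-RANDOM-VALUE -->
```

When httpd runs on a different host than Tomcat, `address` has to be the interface facing that host, so the secret becomes the only check that the connection really comes from your front-end; a firewall rule restricting 8009 to the httpd hosts is the complementary control.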
