Yes that was the wrong thread but thank you.
=========================== Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -----Original Message----- From: André Warnier (tomcat) [mailto:a...@ice-sa.com] Sent: Thursday, November 2, 2017 9:36 AM To: users@tomcat.apache.org Subject: Re: security headers You seem to be responding on the wrong thread, but here are some answers anyway (will save Christopher some typing) On 02.11.2017 13:55, Cheltenham, Chris wrote: > Mr. Shultz, > > I really appreciate your detailed answers. > Helps me out a lot. > > I am now thinking big picture because my application does not require > APR.. > > May I ask this , what exactly does APR give me for apache-tomcat? APR stands for "Apache Portable Run-time". Here is one explanation : It is a software library, containing a series of functions which are often used by Apache Foundation programs of all kinds (not only tomcat), particularly in what regards network interfaces and protocols. The people who make this APR, make sure that it is available for many platforms (Windows, Liux etc.), and that it is really optimised for each of these different platforms. To access the network, tomcat can do it in 2 different ways : 1) by using standard Java functions, which always work, but are not particularly optimised for any platform or 2) if APR is available, then tomcat can use instead, some calls which exist in the APR library, and which may be more optimised fo the current platform on which it is running When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because it is probably a bit faster than the Java alternative. If APR is not available, tomcat will use the standard Java functions, which are maybe a bit slower. And just to let you know that, it will print a friendly message to the log, to let you know that maybe this is not the most optimal solution, in terms of ultimate tomcat performance. But this is just an informational message, and you can decide to ignore it, and run tomcat anyway without APR (which many people do, and most of the time they will not notice the difference). There is a secondary effect which needs to be considered when using SSL (HTTPS) : When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR functions rely on the underlying presence of SSL libraries provided by another package, named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and key stores. When tomcat does not find APR, it will use the builtin Java functions for SSL. And these builtin functions require another format for the SSL keys and key stores. So the parameters used in the <Connector> elements are a bit different in each case. This is well explained in the tomcat on-line documentation. > > I am thinking to scrap the whole APR install. > > The reason I am trying to install it is because of my anal need to > have clean logs. I won't even try to interpret this.. > I can’t stand any messages suggesting or recommending that I do this > or that. They are just friendly messages, like the Amazon "other readers who have purchased this book, have also liked this : ... " > I have always tried to accommodate those recommendations. Ah, ok. I thought you could not stand them ? > However, in this case it may be the best to ignore the catalane log > message saying that I should install APR. > catalane ? that's been quite a bit in the news lately. But we're quite apolitical here, and so is tomcat usually. > > =========================== > > Thank You; > > Chris Cheltenham > Technology Services > The School District of Philadelphia > > Work # 215-400-5025 > Cell # 215-301-6571 > > -----Original Message----- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: Wednesday, November 1, 2017 4:04 PM > To: users@tomcat.apache.org > Subject: Re: security headers > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Alejandro, > > On 11/1/17 3:37 PM, Alejandro Vargas M. wrote: >> Hello, >> >> I recently used on web.xml >> >> <filter> <filter-name>httpHeaderSecurity</filter-name> >> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</fi > lter-class> >> >> <async-supported>true</async-supported> </filter> >> >> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> >> <url-pattern>/*</url-pattern> </filter-mapping> >> >> to enable some security headers, but it won't enable Content Security >> Policy header. Is there anyway to enable Content Security Policy at >> top server level??? > > What were you expecting that Filter to generate for you? A header which > disables everything? Not terribly useful. > > My recommendation would be to use something like url-rewrite[1] to add > headers to every outgoing response. url-rewrite has very similar > capabilities to httpd's mod_headers (and much more, of course). > > - -chris > > [1] http://tuckey.org/urlrewrite/ > -----BEGIN PGP SIGNATURE----- > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAln6KJkACgkQHPApP6U8 > pFjuWRAAilRKahVEge71VBJrhragUyZuKR/uqEwfwpYj9Zq5DzI3I0JT6jwD8kwE > //iuxBgDroVH/Xedn9oiMen9u1wSpf4p4fCQY0xcP99l6QnlgReimEM7Aoi24hTc > WFgYlA2DVsKvmU0qjaI8HQoBrN+n8A+4Qhxu4fj5knNT1Sk1KppYDl/l6bkaI3Lc > oPAvbYJbR2OV9SwCBoKFNjEPZwK9kTZhAr74gbErS/OZHcQAynZjHPcYl4+2K6Uj > 98T3VKu6NIif5g3ry6TA9YYe5Dn3DyqBkY6wlAI91gRn7KjESDcJPcCiYglYDHqP > 37ZdcP6LPmySFlBaug5E9811lyKIHnkpv/0OTaFM3AH0sulazBvLu38Ea5yeZQFC > CofoYTMAY8KAlfwzKn+3RhTTQA8lmKHF/dVxQBRqP3vbN/+KU1KzqZmn2Q6KoYH+ > Lf+gMJjeLE/0/8X9CnTaFPkmg7VbYgGmhGzgFkD85YTswT962L8M5evG1xdHaNiM > ZZDEeYLWC/Cjdqvht3zQ0gvmI35pI1q2K/fnYb+mrV0eIi/rcosz99GQVpTTqS58 > wCtIAKLChLuxuWoGp0+1+sI0ugwn9RmsIft34QBM1Us/FxGYc0Ou5VpBHE0JeYG8 > G8RjZ+9eonM5ScwPrAZKZ7pd6qfCHY24/OvK6vT4HbRdqJbvWT8= > =j1H+ > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
