Raghu,

On 9/30/20 10:35, Mysore, Raghunath wrote:
> This plan about Tomcat security is very nice. We look forward to the 
> meetings. 
>
> Could we have a session related to "Best practices for using Tomcat
> + (Apache Web Server) Forward Proxy (FP) combo in a real production
> environment" where an application hosted in Tomcat (web) container,
> targets a destination system in the internet, through the FP?

There are some presentations already on our "presentations" page that
might address some of your questions. Is there something specific that
is missing?

http://tomcat.apache.org/presentations.html

> The application communicates with the destination system on a TLS
> channel. The FP is placed in a perimeter zone. The role of FP is to
> route the intranet traffic to the destination system in internet.

This sounds like a fairly specific use-case. Are you looking for help in
building such a system, or some suggestions for making sure that it's
secure, high-performance, etc.?

> Is there any generalized document that makes assessment (and
> recommendations) of a Tomcat plus a Forward Proxy combo, in a real
> world setup?

No, but it would probably be an interesting subject for a presentation.
Maybe you could work with others in the community to develop such a
presentation and in fact present it at an upcoming conference!

-chris

> -----Original Message-----
> From: Maarten van Hulsentop <maar...@vanhulsentop.nl> 
> Sent: Wednesday, September 30, 2020 3:10 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Virtual event focussed on Tomcat Security
> 
> Hi Mark,
> 
> This sounds like a great idea to me. Security is a very important topic, and 
> the maturity of the Tomcat makes it a very secure choice for users. I am sure 
> a lot of people will be interested to join in.
> 
> What is not completely clear to me on this event; would this event be 
> focussed on improving the security of Tomcat from within (as a Hackathon 
> suggests)? Like trying to find security flaws/improvements and get them fixed.
> Or is this meant to be an educational event where information is shared about 
> secure setups/hardening of the Tomcat in production systems? Or a little of 
> both?
> 
> For the educational/hardening aspect, it could be nice to team up 
> with/involve OWASP?
> 
> I am surely interested to pitch in on this topic!
> 
> Kind regards,
> 
> Maarten van Hulsentop
> 
> On Tue 29 Sep 2020 at 13:26, Mark Thomas <ma...@apache.org> wrote:
> 
>> Hi all,
>>
>> We (the Tomcat community) have some funding from Google to help us 
>> improve Tomcat security. Our original plan was to use the funding to 
>> support an in-person security focussed hackathon. As you would expect, 
>> those plans are on hold for now. We would, therefore, like to explore 
>> the possibility of doing something virtually.
>>
>> The purpose of this email is to gather input from the community about 
>> what such an event should look like. With that input we can put 
>> together a plan for the event. So, over to you. What would your ideal 
>> virtual event focussed on Tomcat Security look like?
>>
>> Thanks,
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 
