[ajug-members] Tomcat + Apache and SSL
Dean H. Saxe
dean at fullfrontalnerdity.com
Tue Oct 30 13:30:02 EDT 2007
FWIW, Travis, the vast majority of attacks are against the
applications themselves these days and not the underlying
infrastructure. So layer upon layer of firewall, apache sitting in
front of tomcat, etc. will only serve to make attacking Tomcat more
difficult, but your application is still exposed.
And the thought of apache being hardened against security
vulnerabilities is not matched by the reality of the situation. I see
plenty of insecure apache installations on web application penetration
testing gigs. The same is true of IIS, Tomcat, WebSphere, etc. I see
little or no value in having apache sit in front of Tomcat as a
security precaution if you're not also securing your apps and your
deployment environment.
-dhs
Dean H. Saxe, CISSP, CEH
dean at fullfrontalnerdity.com
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
On Oct 30, 2007, at 1:24 PM, Travis Bailey wrote:
>
> Security should always be a consideration regardless of SSL. Apache
> is generally prescribed for system architecture because it is, or
> can be made, bare-bones. Being subjected to the Net's harshest
> situations has vetted that Apache will only expose a minimum set of
> security vulnerabilities. Apache is, in essence, shielding and
> armor for your application. It is also generally prescribed to live
> on its own server in high security environments so that the
> application servers can be positioned behind a second set of
> firewalls that allow limited port access from specific machines.
> This would require that a hostile agent would have to get past
> initial firewalls, compromise the Apache server, then get by
> secondary firewalls to compromise the application server.
>
> The end game is guarding, with the highest needed cost, the
> database. Since the application server generally needs direct
> access to the database, it is considered to be a vulnerable segment
> in the chain. If someone compromises your application server they
> may have access to properties files, code, or other secure assets.
> They would also have direct access to attack the database.
>
> Use of Apache can help address both security and performance. It
> just depends on your system and needs. If you are streaming media
> or heavy amounts of static content, it may make sense to have Apache
> in the mix because it is more optimized for these activities. If
> security is a concern then use of Apache allows for a simple front
> end web server with a history of being extremely hardened to
> security vulnerabilities.
>
> You don't NEED Apache, as much as you should WANT Apache because the
> architecture demands it. If my butt was on the line because a
> server gets hacked, you can be damn sure I will have the
> architecture set up to give me ultimate protection. Apache is
> clearly a more secure web server than Tomcat, if for the mere
> reasons that it is simpler in function, more widely used as a web
> server, and has been hardened a lot longer.
>
> Of course there are other reasons to have Apache...
> It allows for easy maintenance page replacement during system
> downtimes
> It allows for introduction of applications across a variety of
> platforms
> It has simpler URL rewriting functionality
> It can provide easier maintenance of SSL certificates since you can
> technically just have one Apache instance to multiple Tomcat
> instances.
>
> That said... many configurations with Tomcat as the web server can
> and do make sense (not many in my opinion, but some...)
>
> Travis Bailey
> www.travisbailey.com
> 404.664.7782 (c)
>
> "The greater the artist the greater the doubt. Perfect confidence is
> granted to the less talented as a consolation prize." - Robert Hughes
>
>
> ----- Original Message ----
> From: "Buch, Peter" <peter.buch at emory.edu>
> To: ajug-members at ajug.org
> Sent: Tuesday, October 30, 2007 8:27:14 AM
> Subject: Re: [ajug-members] Tomcat + Apache and SSL
>
> I think two issues of serving static content with Tomcat are
> security and performance. Although, I don’t fully understand the
> security argument if all your apps and pages require SSL and
> authentication. Perhaps someone could enlighten me. The performance
> argument is a sound one on a high load web app. Why bog your app
> server down with static requests? It sounds like performance isn’t
> an issue in this situation if you're considering removing Apache.
>
>
>
> From: Carl Hall [mailto:carl.hall at gmail.com]
> Sent: Monday, October 29, 2007 5:02 PM
> To: General AJUG membership forum (100-200 messages/month)
> Subject: [ajug-members] Tomcat + Apache and SSL
>
>
> Our current production setup has an Apache instance in front of each
> tomcat instance (4 machines; each with 1 Apache + 1 Tomcat). This
> sits behind a BigIP load balancer. We let Apache serve the static
> content as well though the Tomcat docs lead me to believe that
> Tomcat can serve static content as well or better. The only
> explanation I've heard for using this is that it's easier for Apache
> to unwrap the SSL requests than it is for Tomcat (more overhead on
> Tomcat; all of our traffic is over SSL). We're using Apache 2.0 +
> mod_jk + Tomcat 5.5 and are considering going to Apache 2.2 +
> mod_proxy_ajp + Tomcat 5.5 but I'm wondering if we could remove
> Apache altogether. Does anyone have any experience or data to
> support/deny the claim that SSL is better handled by Apache than
> by Tomcat? Is Apache + Tomcat still the way to go?
>
>
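Carl's proposed Apache 2.2 + mod_proxy_ajp + Tomcat 5.5 front end, with Travis's point about letting only the front-end host reach the application server, written out as an added configuration example that is not anything posted in this thread; the hostname, certificate paths and the /app context are assumptions.

```apache
# Added example, not the list's or any poster's own configuration.
# Assumed: Apache 2.2 with mod_ssl, mod_proxy and mod_proxy_ajp on the same
# host as Tomcat 5.5; hostname, paths and the /app context are placeholders.
# Tomcat side (server.xml), so only this Apache can reach the AJP connector:
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />

# Never act as an open forward proxy; only the explicit ProxyPass rules apply.
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

# Plain HTTP exists only to send clients to HTTPS (all traffic is over SSL).
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent / https://app.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.com
    # SSL is terminated here; Tomcat sees only plain AJP on loopback.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/app.example.com.key
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Static content is served by Apache from its own tree, not proxied.
    Alias /static/ /var/www/static/
    <Directory /var/www/static>
        Options -Indexes -FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
    ProxyPass /static/ !

    # Only the application context is forwarded. Anything else deployed on
    # Tomcat (manager, host-manager, the ROOT app) has no route through here.
    ProxyPass        /app/ ajp://127.0.0.1:8009/app/
    ProxyPassReverse /app/ ajp://127.0.0.1:8009/app/
</VirtualHost>
```

Bind or remove Tomcat's HTTP connector on 8080 the same way, otherwise the firewall rules Travis describes are what stops clients going around Apache, and Dean's point still stands: everything under /app/ is as exposed as the application itself.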