[ajug-members] Tomcat + Apache and SSL

Travis Bailey mail at travisbailey.com
Tue Oct 30 16:51:13 EDT 2007


Oh... I concur that bad coding will always undermine any security strategy, but that is hopefully understood too.  Maybe it's the "aluminum hat" weirdness in me, but I still value a rock solid configured Apache install sitting up front.
Even if I have other applications on the same server, I can restrain them all to listen to localhost and only expose what I want.
Security is only a small portion of that, but it is still there.

I really just like having a flexible point in the architecture for web based activity.
I view Tomcat as merely an application server, albeit a light and effective one... ;-)

But yes... please people... guard your applications from x-scripting, SQL injection, session hijacking and other things for gosh sake!

;-)
 
Travis Bailey
 www.travisbailey.com
 404.664.7782 (c)

        "The greater the artist the greater the doubt. Perfect confidence is granted to the less talented as a consolation prize." - Robert Hughes



----- Original Message ----
From: Dean H. Saxe <dean at fullfrontalnerdity.com>
To: ajug-members at ajug.org
Sent: Tuesday, October 30, 2007 1:30:02 PM
Subject: Re: [ajug-members] Tomcat + Apache and SSL

FWIW, Travis, the vast majority of attacks are against the applications themselves these days and not the underlying infrastructure.  So layer upon layer of firewall, Apache sitting in front of Tomcat, etc. will only serve to make attacking Tomcat more difficult, but your application is still exposed.
 
And the thought of Apache being hardened against security vulnerabilities is not matched by the reality of the situation.  I see plenty of insecure Apache installations on web application penetration testing gigs.  The same is true of IIS, Tomcat, WebSphere, etc.  I see little or no value in having Apache sit in front of Tomcat as a security precaution if you're not also securing your apps and your deployment environment.


-dhs


Dean H. Saxe, CISSP, CEH
dean at fullfrontalnerdity.com
"If liberty means anything at all, it means the right to tell people what they do not want to hear." 
    -- George Orwell, 1945

 

On Oct 30, 2007, at 1:24 PM, Travis Bailey wrote:


Security should always be a consideration regardless of SSL.  Apache is generally prescribed for system architecture because it is, or can be made, bare-bones.  Being subjected to the Net's harshest situations has vetted that Apache will only expose a minimum set of security vulnerabilities.  Apache is, in essence, shielding and armor for your application.  It is also generally prescribed to live on its own server in high security environments so that the application servers can be positioned behind a second set of firewalls that allow limited port access from specific machines.  This would require that a hostile agent would have to get past initial firewalls, compromise the Apache server, then get by secondary firewalls to compromise the application server.

The end game is guarding, with the highest needed cost, the database.  Since the application server generally needs direct access to the database, it is considered to be a vulnerable segment in the chain.  If someone compromises your application server they may have access to properties files, code, or other secure assets.  They would also have direct access to attack the database.

Use of Apache can help address both security and performance.  It just depends on your system and needs.  If you are streaming media or heavy amounts of static content, it may make sense to have Apache in the mix because it is more optimized for these activities.  If security is a concern then use of Apache allows for a simple front end web server with a history of being extremely hardened to security vulnerabilities.

You don't NEED Apache, as much as you should WANT Apache because the architecture demands it.  If my butt was on the line because a server gets hacked, you can be damn sure I will have the architecture set up to give me ultimate protection.  Apache is clearly a more secure web server than Tomcat, if for the mere reasons that it is simpler in function, more widely used as a web server, and has been hardened a lot longer.

Of course there are other reasons to have Apache...
- It allows for easy maintenance page replacement during system downtimes
- It allows for introduction of applications across a variety of platforms
- It has simpler URL rewriting functionality
- It can provide easier maintenance of SSL certificates since you can technically just have one Apache instance to multiple Tomcat instances.

That said... many configurations with Tomcat as the web server can and do make sense (not many in my opinion, but some...)
 
Travis Bailey
 www.travisbailey.com
 404.664.7782 (c)

        "The greater the artist the greater the doubt. Perfect confidence is granted to the less talented as a consolation prize." - Robert Hughes



----- Original Message ----
From: "Buch, Peter" <peter.buch at emory.edu>
To: ajug-members at ajug.org
Sent: Tuesday, October 30, 2007 8:27:14 AM
Subject: Re: [ajug-members] Tomcat + Apache and SSL

   I think two issues of serving static content with Tomcat are security and performance. Although, I don’t fully understand the security argument if all your apps and pages require SSL and authentication. Perhaps someone could enlighten me. The performance argument is a sound one on a high load web app. Why bog your app server down with static requests? It sounds like performance isn’t an issue in this situation if you're considering removing Apache.
   

  

 
    
From: Carl Hall [mailto:carl.hall at gmail.com] 
 Sent: Monday, October 29, 2007 5:02 PM
 To: General AJUG membership forum (100-200 messages/month)
 Subject: [ajug-members] Tomcat + Apache and SSL
 
  

Our current production setup has an Apache instance in front of each Tomcat instance (4 machines; each with 1 Apache + 1 Tomcat).  This sits behind a BigIP load balancer.  We let Apache serve the static content as well though the Tomcat docs lead me to believe that Tomcat can serve static content as well or better.  The only explanation I've heard for using this is that it's easier for Apache to unwrap the SSL requests than it is for Tomcat (more overhead on Tomcat; all of our traffic is over SSL).  We're using Apache 2.0 + mod_jk + Tomcat 5.5 and are considering going to Apache 2.2 + mod_proxy_ajp + Tomcat 5.5 but I'm wondering if we could remove Apache altogether.  Does anyone have any experience or data to support/deny the claim that SSL is better handled by Apache than Tomcat?  Is Apache + Tomcat still the way to go?
 
 




_______________________________________________
ajug-members mailing list
ajug-members at ajug.org
http://www.ajug.org/mailman/listinfo/ajug-members
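
Added example, not part of the thread or any poster's configuration: a check for the point raised above about keeping backend services listening on localhost behind Apache. It relies on the `address` attribute of Tomcat's `Connector` element in `server.xml`; the sample file is constructed and the function names are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (illustrative only, not from the thread).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- No address attribute: Tomcat listens on every interface -->
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- AJP connector used by mod_jk / mod_proxy_ajp, loopback only -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8443" scheme="https" secure="true" address="0.0.0.0" />
  </Service>
</Server>
"""


def is_loopback(address):
    """True only for a literal loopback IP or the name 'localhost'."""
    if address is None:
        return False  # omitted address means "bind to all addresses"
    value = address.strip().lower()
    if value == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # some other hostname: cannot prove loopback, so flag it


def exposed_connectors(server_xml):
    """Return (port, protocol, address) for each Connector not bound to loopback."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")
        if not is_loopback(address):
            # Tomcat treats a missing protocol attribute as HTTP/1.1
            protocol = conn.get("protocol", "HTTP/1.1")
            findings.append((conn.get("port"), protocol, address or "*"))
    return findings


if __name__ == "__main__":
    for port, protocol, address in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"{protocol} connector on port {port} listens on {address}, not loopback")
```

When Apache and Tomcat run on separate hosts, as in the two-tier layout described in the thread, the connector cannot bind to loopback; the equivalent control is binding it to the internal interface and restricting the port to the Apache host at the firewall.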



