It's essential to proxy to Tomcat on the internal network only; you can also configure Tomcat to accept requests only from specific servers (i.e. your front end), use a connector like mod_jk, and disable the other connectors.
On Wed, Jan 23, 2008 at 1:40 PM, Christian Folini <[EMAIL PROTECTED]> wrote:
> Hi-ho,
>
> I propose you go with the reverse proxy and install ModSecurity
> with the Core Rule set. That should be enough for a general
> level of security. However, you should keep an eye on the
> audit-logs of ModSecurity, as the core rules let many possible
> attacks pass, but say so in the audit log. (This can be adjusted,
> but could bring more false positives).
>
> Regs,
>
> Christian
>
> On Wed, Jan 23, 2008 at 11:24:18AM -0000, Paul Cocker wrote:
> > We have a helpdesk system which is accessed via HTTPS. However, the web
> > interface is handled via Apache Tomcat, which is shipped as part of the
> > product and therefore cannot be updated independently by us as this
> > could interfere with manufacturer patches and void our support. This
> > makes us nervous of offering access to this facility to anyone outside
> > the internal network.
> >
> > However, setting up a reverse proxy on a DMZ box is an option to us, but
> > I'm unsure as to whether this would mitigate the security concerns or
> > not of a web hosting tool which we don't have the ability to keep it
> > 100% up-to-date.
> >
> > I'm thinking this is ground we shouldn't tread, but I'm looking for
> > advice from those more experienced in reverse proxy.
> >
> > Paul
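A concrete shape for the reply's advice (an added example, not a file from the thread or from either product): a Tomcat conf/server.xml fragment with the HTTP connector removed, the AJP connector bound to the internal interface for mod_jk, and RemoteAddrValve restricting requests to the DMZ proxy alone. The Tomcat host address 10.0.0.5 and proxy address 10.0.0.1 are assumed.

```xml
<!-- conf/server.xml on the Tomcat host (assumed internal address 10.0.0.5).
     Added example, not a file from the thread. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- The default HTTP connector is disabled entirely, so nothing can
         reach the webapp except through the AJP connector below. -->
    <!-- <Connector port="8080" protocol="HTTP/1.1" /> -->

    <!-- AJP connector used by mod_jk on the DMZ proxy. The address
         attribute binds it to the internal interface only, so it is not
         listening on any other interface the host may have. -->
    <Connector port="8009" protocol="AJP/1.3"
               address="10.0.0.5"
               redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <!-- Second layer: even on the internal interface, only the reverse
           proxy (assumed 10.0.0.1) may issue requests. Because Tomcat sees
           the proxy's address, not the end user's, this is the address to
           allow. The allow attribute is a regular expression, hence the
           escaped dots. -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="10\.0\.0\.1" />

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false">
      </Host>
    </Engine>
  </Service>
</Server>
```

On the DMZ proxy, a mod_jk worker of type ajp13 pointing at 10.0.0.5 port 8009 and a JkMount for the helpdesk path in httpd.conf complete the path; the proxy's own host firewall should still permit only the front end to reach port 8009.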