John,

On 24.7.2014 21:11, John Smith wrote:
> 1. Can I specify /admin/* as a security constraint url pattern so that only that directory runs under SSL?
Yes, you can.
> 2. The NIO connector is accepted for JSSE, since I'm using it already, is there any point in not using it as my SSL connector?
If /admin has low traffic, then I would say, there is no need to use anything else. For high traffic TLS/SSL applications you may want to do some performance measurements of different Tomcat connectors, simulating your traffic patterns.
> 3. Any known issues with routing 443 to 8443 in Iptables?
I recommend using JSVC instead of iptables redirect. I had issues with redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support redirect, either.
> 4. The admin tools share underlying classes with the rest of the web application, which is why it makes sense to have it just as a subdirectory in the same webapp. But would I be better off migrating the admin tools to their own webapp for the purposes of SSL?
Yes, I think so. From the security standpoint, that is way better. It will be much easier to apply IP address filtering, move it to another port / server, to isolate admin and user privileges, and so on.
-Ognjen
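As an added illustration of the answer to question 1 (not configuration posted in this thread), the two Tomcat fragments below force TLS for /admin/* only: a web.xml security constraint with a CONFIDENTIAL transport guarantee, and a server.xml pair of NIO connectors where the plain-HTTP connector's redirectPort points at the TLS-enabled one. The keystore path and password are placeholders.

```xml
<!-- web.xml fragment (constructed example): only URLs under /admin/
     require a confidential (TLS) transport; the rest of the webapp
     is left unconstrained. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin tools</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <!-- CONFIDENTIAL makes Tomcat answer a plain-HTTP request for these
       URLs with a redirect to the connector's redirectPort. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- server.xml fragment (constructed example): plain HTTP on 8080 sends
     CONFIDENTIAL resources to 8443, where the NIO connector terminates
     TLS with JSSE. Replace the PLACEHOLDER keystore values. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           redirectPort="8443" />
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/PLACEHOLDER.jks"
           keystorePass="PLACEHOLDER" />
```

A session cookie issued to the same webapp over plain HTTP is scoped to the context path, so it is also sent to /admin/* over TLS; that shared session scope is one reason the reply to question 4 recommends a separate admin webapp.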