Greg,
On 9/28/21 06:52, Greg Huber wrote:
> Hello,
> Are there any best practice notes for the manager app?
> e.g., if I include the app in webapps I get a context on my site, do I
> create a long name for the folder (the url) to hide it?
> e.g. folder called reallylongmanager1234567890
> so I get http://xxx.site/reallylongmanager1234567890
> Or is there a better way?
Hiding the name is just security-by-obscurity. But in this case, it's a
useful one if you want to go through the effort. No script kiddie is
going to scan the internet for host/reallylongmanager1234567890, they'll
try host/manager and, getting a 404, will move on to others.
At $work, we enable the RemoteAddrValve and make sure it only allows
connections from localhost. It turns out this is the default these days,
so I may adjust my build process to stop doing that explicitly. We also
require authentication so local miscreants, if they exist, can't mess
with our applications. Well, at least non-root miscreants. ;)
We also run everything through a reverse proxy (httpd) and only map our
"real" web applications from the outside world into the back-end Tomcat
nodes. This is the real protection: you can't get to our manager from
the outside world at all.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
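The RemoteAddrValve restriction Chris describes is a regular expression in the manager's context.xml, and a pattern that looks right can still be wrong (unescaped dots, no IPv6 loopback). The script below is an added example, not code from Tomcat or from either poster: it loads a constructed context.xml, pulls out the valve's allow/deny patterns, and reports which sample client addresses would get through. It assumes (as Tomcat's RequestFilterValve does) that the address must match the whole pattern, which Python's re.fullmatch approximates for these simple patterns; the two context.xml samples and the address list are constructed for the example.

```python
"""Evaluate a Tomcat RemoteAddrValve configuration against sample client
addresses.  Added example for the thread above; not Tomcat project code.

Assumption: RemoteAddrValve tests the client address with Java's
Pattern.matches(), so the whole address must match the `allow` or `deny`
regular expression.  Python's re.fullmatch approximates that here.
"""
import re
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample in the shape of webapps/manager/META-INF/context.xml:
# only IPv4 and IPv6 loopback addresses may reach the manager.
LOOPBACK_ONLY_CONTEXT = r"""<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
"""

# Constructed sample of a common slip: unescaped dots (each '.' matches any
# character) and no IPv6 loopback alternative at all.
SLOPPY_CONTEXT = r"""<?xml version="1.0" encoding="UTF-8"?>
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127.0.0.1" />
</Context>
"""


def load_valve_rules(context_xml):
    """Return (allow, deny) compiled from the first RemoteAddrValve in the
    context, using None for an attribute that is absent or empty (Tomcat
    treats an empty attribute as unset).  Returns None if no valve exists."""
    root = ET.fromstring(context_xml)
    for valve in root.iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            allow = valve.get("allow")
            deny = valve.get("deny")
            return (re.compile(allow) if allow else None,
                    re.compile(deny) if deny else None)
    return None


def is_allowed(rules, client_addr):
    """Mirror the order of checks in Tomcat's RequestFilterValve.isAllowed():
    a matching deny rejects; a matching allow accepts; deny-without-allow
    accepts everything else; anything remaining is rejected.  With no valve
    configured there is nothing to filter, so the request passes."""
    if rules is None:
        return True
    allow, deny = rules
    if deny is not None and deny.fullmatch(client_addr):
        return False
    if allow is not None and allow.fullmatch(client_addr):
        return True
    if deny is not None and allow is None:
        return True
    return False


def audit(context_xml, client_addrs):
    """Map each sample client address to whether the valve would admit it."""
    rules = load_valve_rules(context_xml)
    return {addr: is_allowed(rules, addr) for addr in client_addrs}


# Constructed sample addresses: both loopbacks, a LAN host, a public host,
# and a string that only an unescaped-dot pattern would accept.
SAMPLE_ADDRS = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1",
                "10.0.0.5", "203.0.113.7", "127a0b0c1"]

if __name__ == "__main__":
    for name, ctx in (("loopback-only", LOOPBACK_ONLY_CONTEXT),
                      ("sloppy", SLOPPY_CONTEXT)):
        print(name)
        for addr, ok in audit(ctx, SAMPLE_ADDRS).items():
            print(f"  {addr:>16}  {'allow' if ok else 'deny'}")
```

Run it after editing the manager's context.xml and paste your own allow pattern into the sample: the loopback-only pattern admits exactly the three loopback forms, while the sloppy one admits the junk address 127a0b0c1 and rejects a legitimate ::1 connection, which is the kind of surprise that shows up only when someone connects over IPv6.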