On Thu, Apr 30, 2009 at 9:58 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Leon,
>
> On 4/27/2009 1:59 PM, Leon Rosenberg wrote:
>> On Mon, Apr 27, 2009 at 6:46 PM, Robin Wilson <rwil...@kingsisle.com> wrote:
>>> The apache servers can sit in a different DMZ area
>>
>> Sorry, this is no security at all. If the attacker was able to break
>> your OS once and come to your apache httpd server, he will be able to
>> break it a second time and come to the tomcat serving server. Increasing
>> complexity doesn't necessarily increase security; the truth is that more
>> complexity usually compromises security. Anyway, an unfiltered
>> connection between your httpd and your tomcat server exists (ajp), and
>> the attacker can exploit it directly, since httpd will just send all
>> mapped requests 1 on 1.
>
> A connection that allows only ajp would be, IMO, a "filtered"
> connection, not an unfiltered one. Just because an attacker can break
> into Apache httpd on a publicly-available web server doesn't guarantee
> that he will be able to break through your ajp connection into the app
> server. I'm not sure how you can logically connect a web server
> intrusion with a definite app server intrusion.

I so much hoped the thread was dead, but since you are addressing me directly :-)

The only way to break into a tomcat is to send something which leads to something else, giving the attacker at the end more control of the machine than intended. For the sake of experiment let's assume that if you send a "/givemegodpermissions.html" to a tomcat server it opens a console in root mode on the machine it runs on. For a standalone tomcat behind a firewall (and don't tell me people can't afford firewalls, iptables is free) where only port 8080 is open (and probably mapped from 80 by portmapper or something) the only way to exploit tomcat itself (we are not talking about OS level hacking) is to send http://youradress/givemegodpermissions.html.

Now let's add an apache httpd in front and connect them via ajp. If the attacker sends the very same url http://youradress/givemegodpermissions.html, the apache will just send the /givemegodpermissions.html to the tomcat over ajp and exactly the same happens. So what have you gained? Nothing.

>> Finally, httpd is written in C and therefore vulnerable to all kinds of
>> attacks a java program is not, like buffer/heap overflows.
>
> True, which is exactly why breaking into the web server and breaking
> into the app server would require different techniques. Therefore
> compromising the web server does not necessarily equal an app server
> break-in.

See above. Having an additional piece of software means that you have more holes and more to protect.

>>> In addition to more granular security (as described above), having
>>> isolated the web layer from the application layer allows you to
>>> independently adjust the performance of each.
>>
>> The short answer to that would probably be, if you have performance
>> concerns, you just do not use apache httpd. If you want/need to
>> loadbalance, a hardware loadbalancer is the weapon of choice.
>> If you need to serve a lot of large static content (pictures) you put
>> reverse proxies in front of your tomcats.
>
> ...and run /what/ as your reverse proxies?

squid, varnish, whatever. You may even serve static files via a fast lean web server like lighttpd.

>> If you need to serve static content (js, css etc) along with dynamic
>> content, you let tomcat handle it, it serves static content faster
>> than httpd anyway.
>
> Citation? Or more Tomcat FUD ;)

Actually I mentioned the book in this thread, and some time ago in a mail in reply to YOUR question. But why not, here's the link again:
http://www.amazon.com/gp/product/0596101066/ref=s9_sims_gw_s9_p14_i1?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=1J4CRZSBWAQZMCDA54ET&pf_rd_t=101&pf_rd_p=470938631&pf_rd_i=507846
Tomcat: The Definitive Guide (Paperback), 2nd edition. Be sure to get the second edition from 2007, it covers tomcat 6. There are a lot of performance comparison charts in this book for various tomcat connectors with or without apr against various httpd setups.

regards,
Leon

> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
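The httpd-in-front setup the thread argues about, shown as configuration (an added example, not from any message in the thread): a "forward everything" mapping, which behaves exactly as Leon describes, next to a restricted mapping, which is the kind of filtering Chris has in mind. The hostnames, paths, network ranges and the httpd 2.2-era directive syntax are assumptions.

```apache
# Added example (not from the thread). Assumed: httpd 2.2 with mod_proxy_ajp,
# Tomcat's AJP connector on an internal host tomcat.internal:8009, the
# application deployed under /shop, and a second context /admin that must
# not be reachable from the public side.

# --- Weak: every request httpd receives is handed to Tomcat 1:1 over AJP.
# httpd adds no filtering here; a request for any path, including the
# hypothetical /givemegodpermissions.html from the thread, reaches Tomcat
# unchanged. (Kept commented out so it is not loaded.)
#ProxyPass        / ajp://tomcat.internal:8009/
#ProxyPassReverse / ajp://tomcat.internal:8009/

# --- Filtered: only the paths the application actually needs are mapped;
# everything else is answered by httpd itself and never becomes an AJP request.

# Never act as an open forward proxy; ProxyPass works without it.
ProxyRequests Off

# Exclusions must come before the prefix they carve out of.
ProxyPass        /shop/static !
ProxyPass        /shop/  ajp://tomcat.internal:8009/shop/
ProxyPassReverse /shop/  ajp://tomcat.internal:8009/shop/

# Static files are served by httpd from disk, not forwarded to Tomcat.
Alias /shop/static /var/www/shop/static

# The admin context is forwarded too, but only for the admin network;
# everyone else gets a 403 from httpd before any AJP request is made.
<Location /admin/>
    Order deny,allow
    Deny from all
    Allow from 10.0.1.0/24
</Location>
ProxyPass        /admin/ ajp://tomcat.internal:8009/admin/
ProxyPassReverse /admin/ ajp://tomcat.internal:8009/admin/

# Unmapped paths (e.g. /givemegodpermissions.html) fall through to httpd's
# DocumentRoot and get httpd's own 404; Tomcat never sees them.

# Tomcat side (server.xml, not httpd syntax): bind the AJP connector to the
# internal interface only, e.g. address="10.0.0.5" on
# <Connector port="8009" protocol="AJP/1.3" ...>, so only httpd can reach it.
```

Whether the AJP hop filters anything therefore depends entirely on how narrow the ProxyPass mappings are; with a bare `ProxyPass /` in place, both sides of the argument are describing the same setup.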