Re: libapache2-mod-jk2 configuration -- Do NOT do that!

From: Paul D. Bain (paulbain_at_pobox.com)
Date: 06/24/05

    Date: Thu, 23 Jun 2005 20:12:25 -0400
    To: Alan Chandler <alan@chandlerfamily.org.uk>
    
    

    Alan Chandler wrote:
    > I am trying to add tomcat4 into my existing apache2 system so that I can
    > experiment with java (in the form of servlets and jsp).
    >
    > Although in reality I only have a single computer, for learning purposes I
    > want to simulate the situation where I have potentially split web and
    > application servers.
    >
    > So this server has two ethernet cards - one facing the outside world with an
    > address assigned by my isp using dhcp. www.chandlerfamily.org.uk points at
    > this address.
    >
    > On the other side, my lan side, I have allocated myself a range of ip
    > addresses using eth1 (192.168.0.20) eth1:0 (192.168.0.30) eth1:1
    > (192.168.0.31) as the devices (and their ip addresses) created via iface
    > stanzas in /etc/networking/interfaces.
    >
    > Bind is used to provide different names to the different lan-based ip
    > addresses.
    >
    > An iptables firewall protects the addresses and does NAT.
    >
    > Using Apache2, I then use ip based virtual hosts, so the external address has
    > one web site for http and two of the internal addresses support two other
    > http web sites. https is allocated a further host on the external address to
    > replicate one of the internal sites and provide secure access to webmail.
    >
    > I would like to set up tomcat so that it acts as though it were running on the
    > single ip address 192.168.0.31 (although appropriate requests to my external
    > web site - are routed through to it via apache).

    Alan,

            I am not an expert on network security, but, IIRC, putting a web server
    on the same physical box as a firewall is an incredibly _bad_ idea, at
    least from a security point of view. Why? Well, if your web server is
    compromised (via the box's "external address," as you term it), and if
    the attacker then gains root access to the box on which the web server
    runs (which he can do with a root kit), he can then either (a) attack
    machines that lie _behind_ the firewall (the ones with IP addresses
    beginning with "192.168") or (b) install a packet sniffer to gather
    passwords and other sensitive information. Furthermore, here, you are
    proposing to run not one, but _two_, web servers (Apache and Tomcat) on
    your firewall box, increasing the chances of compromise (simply because
    twice the servers means twice the security vulnerabilities in the server
    software).

            If I were you, I would have a security expert give a quick opinion on
    the soundness of your proposed configuration.

    Sincerely,
    Paul Bain

    -- 
    To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
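The exposure Paul describes (services bound to the ISP-facing address of a dual-homed box) can be checked mechanically. The script below is an added example and is not part of the thread; it parses a constructed `/etc/network/interfaces`-style file laid out like Alan's (eth0 on dhcp, eth1 plus two aliases on 192.168.0.x) and a constructed list of listener bindings, then reports which listeners are reachable from outside. The external address `203.0.113.10`, the `LISTENERS` table, and the wildcard AJP entry are all constructed for illustration.

```python
"""Audit which listeners sit on the externally facing interface of a dual-homed host.

Added example, not code from the mailing-list thread. All sample data below is
constructed to mirror the layout described in the thread.
"""
import re

# Constructed sample: two-NIC layout, external NIC on dhcp, LAN NIC plus aliases.
INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 192.168.0.20
    netmask 255.255.255.0

auto eth1:0
iface eth1:0 inet static
    address 192.168.0.30
    netmask 255.255.255.0

auto eth1:1
iface eth1:1 inet static
    address 192.168.0.31
    netmask 255.255.255.0
"""

# Constructed placeholder for whatever lease the ISP hands out (TEST-NET-3 range).
EXTERNAL_DHCP_ADDR = "203.0.113.10"

# Constructed sample: Apache IP-based virtual hosts plus Tomcat's own ports.
# (service, bind address, port)
LISTENERS = [
    ("apache", EXTERNAL_DHCP_ADDR, 80),
    ("apache", EXTERNAL_DHCP_ADDR, 443),
    ("apache", "192.168.0.30", 80),
    ("apache", "192.168.0.31", 80),
    ("tomcat-http", "192.168.0.31", 8080),
    ("tomcat-ajp", "192.168.0.31", 8009),
    ("tomcat-ajp", "0.0.0.0", 8009),  # constructed: a wildcard bind is reachable on every NIC
]

PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_interfaces(text):
    """Return {iface: {'method': ..., 'address': ...}} from iface stanzas."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = {"method": m.group(2), "address": None}
            continue
        m = re.match(r"address\s+(\S+)", line)
        if m and current:
            result[current]["address"] = m.group(1)
    return result


def external_interfaces(ifaces):
    """Interfaces that are neither loopback nor on an RFC 1918 private range.

    A dhcp interface carries no address in the file, so it is treated as
    external: in the thread's layout that is the ISP-facing NIC.
    """
    ext = set()
    for name, info in ifaces.items():
        if info["method"] == "loopback":
            continue
        addr = info["address"]
        if info["method"] == "dhcp" or (addr and not PRIVATE.match(addr)):
            ext.add(name)
    return ext


def exposed_listeners(listeners, ifaces, dhcp_addresses):
    """Listeners reachable from outside: bound to an external address or to 0.0.0.0.

    dhcp_addresses maps a dhcp interface name to its current lease address,
    which the interfaces file cannot tell us.
    """
    ext_addrs = set()
    for name in external_interfaces(ifaces):
        addr = ifaces[name]["address"] or dhcp_addresses.get(name)
        if addr:
            ext_addrs.add(addr)
    return [(svc, addr, port) for svc, addr, port in listeners
            if addr == "0.0.0.0" or addr in ext_addrs]


if __name__ == "__main__":
    ifaces = parse_interfaces(INTERFACES)
    for svc, addr, port in exposed_listeners(LISTENERS, ifaces, {"eth0": EXTERNAL_DHCP_ADDR}):
        print(f"externally reachable: {svc} on {addr}:{port}")
```

Run as-is it lists the two Apache ports on the external address and the wildcard-bound AJP port; the three LAN-only bindings on 192.168.0.30 and 192.168.0.31 are not reported. Anything it does report is a service whose compromise lands on the same host as the firewall and NAT rules, which is the scenario Paul's reply warns about.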
    
