How to run Tomcat in the most secure way? - apache

We are using Apache Tomcat 7 for our web applications and we have decided to go to the production stage.
So now is the time to think about how to secure Tomcat and the machine. After reading "Apache Tomcat security considerations" we decided to run the Tomcat process under a dedicated user in a minimal scenario.
From what I understand the best option is to configure it in a way that the running tomcat process has only read privilege to all the tomcat files.
I figured I would do it in this way:
I would create 2 users:
- tomcat_process - only for running Tomcat
- admin - this is the one all the files belong to
tomcat_process will have access to conf directory, and also will be able to run scripts from tomcat/bin/
My main problem is that Tomcat needs to write to some files in $CATALINA_HOME/$CATALINA_BASE. I know I can change the location of logs and work directory and I thought I would point them to tomcat_process home dir (is this even a good idea?).
But I can't find any information if I can change the path to /conf/Catalina dir. Is it possible?
I would like to avoid adding write access to conf directory, as the whole configurations sits in there.
Or do you think that I should leave those directories where they are and just add write privileges to them for tomcat_process?
I was wondering if you could please tell me if this is a correct approach or can I do it better?
I'm so confused with all those security guides which are telling me to restrict privileges but not telling how to do it :(

Keeping it simple is, I think, the key:
Create a new Tomcat for each (set of) web application(s) with their own user.
Limit the Tomcat resources to only the Tomcat user. In Linux you can use the chmod/chown commands for this.
Place the Tomcat behind a reverse proxy: Internet (https) <- external Firewall -> Apache Reverse Proxy <- Internal Firewall (block all unless whitelisted) --> Tomcat
Delete all standard webapps: 'manager', 'root', 'docs'.
Disable the shutdown command in server.xml.
As for Java web applications, try to contain them in their own sandbox, meaning own database, own users.
To save maintenance effort, you could run multiple instances using one Tomcat binary and a single tomcat user.
http://www.openlogic.com/wazi/bid/188102/How-to-Run-Multiple-Instances-of-Tomcat-on-a-Single-Server
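As an added example (not from the question or the answer above), here is a POSIX shell script that lays out the permission model both posts describe: the files belong to an admin account, the service account gets group read access only, and just the runtime directories Tomcat must write to (logs, temp, work and conf/Catalina, where Tomcat copies per-application context files) are group-writable, so conf itself and server.xml stay read-only for the service account. It also rewrites the shutdown port in server.xml to -1, which is how the shutdown listener is disabled. The account names admin, tomcat and tomcat_process, the mode values and the throw-away layout built by make_demo_base are assumptions for the demonstration; the chown only runs when the script is root and those accounts exist.

```shell
#!/bin/sh
# Added example, not from the post. Lays out a CATALINA_BASE so that the
# service account (group read access only) can write solely where Tomcat
# must write at runtime, and disables the shutdown listener in server.xml.
# Account names, mode values and the demo layout are assumptions.
set -eu

TOMCAT_OWNER="${TOMCAT_OWNER:-admin}"         # assumed: account that owns the files
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"        # assumed: group the service account is in
TOMCAT_USER="${TOMCAT_USER:-tomcat_process}"  # assumed: account the JVM runs as

# Directories Tomcat must be able to create files in while running.
WRITABLE_DIRS="logs temp work conf/Catalina"

# chown needs root and existing accounts; otherwise leave ownership alone.
set_ownership() {
  base="$1"
  if [ "$(id -u)" -eq 0 ] && id "$TOMCAT_OWNER" >/dev/null 2>&1 \
     && grep -q "^$TOMCAT_GROUP:" /etc/group; then
    chown -R "$TOMCAT_OWNER:$TOMCAT_GROUP" "$base"
  fi
}

harden_tomcat_tree() {
  base="$1"
  set_ownership "$base"
  # Baseline: owner read/write, group read-only, others nothing.
  find "$base" -type d -exec chmod 750 {} +
  find "$base" -type f -exec chmod 640 {} +
  # bin/*.sh must stay executable for the service account, but not writable.
  if [ -d "$base/bin" ]; then
    find "$base/bin" -type f -name '*.sh' -exec chmod 750 {} +
  fi
  # Only the runtime directories are group-writable; conf itself stays 750.
  for d in $WRITABLE_DIRS; do
    mkdir -p "$base/$d"
    chmod 770 "$base/$d"
  done
}

# Exit status 0 when nothing outside the runtime directories is writable
# by group or others (catches e.g. a deploy step that loosened server.xml).
verify_tomcat_tree() {
  base="$1"
  bad=$(find "$base" \( -perm -g=w -o -perm -o=w \) \
          ! -path "$base/logs*" ! -path "$base/temp*" \
          ! -path "$base/work*" ! -path "$base/conf/Catalina*" | wc -l | tr -d ' ')
  [ "$bad" -eq 0 ]
}

# port="-1" tells Tomcat not to open the shutdown listener at all.
# cp -p first so the rewritten file keeps the mode set by harden_tomcat_tree.
disable_shutdown_port() {
  conf="$1"
  cp -p "$conf" "$conf.tmp"
  sed 's/<Server port="[0-9]*"/<Server port="-1"/' "$conf" > "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

shutdown_port_disabled() {
  grep -q '<Server port="-1"' "$1"
}

# Constructed throw-away layout standing in for a real CATALINA_BASE.
make_demo_base() {
  base="$(mktemp -d)"
  mkdir -p "$base/bin" "$base/conf" "$base/lib" "$base/webapps/ROOT" \
           "$base/logs" "$base/work" "$base/temp"
  printf '#!/bin/sh\nexec ./catalina.sh start\n' > "$base/bin/startup.sh"
  printf '<Server port="8005" shutdown="SHUTDOWN">\n</Server>\n' > "$base/conf/server.xml"
  echo "$base"
}

demo_base="$(make_demo_base)"
harden_tomcat_tree "$demo_base"
disable_shutdown_port "$demo_base/conf/server.xml"
if verify_tomcat_tree "$demo_base" && shutdown_port_disabled "$demo_base/conf/server.xml"; then
  echo "OK: $demo_base hardened (group $TOMCAT_GROUP, user $TOMCAT_USER)"
else
  echo "FAIL: $demo_base still has writable files outside the runtime dirs"
fi
```

Run verify_tomcat_tree from cron or a deploy hook against the real CATALINA_BASE; a non-zero exit means something outside logs, temp, work or conf/Catalina became writable by the service account and should be investigated before the next restart.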

Related

Trying to Properly configure the mod alias in Apache

I'm running Apache 2.2.24 on Mac OS X 10.9.1. Currently, we have a network drive on which we access all of our Git repos at /Volumes/GitWebsites. I would like to configure Apache to serve our PHP-based repos from that directory. So localhost (or 127.0.0.1)/phpsite1/ or /phpsite2/ etc. will serve sites from /Volumes/GitWebsites/phpsite1/ or /phpsite2/ in the browser. My two questions are:
Do I simply modify the server root or do I need to use mod_alias in the httpd.conf file?
What are the permission settings I need in order for Apache to access /Volumes/GitWebsites?
I've done configuration changes like this in IIS 7.5 and set up a NodeJS dev environment but am still new to making large-scale changes to Apache. Thanks for any help given.
If you are happy with serving the contents of /Volumes/GitWebsites as it is, then it should be fine to point the document root at it. It also makes it easy to add sites later.
However, this could be troublesome later if you want to manage PHP configuration for the sites separately.

Integrating liferay tomcat with apache web server

I am trying to integrate the Liferay Tomcat with the Apache web server. I successfully integrated Liferay with the web server.
Condition:
Liferay deployed on IP, say: 10.10.10.70
Apache web server on IP, say: 10.10.10.80
I provided all the required virtual host settings in the httpd.conf file and provided the web.server.host in the portal-ext.properties file.
Problem: When I run the Liferay portal I can open it on IP 10.10.10.70,
but when I click on any page link (let's say /home) that is present in my portal, it moves the request to
10.10.10.80:8080/home instead of 10.10.10.70:8080/home.
I want to know how to handle this condition,
because I don't have any page resources on the web server; its doc folder only contains static CSS.
You might be a bit more precise about what "all the required virtual host settings" are, e.g. what did you configure?
Note that by explicitly configuring hostnames/IP-addresses, you're explicitly overriding the autodetected settings from the request - no matter how you get to your portal, Liferay will generate URLs based on the explicitly configured hostname/port.
What's the point in having an Apache in front and then trying to reach tomcat through the non-apache IP/Port? Typically you might have static resources, rewrites, caches on Apache, so that you'll get different results when you alternatively access tomcat through both URLs.
If you configure Apache to "properly" handle the requests before tomcat sees them, you'll typically not need to configure Liferay at all, because Apache will make the actual hostname that it's requested under available to Tomcat. I'm typically using mod_jk for this and it beautifully handles all the configuration with almost no need to explicitly configure tomcat/liferay. If you don't like this, keep in mind that you're explicitly configuring Liferay for the virtual host setup - naturally this explicitly configured name is what Liferay uses. It would be weird if the explicit value would not be used, right?

Why does my war file work locally, but not on my webhosting server?

I developed a website and got a Tomcat account on Dailyrazor. My website runs fine when I start Tomcat from the command line and stick my war file in Apache's webapps folder. I access it by http://localhost:8080/dkashtanartportfolio/.
Now, should it be as easy as dropping the war in my webapps folder on my DailyRazor Tomcat server? I expect to be able to access my website via http://www.<domain-name>.com/<war-file-name>/, which should look like http://www.dkartportfolio.com/dkashtanartportfolio/
I get a 404 error and I do not know why. Can anybody help?
Some of the DailyRazor accounts don't allow automatic deploy. So after uploading the war you need to restart Tomcat. I use the shell to execute tomcat_manage stop, followed by tomcat_manage start.
You may also be able to request restart by opening a help ticket.
For some reason, my accounts expect wars to be in public_html and not webapps. I have an old account, so they may have changed the way new accounts work.
You need to look carefully into tomcat/conf/server.xml and make sure that you've specified the correct path to the app folder. Also keep in mind that if you have a shared Tomcat you need to unpack your war file before requesting a Tomcat restart; it won't unpack automatically.

Change hosts file on Jenkins executor node

We are planning to migrate our Java web application build environment to CloudBees, but one aspect is currently blocking us. We are developing a multi-tenant application. It uses the host subdomain to identify tenants, and we use wildcard DNS entries to do that in production (e.g. *.example.com).
In development, we have hardcoded a few entries in our hosts file to mimic that. Those entries are enough to run our tests:
...
127.0.0.1 test1.app.dev
127.0.0.1 test2.app.dev
127.0.0.1 test3.app.dev
127.0.0.1 test4.app.dev
So basically, Jenkins should set the hosts file, then launch our app using our web container locally. Then the test suite is executed against the running web app.
I tried to add a pre-process step in the Jenkins project configuration to edit the hosts file but as expected, the Jenkins job does not have permission to do that.
Is there a way to change the hosts file before my test suite is run? Or is there something else we could do to simulate wildcard DNS entries?
You could use the xip.io service from 37signals:
http://37signals.com/svn/posts/3191-announcing-pow-040-with-xipio-support
Thus your host names would be:
test1.127.0.0.1.xip.io
test2.127.0.0.1.xip.io
test3.127.0.0.1.xip.io
test4.127.0.0.1.xip.io
I'd personally try and keep these in a centrally configured area, just in case the xip.io service was decommissioned, but it's probably fairly cheap to operate and so should be around for a while at least.

Configuring Drupal to work with an existing webapp

I have an existing web application which I have been building with an ant script and deploying as a .war file to Tomcat.
I am trying to add Drupal to my current technology stack to provide CMS and general UI-related functionality, so that I don't have to write my HTML pages by hand and can use templates instead.
During the installation of Drupal 7, some of the instructions suggest that I go to this directory:
/etc/apache2/sites-available
and change the DocumentRoot to
/home/myuser/drupal/drupal7
If I make the docroot a basic directory on the file system, how will this impact how the application will work? In addition to Apache, I also have a Tomcat server. My goal is to get them all to play nice together. How is this best accomplished?
"If I make the docroot a basic directory on the filesystem"
I'm not sure what you mean by this. There's no qualitative difference between /var/www and /home/myuser/drupal/drupal7. The latter is longer and in the user's home directory, but assuming this user would be administering the service anyway, that doesn't matter.
Next, the best way to make Tomcat and Apache get along is probably to run them on different subdomains. You could use the same domain, but that would mean you had to run one of the daemons on a nonstandard port, which looks strange and might run into firewall trouble for some users.