Patrick.Raspante | 3 Mar 14:25 2011

mod_security + tomcat

I currently have a Tomcat server hosting a web app with no apache proxy in front of it. The Tomcat server is also terminating Client Authenticated SSL connections to the web application. I want to do some layer 7 data filtering for my web application using mod_security, or a similar product. In order to use mod_security, will I have to re-architect my whole system? For example, will I have to stand up a new instance of apache, install mod_security, reconfigure my web app so that the ssl connections terminate at apache, and then use mod_jk to connect to tomcat? Or is there a simpler solution? Any advice here would be great.

Thanks,

pwr

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
ModSecurity Services from Trustave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
Christian Bockermann | 3 Mar 15:28 2011

Re: mod_security + tomcat


Hi Patrick,

yes, in order to protect your Tomcat with ModSecurity you'd need to set up
Apache+ModSecurity in front of it.
I have had this setup up and running for several years and it works just fine.

However, instead of mod_jk, I use mod_proxy with the AJP part and set up a
"secure" AJP/1.3 connector within the Tomcat server. Marking this as "secure"
(secure="true") will make the Tomcat/web app aware that this connection fulfils
the transport-confidentiality guarantees.

So the SSL terminates at the Apache, the Apache does reverse-proxying using the
binary AJP protocol, and the tomcat receives connections from that Apache, marking
them as "secure".

You can even do this in parallel, i.e. for testing - set up Apache, add the
AJP/1.3 connector to your tomcat (see example server.xml in tomcat distributions)
and add

     ProxyPass /  ajp://private-ip-of-your-tomcat:8009/
     ProxyPassReverse /  ajp://private-ip-of-your-tomcat:8009/

to your Apache, given that mod_proxy_ajp is enabled.

Then try to access your apache. You can still have your other tomcat connector
(https-connector) running in parallel.

Best regards,

    Chris

On 03.03.2011 at 14:25, Patrick.Raspante <at> gdc4s.com wrote:

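To make the layout Chris describes concrete, here is an added example configuration. It is not from the thread and not any poster's own config; the hostname, certificate paths, the 10.0.0.5 address and the rule-set include path are placeholders. It shows the three pieces in one Apache virtual host: client-authenticated SSL terminating at Apache (with the client certificate exported so mod_proxy_ajp forwards it to Tomcat as an AJP request attribute), ModSecurity inspecting the decrypted request, and mod_proxy_ajp handing the request to Tomcat's AJP connector on a private address.

```apache
# Added example, not from the thread. Apache 2.2-style vhost that terminates
# client-authenticated SSL, runs ModSecurity 2.x, and reverse-proxies to Tomcat
# over AJP/1.3. app.example.com, the /etc/apache2/ssl/* paths, conf/crs/*.conf
# and 10.0.0.5 are placeholders (assumptions) to be replaced with your own.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
LoadModule unique_id_module  modules/mod_unique_id.so   # ModSecurity 2.x requires it
LoadModule security2_module  modules/mod_security2.so

Listen 443
<VirtualHost *:443>
    ServerName app.example.com

    # 1. TLS, including client certificate verification, now ends here instead
    #    of on Tomcat's HTTPS connector.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/app.example.com.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Export the client certificate into the request environment; mod_proxy_ajp
    # sends SSL_CLIENT_CERT (and SSL_CIPHER, SSL_SESSION_ID, SSL_CIPHER_USEKEYSIZE)
    # to Tomcat as AJP attributes, so the web app still sees
    # javax.servlet.request.X509Certificate after the move.
    SSLOptions +StdEnvVars +ExportCertData

    # 2. ModSecurity inspects the decrypted request before it is proxied.
    <IfModule security2_module>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecAuditEngine RelevantOnly
        SecAuditLog logs/modsec_audit.log
        # Optional: a rule set such as the OWASP Core Rule Set. Path is an assumption.
        # Include conf/crs/*.conf
        # A small custom rule as an illustration of "layer 7 data filtering":
        # the "id" parameter must be a short decimal number or the request is denied.
        SecRule ARGS:id "!^[0-9]{1,10}$" \
            "id:100001,phase:2,deny,status:403,log,msg:'id parameter must be numeric'"
    </IfModule>

    # 3. Reverse-proxy to Tomcat's AJP connector on its private address.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / ajp://10.0.0.5:8009/
    ProxyPassReverse / ajp://10.0.0.5:8009/
</VirtualHost>
```

The matching Tomcat side is a single connector in server.xml, for example `<Connector port="8009" protocol="AJP/1.3" address="10.0.0.5" secure="true" scheme="https" proxyPort="443" />` (again with 10.0.0.5 as a placeholder). `secure="true"` and `scheme="https"` make `request.isSecure()` return true and let the app build https URLs even though the bytes arriving on 8009 are cleartext AJP. Two checks matter once this is live: bind the AJP connector to a private interface and firewall 8009 so that only the Apache host can reach it, because AJP carries no authentication of its own and trusts whatever the proxy forwards, and shut down or firewall Tomcat's old HTTPS connector after testing, otherwise clients can still reach the application directly and bypass ModSecurity entirely.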

Abdellah Tantan | 3 Mar 23:53 2011

Re: mod_security + tomcat

Hello,

I have the same setup that you just described; it has been working well for me, for years.

Unfortunately, I don’t know of any other way (Open Source) to do this. I am almost certain that you must have apache2 to use mod_security.

The downside I see to this setup is that you will need a good machine with enough processing and memory resources if you don't already have one.

Let me know if you need any help.

Thanks

Abdellah

Ryan Barnett | 4 Mar 00:01 2011

Re: mod_security + tomcat

For ModSecurity v2 you do need to run Apache 2. If you have to run Apache v1 then you could still use the older
ModSecurity v1 branch. This may work for you depending on your requirements.

On Mar 3, 2011, at 5:55 PM, "Abdellah Tantan" <adtantan <at> paydq.com<mailto:adtantan <at> paydq.com>> wrote:
