Alan Chandler wrote:
I am trying to add tomcat4 into my existing apache2 system so that I can
experiment with java (in the form of servlets and jsp).
Although in reality I only have a single computer, for learning purposes I
want to simulate the situation where I have potentially split web and
application servers.
So this server has two ethernet cards - one facing the outside world with an
address assigned by my isp using dhcp. www.chandlerfamily.org.uk points at
this address.
On the other side, my lan side, I have allocated myself a range of ip
addresses using eth1 (192.168.0.20) eth1:0 (192.168.0.30) eth1:1
(192.168.0.31) as the devices (and their ip addresses) created via iface
stanzas in /etc/networking/interfaces.
Bind is used to provide different names to the different lan-based ip
addresses.
An iptables firewall protects the addresses and does NAT.
Using Apache2, I then use ip based virtual hosts, so the external address has
one web site for http and two of the internal addresses support two other
http web sites. https is allocated a further host on the external address to
replicate one of the internal sites and provide secure access to webmail.
I would like to set up tomcat so that it acts as though it were running on the
single ip address 192.168.0.31 (although appropriate requests to my external
web site are routed through to it via apache).
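The split Alan describes, Tomcat bound only to 192.168.0.31 and reachable from the public site solely through Apache, as an added example configuration that is not part of the original thread. It assumes a mod_proxy/mod_proxy_http setup rather than the mod_jk connector more usual with Tomcat 4; the file path, the `app.lan.example` name, the `/servlets/` path and the placeholder external address 203.0.113.10 are all assumptions.

```apache
# /etc/apache2/sites-available/tomcat-split  (assumed path; needs
# "a2enmod proxy proxy_http" on Debian's apache2)
#
# Tomcat itself listens on the LAN alias only. In Tomcat 4's conf/server.xml
# that is the HTTP Connector's address="192.168.0.31" port="8080"
# (assumption: Coyote HTTP/1.1 connector). Nothing arriving on the
# ISP-facing card can reach port 8080 directly; every request goes via Apache.

# Internal "application server" site: the whole vhost is Tomcat.
<VirtualHost 192.168.0.31:80>
    ServerName app.lan.example
    # Reverse proxy only; never let this host act as an open forward proxy.
    ProxyRequests Off
    ProxyPass        / http://192.168.0.31:8080/
    ProxyPassReverse / http://192.168.0.31:8080/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>

# External site: static content stays with Apache. Only the servlet path is
# handed through to Tomcat, so the public host does not expose the manager,
# examples or other applications Tomcat 4 serves by default.
# 203.0.113.10 is a placeholder for the DHCP-assigned external address.
<VirtualHost 203.0.113.10:80>
    ServerName www.chandlerfamily.org.uk
    DocumentRoot /var/www/external
    ProxyRequests Off
    ProxyPass        /servlets/ http://192.168.0.31:8080/servlets/
    ProxyPassReverse /servlets/ http://192.168.0.31:8080/servlets/
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
```

Check the binding with `netstat -ltn` after restarting Tomcat: 8080 should appear only on 192.168.0.31, never on 0.0.0.0 or the external address.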
Alan,
I am not an expert on network security, but, IIRC, putting a web server
on the same physical box as a firewall is an incredibly _bad_ idea, at
least from a security point of view. Why? Well, if your web server is
compromised (via the box's "external address," as you term it), and if
the attacker then gains root access to the box on which the web server
runs (which he can do with a root kit), he can then either (a) attack
machines that lie _behind_ the firewall (the ones with IP addresses
beginning with "192.168") or (b) install a packet sniffer to gather
passwords and other sensitive information. Furthermore, here, you are
proposing to run not one, but _two_, web servers (Apache and Tomcat) on
your firewall box, increasing the chances of compromise (simply because
twice the servers means twice the security vulnerabilities in the server
software).
If I were you, I would have a security expert give a quick opinion on
the soundness of your proposed configuration.
Sincerely,
Paul Bain