Hi,
I have a question about the ebase server deployment practices.
ebase server is an application server on Tomcat. When we deploy, should we install another separate web server in front of it?
If not, is there any security concern?
Does ebase server have any security features?
If a separate web server is recommended, what are the benefits?
What is the recommended deployment architecture?
Do you have any document for this?
Thanks,
Xiaoli
ebase server installation/ deployment practices
Moderators: Jon, Steve, Ian, Dave
-
- Ebase User
- Posts: 272
- Joined: Fri Dec 14, 2012 2:55 pm
- Location: Ottawa
-
- Moderator
- Posts: 1342
- Joined: Wed Sep 12, 2007 12:49 pm
Q: When we deploy, should we install another separate web server in front of it?
A: No, not just for deployment. You may well choose to use another web server for other reasons.
Q: If not, is there any security concern?
A: Yes, deployment security is very important, so is security of the server admin app. These are both services offered via HTTP and are open to the entire internet.
Q: Does ebase server have any security features?
A: Yes, you have a number of options - see the documentation on deployment security http://dev-docs.verj.io/ufs/doc/Deploym ... c416699665
Q: What is the recommended deployment architecture?
A: There is no official recommendation. Personally, I would recommend using all the security options available: IP whitelist, userid/password, deployment tokens.
Q: Do you have any document for this?
A: Standard documentation index > Deployment > Deployment Security
See also:
Standard documentation index > Server Administration Application > Server Administration Application Security
0 x
-
- Ebase User
- Posts: 272
- Joined: Fri Dec 14, 2012 2:55 pm
- Location: Ottawa
Hi Jon,
It seems that I did not make my question clear.
What I would like to know is about when we design the server architecture in a production environment that is open to the public network. (Our ebase server is already inside a firewall and behind a reverse web proxy.)
Do we need to put another layer of protection in front of the ebase Tomcat server, e.g. an Apache web server before the Tomcat server?
As far as I know we don't have a load balancing issue yet, and no URL re-write issue either.
My concern is whether I should put an Apache web server to protect the ebase Tomcat server from malicious attack or other security concerns.
I would like to know your suggestion and best practice, and how your other clients look at this issue.
Thanks,
Xiaoli
0 x
-
- Moderator
- Posts: 1342
- Joined: Wed Sep 12, 2007 12:49 pm
OK, now I understand your question, but I'm not sure I have the answer. This isn't a question (surprisingly) that is asked very often. You might be better just googling this as it's more a Tomcat question than an Ebase one.
I think it's probably true that Tomcat is vulnerable to a denial of service attack - where your server is flooded by requests. It has in the past had other security exposures - so have most similar packages - but these have been fixed in new releases. Generally if your Tomcat system is at or close to the latest level you're in quite good shape, and there are certainly many thousands of web sites around the world using Tomcat without an additional web listener.
But having said that, it could certainly be more secure, particularly with regard to denial of service attacks. If you think you need this extra protection, then you should consider using a separate web listener. I'm not an expert on what might be the best solution, maybe apache, we have also been using haproxy a little recently and I know this is used by quite a few very large web sites.
0 x
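Added example, not part of the original thread and not Ebase or Tomcat project configuration: a sketch of HAProxy used as the separate web listener discussed above, showing the flood-related controls such a layer can apply before requests reach Tomcat. The addresses, ports, certificate path and every limit are assumed values to be tuned per site.

```haproxy
# Added example: HAProxy in front of a Tomcat-based application server.
# All addresses, ports, paths and thresholds below are assumptions.
global
    maxconn 2000                      # hard cap on concurrent connections at the proxy

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  60s
    timeout http-request 5s           # drop clients that send request headers too slowly
    timeout http-keep-alive 5s        # do not hold idle keep-alive connections open
    timeout queue 10s                 # fail fast when the backend queue is full

frontend public_in
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # assumed certificate path

    # Per-source-IP counters: concurrent connections and request rate over 10s
    stick-table type ip size 100k expire 10m store conn_cur,http_req_rate(10s)
    tcp-request connection track-sc0 src

    # Refuse sources holding too many connections at once
    tcp-request connection reject if { sc_conn_cur(0) gt 20 }
    # Answer 429 to sources exceeding 100 requests in 10 seconds
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    default_backend tomcat

backend tomcat
    # Tomcat's HTTP connector is assumed to listen on loopback only,
    # so it cannot be reached except through this proxy.
    # maxconn queues excess requests in HAProxy instead of exhausting Tomcat threads.
    server tomcat1 127.0.0.1:8080 maxconn 150 check
```

Where a reverse proxy already sits in front of Tomcat, as in the poster's setup, the same kinds of limits can be checked on that existing layer instead of adding another one.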