ebase server installation/ deployment practices


xren
Ebase User
Posts: 272
Joined: Fri Dec 14, 2012 2:55 pm
Location: Ottawa

ebase server installation/ deployment practices

#1

Postby xren » Tue Feb 09, 2016 5:48 pm

Hi,

I have a question about the ebase server deployment practices.

ebase server is an application server on Tomcat. When we deploy, should we install another separate web server in front of it?
If not, is there any security concern?
Does ebase server have any security features?
If a separate web server is recommended, what are the benefits?

What is the recommended deployment architecture?

Do you have any document for this?

Thanks,
Xiaoli

Jon
Moderator
Posts: 1342
Joined: Wed Sep 12, 2007 12:49 pm

#2

Postby Jon » Tue Feb 09, 2016 6:06 pm

when we deploy, should we install another separate web server in front of it?
A: No, not just for deployment. You may well choose to use another web server for other reasons.
If not, is there any security concern?
A: Yes, deployment security is very important, so is security of the server admin app. These are both services offered via HTTP and are open to the entire internet.
Does ebase server have any security features?
A: Yes, you have a number of options - see the documentation on deployment security http://dev-docs.verj.io/ufs/doc/Deploym ... c416699665
What is the recommended deployment architecture?
A: There is no official recommendation. Personally, I would recommend using all the security options available: IP whitelist, userid/password, deployment tokens.
Do you have any document for this?
A: Standard documentation index > Deployment > Deployment Security
See also:
Standard documentation index > Server Administration Application > Server Administration Application Security

#3

Postby xren » Wed Feb 10, 2016 3:31 pm

Hi Jon,

It seems that I did not make my question clear.
What I would like to know is about when we design the server architecture in a production environment that is open to the public network (our ebase server is already inside a firewall and behind a reverse web proxy).

Do we need to put another layer of protection in front of the ebase Tomcat server, e.g. an Apache web server before the Tomcat server?
As far as I know we don't have a load balancing issue yet, and no URL re-write issue either.
My concern is whether I should put an Apache web server in front to protect the ebase Tomcat server from malicious attacks or other security concerns.

I would like to know what your suggestion and best practice are, and how your other clients look at this issue.

Thanks,
Xiaoli

#4

Postby Jon » Wed Feb 10, 2016 4:41 pm

OK, now I understand your question, but I'm not sure I have the answer. This isn't a question (surprisingly) that is asked very often. You might be better just googling this as it's more a Tomcat question than an Ebase one.

I think it's probably true that Tomcat is vulnerable to a denial of service attack - where your server is flooded by requests. It has in the past had other security exposures - so have most similar packages - but these have been fixed in new releases. Generally if your Tomcat system is at or close to the latest level you're in quite good shape, and there are certainly many thousands of web sites around the world using Tomcat without an additional web listener.

But having said that, it could certainly be more secure, particularly with regard to denial of service attacks. If you think you need this extra protection, then you should consider using a separate web listener. I'm not an expert on what might be the best solution, maybe Apache; we have also been using HAProxy a little recently, and I know this is used by quite a few very large web sites.
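The "separate web listener" option raised in post #4, shown as an added example that is not from this thread or from Ebase: an HAProxy configuration placed in front of Tomcat that bounds slow requests and limits per-client request rates. The names, addresses, certificate path and thresholds are assumptions to be tuned for the site, and a recent HAProxy release is assumed.

```haproxy
# Added example: HAProxy in front of a Tomcat instance (values are assumptions).
global
    maxconn 4000                      # hard ceiling on concurrent connections

defaults
    mode http
    option forwardfor                 # pass the client address in X-Forwarded-For
    timeout connect         5s
    timeout client          30s
    timeout server          60s
    timeout http-request    10s       # drop clients that trickle request headers
    timeout http-keep-alive 5s
    timeout queue           5s        # fail fast instead of queueing indefinitely

frontend fe_ebase
    # Certificate path is a placeholder
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Per-source counters: request rate over 10 seconds and open connections
    stick-table type ip size 100k expire 10m store http_req_rate(10s),conn_cur
    http-request track-sc0 src

    # Reject sources that exceed the assumed thresholds
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    http-request deny deny_status 429 if { sc_conn_cur(0) gt 20 }

    default_backend be_tomcat

backend be_tomcat
    # Tomcat's HTTP connector is assumed to listen on loopback only, so that
    # the proxy is the sole path to it. maxconn keeps the number of in-flight
    # requests below what Tomcat's thread pool can serve.
    server tomcat1 127.0.0.1:8080 maxconn 200 check
```

With a proxy in front, Tomcat sees every request as coming from the proxy's address, so any address-based restriction on the application side needs the forwarded client address restored (Tomcat's RemoteIpValve does this) or needs to be enforced at the proxy instead.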


#5

Postby xren » Thu Feb 11, 2016 3:15 pm

What is the ebase site's setup? Do you have a reverse proxy or a web server installed before your ebase application server?

What application server do you use? Tomcat or WebLogic or JBoss?

Thanks,
Xiaoli

#6

Postby Jon » Fri Feb 12, 2016 9:35 am

We use Tomcat alone for the Ebase website i.e. no separate web listener such as IIS or Apache. By the way, there are many more app servers that could be used other than tomcat or weblogic or jboss.