Cookbook: Secure Failover for Tomcat Application Server. Use Apache, mod_proxy, mod_security, mod_ssl to offer secure application delivery




Vijay Sarvepalli [vijay.sarvepalli@ericavijay.net]

Introduction

There are a number of applications today written to be delivered over the web. These applications are written in .NET, Java and PHP in the backend. The challenge has been securing these applications from popular attacks such as Cross-Site Scripting, SQL Injection and Session Hijacking. The first level of mitigation for these attacks is a secure architecture for delivering such services. Here I have chosen Tomcat and Apache, the most popular application and web server platforms, to illustrate how security and high availability can be combined for an application. This design document covers how to build a web application tier that is both secure and scalable. The example here shows building:

1. An SSL offloader using Apache
2. A secure reverse proxy using mod_security
3. A load balancer using mod_proxy_balancer and an AJP-based balancer manager

High Availability design for web servers (network-level failover between web servers is not covered here)

Technology: Apache + mod_security + balancer with an Active/Active setup using rules in the load balancer.

[Diagram: milky1 and milky2, each running Apache configured as a reverse proxy with the mod_security module and the balancer modules, in front of the Tomcat servers andromeda1 and andromeda2 (primary andromeda2).]

1. Configure mod_security and the virtual host on the milky1 server. (Package-add apache2, gcc and libgcc, then build mod_security from source: www.modsecurity.org)

    # httpd.conf
    LoadModule security2_module modules/mod_security2.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    # Include the mod_security configuration (all of the modules above are required)
    Include conf/modsec_rules/*.conf

    # Virtual host configuration on milky1
    <VirtualHost *:443>
        # Turn on the SSL engine
        SSLEngine on
        # Primary server name for https://securefailover.example.com/myapp
        ServerName securefailover.example.com
        # These are just references so you can troubleshoot with other hostnames
        ServerAlias milky1.example.com
        ServerAlias milky2.example.com
        # Enforce SSL with minimum SSLv3 or TLSv1
        # (SSLv3 has since been shown to be insecure; a current deployment should allow TLS only)
        SSLProtocol -All +SSLv3 +TLSv1
        # Do not accept ciphers that are not encrypted
        SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
        # Server certificate related files
        SSLCertificateFile certs/server_public.crt
        # Protect access to this file
        SSLCertificateKeyFile certs/server_private.key
        SSLCACertificateFile certs/trustedroot_full.crt
        # ProxyPass forwards every request for /myapp to a virtual worker named mycluster.
        # Sticky sessions are enabled on the JSESSIONID cookie; the second, lower-case name
        # matches the ;jsessionid= path parameter Tomcat uses when cookies are disabled.
        ProxyPass /myapp balancer://mycluster stickysession=JSESSIONID|jsessionid
        <Proxy balancer://mycluster>
            # Make both servers participants of this load balancing using the Apache JServ
            # Protocol (AJP); a route name (which must match the Tomcat jvmRoute) and a
            # loadfactor are given to each member of the balancer
            BalancerMember ajp://andromeda1:8009/myapp route=andromeda1 loadfactor=1
            BalancerMember ajp://andromeda2:8009/myapp route=andromeda2 loadfactor=1
        </Proxy>
        # /balancer-manager is the self-healing part of Apache which allows you to
        # check and retire members that are removed or not active. Because it can also
        # change the balancer, restrict it to the administrators' addresses.
        <Location /balancer-manager>
            SetHandler balancer-manager
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1   # replace with the admin network
        </Location>
        ### End Balancer
    </VirtualHost>

2. Configure mod_security and the virtual host on the milky2 server. (Package-add apache2, gcc and libgcc, then build mod_security from source: www.modsecurity.org)

    # httpd.conf
    LoadModule security2_module modules/mod_security2.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    # Include the mod_security configuration (all of the modules above are required)
    Include conf/modsec_rules/*.conf

    # Virtual host configuration on milky2
    <VirtualHost *:443>
        # Turn on the SSL engine
        SSLEngine on
        # Primary server name for https://securefailover.example.com/myapp
        ServerName securefailover.example.com
        # These are just references so you can troubleshoot with other hostnames
        ServerAlias milky2.example.com
        ServerAlias milky1.example.com
        # Enforce SSL with minimum SSLv3 or TLSv1
        # (SSLv3 has since been shown to be insecure; a current deployment should allow TLS only)
        SSLProtocol -All +SSLv3 +TLSv1
        # Do not accept ciphers that are not encrypted
        SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
        # Server certificate related files
        SSLCertificateFile certs/server_public.crt
        # Protect access to this file
        SSLCertificateKeyFile certs/server_private.key
        SSLCACertificateFile certs/trustedroot_full.crt
        # ProxyPass forwards every request for /myapp to a virtual worker named mycluster.
        # Sticky sessions are enabled on the JSESSIONID cookie; the second, lower-case name
        # matches the ;jsessionid= path parameter Tomcat uses when cookies are disabled.
        ProxyPass /myapp balancer://mycluster stickysession=JSESSIONID|jsessionid
        <Proxy balancer://mycluster>
            # Make both servers participants of this load balancing using the Apache JServ
            # Protocol (AJP); a route name and a loadfactor are given to each member of the
            # balancer. Note: the order is reversed from milky1. Each route must still equal
            # the jvmRoute of the Tomcat host the member points at.
            BalancerMember ajp://andromeda2:8009/myapp route=andromeda2 loadfactor=1
            BalancerMember ajp://andromeda1:8009/myapp route=andromeda1 loadfactor=1
        </Proxy>
        # /balancer-manager is the self-healing part of Apache which allows you to
        # check and retire members that are removed or not active. Because it can also
        # change the balancer, restrict it to the administrators' addresses.
        <Location /balancer-manager>
            SetHandler balancer-manager
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1   # replace with the admin network
        </Location>
        ### End Balancer
    </VirtualHost>
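To make the sticky-session and failover behaviour configured on milky1 and milky2 concrete, here is an added Python model of the member selection mod_proxy_balancer performs; it is written for this note, not Apache's own code, and Member, MEMBERS, sticky_route, choose_member and check_routes are names chosen here. check_routes is the consistency check worth running whenever a BalancerMember or a Tomcat jvmRoute changes.

```python
import re
from dataclasses import dataclass

@dataclass
class Member:
    url: str          # BalancerMember URL, e.g. ajp://andromeda1:8009/myapp
    route: str        # must equal the jvmRoute of the Tomcat behind that URL
    up: bool = True   # False once balancer-manager (or a failed request) retires it

# Constructed to mirror the milky1 <Proxy balancer://mycluster> block above.
MEMBERS = [Member("ajp://andromeda1:8009/myapp", "andromeda1"),
           Member("ajp://andromeda2:8009/myapp", "andromeda2")]

def sticky_route(headers, path, cookie_name="JSESSIONID", path_param="jsessionid"):
    """Route suffix of the session id (<id>.<jvmRoute>), or None if absent. The cookie
    is checked first, then the ;jsessionid= path parameter; names are matched
    case-sensitively, which is why ProxyPass lists both spellings (cookie|path)."""
    m = re.search(r"(?:^|;\s*)" + re.escape(cookie_name) + r"=([^;]+)",
                  headers.get("Cookie", ""))
    if not m:
        m = re.search(r";" + re.escape(path_param) + r"=([^;?]+)", path)
    if not m or "." not in m.group(1):
        return None
    return m.group(1).split(".", 1)[1]

def choose_member(headers, path, members=MEMBERS, served=None):
    """Member for one request: the sticky target if it is up, otherwise (nofailover
    is Off by default) the least-used live member. A session that fails over is lost
    unless Tomcat session replication is set up, which the cookbook does not cover."""
    served = {} if served is None else served
    alive = [m for m in members if m.up]
    if not alive:
        raise RuntimeError("503: no usable BalancerMember in balancer://mycluster")
    route = sticky_route(headers, path)
    target = next((m for m in alive if m.route == route), None)
    target = target or min(alive, key=lambda m: served.get(m.route, 0))
    served[target.route] = served.get(target.route, 0) + 1
    return target

def check_routes(members, jvmroutes):
    """Cross-check every member's route against the jvmRoute of the host its URL
    names; a route naming the wrong host makes sessions bounce between nodes."""
    problems = []
    for m in members:
        host = re.match(r"ajp://([^:/]+)", m.url).group(1)
        if jvmroutes.get(host) != m.route:
            problems.append(f"{m.url}: route={m.route!r}, but {host} has "
                            f"jvmRoute={jvmroutes.get(host)!r}")
    return problems
```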

4. Configure jvmRoute on the andromeda1 server (Tomcat configuration). Define the Tomcat engine name in the Tomcat server.xml. The loadfactor can be a number between 1 and 100. The Tomcat server.xml in the conf/ folder should have this configuration:

    <Engine name="Catalina" defaultHost="localhost" jvmRoute="andromeda1">

5. Configure jvmRoute on the andromeda2 server. Define the Tomcat engine name in the Tomcat server.xml. The loadfactor can be a number between 1 and 100. The Tomcat server.xml in the conf/ folder should have this configuration:

    <Engine name="Catalina" defaultHost="localhost" jvmRoute="andromeda2">

6. Configure logging for the access log in Tomcat to catch the remote IP address that accesses your applications. The configuration in server.xml enables logging and extends it to log the additional X-Forwarded-For header submitted by Apache:

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%{X-Forwarded-For}i %l %u %t %r %s %b %{Referer}i %{User-Agent}i"
           resolveHosts="false"/>

Now point your browser to http://milky1.example.com/myapp; you should see the application. Then go to the Apache logs and the Tomcat logs to make sure the application logs help you track access to the web application.

Apache logs:

    127.0.0.1 - - [14/Jul/2009:12:36:07 -0400] "GET /myapp HTTP/1.1" 200 2324

Tomcat logs:

    10.203.11.94 - - [14/Jul/2009:12:36:07 -0400] GET /myapp HTTP/1.1 200 2324 http://localhost/demo/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

In this example, the Apache logs are saved only in Common format, whereas the Tomcat logs record extensive details. Other advanced topics such as cookie logging, enhanced monitoring of this solution using balancer-manager, and integration of this availability and security monitoring with the NOC and SOC are not covered in this article. Enjoy the Tomcat and Apache development platform with security and scalability.
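As an added example (not part of the cookbook), the following Python parses lines written in the exact Valve pattern from step 6 and decides which X-Forwarded-For address a defender can trust. SAMPLE_LOG, parse_line, client_ip and audit are constructed here; the trust rule assumes Apache is the only proxy in front of Tomcat and appends the peer address it saw to the header.

```python
import re

# Constructed lines in the step 6 pattern (X-Forwarded-For %l %u [%t] %r %s %b
# %{Referer}i %{User-Agent}i, none quoted): a normal request, one where the client
# sent its own X-Forwarded-For ahead of the proxy's entry, and one with no header.
SAMPLE_LOG = """\
10.203.11.94 - - [14/Jul/2009:12:36:07 -0400] GET /myapp HTTP/1.1 200 2324 http://localhost/demo/ Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.5
1.2.3.4, 10.203.11.94 - - [14/Jul/2009:12:36:09 -0400] GET /myapp/login HTTP/1.1 200 812 - curl/7.19.5
- - - [14/Jul/2009:12:36:12 -0400] GET /myapp/admin HTTP/1.1 403 0 - curl/7.19.5
"""

TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}[^\]]*)\]")

def parse_line(line):
    """Split one line into fields. The unquoted pattern is ambiguous on whitespace
    (X-Forwarded-For may contain ', ', the User-Agent always has spaces), so the
    [timestamp] is the anchor: the left part is split from the right, the right from the left."""
    m = TIMESTAMP.search(line)
    if not m:
        return None
    left = line[:m.start()].rstrip().rsplit(" ", 2)
    rest = line[m.end():].strip().split(" ", 6)
    if len(left) != 3 or len(rest) != 7:
        return None
    xff, _ident, user = left
    method, path, _proto, status, _size, referer, agent = rest
    return {"xff": xff, "user": user, "time": m.group(1), "method": method,
            "path": path, "status": int(status), "referer": referer, "agent": agent}

def client_ip(xff):
    """Address to trust. Assuming Apache appends the peer address it saw to whatever
    list the client sent, the rightmost entry is the proxy's and everything before it
    is client-controlled. '-' means the request reached Tomcat without passing Apache."""
    if xff in ("", "-"):
        return None
    return xff.rsplit(",", 1)[-1].strip()

def audit(text):
    """(client, method, path, status) per proxied request, plus records that bypassed
    the proxy and so skipped SSL and mod_security: alert on them and restrict the
    AJP/HTTP ports on andromeda1 and andromeda2 to milky1 and milky2."""
    proxied, bypassed = [], []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = client_ip(rec["xff"])
        if ip is None:
            bypassed.append(rec)
        else:
            proxied.append((ip, rec["method"], rec["path"], rec["status"]))
    return proxied, bypassed
```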