tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GOMEZ Henri <hgo...@slib.fr>
Subject RE: Tomcat 3.2.2 beta 4 (problem with shutdown code)
Date Fri, 04 May 2001 20:57:20 GMT
>> >Problem: shutdown script always connects to "localhost" to 
>> >send shutdown command.
>> >It is a problem on a "multihomed" machine running multiple 
>> >tomcats where
>> >tomcats use same port numbers but bound to different IP 
>> >adresses using inet=""
>> >configuration option in server.xml.
>> 
>> Hey do you really want someone outside you machine send a shutdown
>> command to your tomcats ? 
>I think it is very common configuration where Ajp connector is 
>bound to something other than "127.0.0.1".
>Here are couple of examples: It is possible and some times 
>desired to have
>Apache web server load balance tomcat servers that run on 
>physically different
>machines; It is possible and some times useful to run mutiple Tomcat
>instances on the same box that has multiple IP's (this may be good for
>testing/developement).

I agree you could run multiples tomcat on the same box, and
in that case each JVM will listen AJP12 to handle shutdown
on a differents port.

>> Warning, Warning here. The "localhost" is used here for security
>I strongly disagree with this:) If you configure your Ajp 
>connector to listen
>to a particular interface someone _CAN_ send you shutdown 
>command regardless
>of your shutdown code abilities.

Let's be prudent here. The standard configuration must avoid 
security hole. Many users will have tomcat in front and we
must avoid someone outside shutdown their TC boxes. 

>If you want security - you need to think about your network 
>configuration,
>not the shutdown code. This is what sys admins are for:)

Actually TC with it's localhost shutdown scheme is secure
and why did you want to open the door to bad boys ?:)

>A good example would be a machine that has multiple interfaces with
>non-routable addresses (a developement machine) Or load 
>balanced machines behind the firewall.

>I don't mean to enumerate all the possibilities here - this is 
>just a few
>examples.
>
>> reasons. I didn't understand why your multihomed machine couldn't
>> listen on localhost ?
>> 
>> Thanks to give us more informations, for example did you use 
>multiples
>> JVMs ?
>
>Our configuration:
>We have a developement machine with multiple interfaces 
>running multiple
>instances of Tomcat. It is behind the firewall. These 
>different interfaces
>have different internal DNS names and you can't hit them from outside:)
>
>There are 2 ways to set up Tomcat here:
>	1) All Ajp connectors bound to the same 127.0.0.1 but 
>on different ports.
>	2) Ports are the same but Ajp connectors are bound to 
>different IP's

I'm ok for the solution 1 and -1 for the solution 2.

>We prefer second case. Why? - It's a matter of taste&style.
>The problem is that in this case shutdown code misbehaves as 
>you may guess:)
>Solution to this is very simple and I had it attached to 
>previous E-Mail.

Don't forget that in web-server -> tomcat farm, web-servers
will be in the 'sensible zone' and if they are compromized 
the attacker could just send the AJP12 command to shutdown
all your Tomcat


Next is a standard schema to protect Tomcat behind firewall and web server !

 INTERNET ---> FIREWALL EXT -------> WEB SERVER  --------------> FIREWALL
INT ---------------> TOMCAT FARMS
                                                   AJP12+AJP13
AJP13 ONLY 
 
NO AJP12 HERE

In that case you're secure, nobody could send AJP12 shutdown from outside :)



Mime
View raw message