tomcat-users mailing list archives

From "Pid *" <...@pidster.com>
Subject Re: where to put static files?
Date Mon, 21 Nov 2011 19:01:23 GMT
On 21 Nov 2011, at 18:52, "André Warnier" <aw@ice-sa.com> wrote:

> Hi.
>
> What we are trying to say is this :
>
> The WEB-INF and META-INF sub-directories of a Tomcat webapp are supposed to contain files
> that should NOT be accessed by the users.  For example, in the WEB-INF and META-INF
> subdirectories, there are files (like WEB-INF/web.xml) which may contain private
> information (such as, e.g., passwords to access a database system).
> For that reason, Tomcat itself forbids access to the content of these directories.
> If you try to access Tomcat directly via a URL like
> "http://myhost.company.com/mywebapp/WEB-INF/somefile", you will get a "Forbidden"
> response. Always.
>
> But if on the same host, you run another webserver (Apache, nginx,..), and you allow this
> webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF directory, then
> you bypass the Tomcat security and make it useless.
> That means that a user, with a well-crafted URL, will be able to access and display the
> content of those files.  This is a big security hole.
> You can configure the front-end webserver to also forbid this, but it requires additional
> configuration, and you will forget to do it, or do it wrong.
> So don't do that.
>
> Tomcat will serve static resources just fine, usually as fast as Apache or nginx would.
>
> If you insist that you must serve this static content directly from the front-end
> webserver, and not ask Tomcat to do it, then place them somewhere under the DocumentRoot
> of the front-end webserver (which should /NOT/ be the same as the Tomcat webapps
> directory), and use the proxy instructions so that these requests are /not/ forwarded to
> Tomcat, but served locally.

+1. I would use stronger terms: never allow DocumentRoot and
tomcat/webapps to overlap.


p

> For example :
>
> ProxyPass /mywebapp/images !
> ProxyPass /mywebapp/css !
> ProxyPass /mywebapp ajp://tomcat:8009/mywebapp
>
> will proxy all requests for /mywebapp to Tomcat, *except* for the /images and /css
> subdirectories.
>
>
>
> Jan Vávra wrote:
>> Hello,
>> when I started my project others told me to use apache for static
>> content and tomcat for java/jsp.
>> It works quite well. Tomcat is hidden behind a reverse proxy (mod_ajp). So
>> Apache serves the static content, and Tomcat the dynamic.
>>
>> Jan.
>>
>>> I have a spring project (web app), in my project where should I be putting
>>> my static files like images/css/javascript?
>>>
>>> In my WEB-INF like:
>>>
>>> /WEB-INF/Assets {images/css/js}
>>>
>>>
>>> I know when I go in production I will have nginx map to this folder to
>>> serve the static files, but I just want to know where I can put them for
>>> development/testing.
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
>
>


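The two conditions discussed in this thread (the front-end DocumentRoot must not overlap Tomcat's webapps directory, and no WEB-INF or META-INF directory may be reachable through the front end) can be checked mechanically before a deployment goes live. The script below is an added example written for this archive page; it is not code from the thread or from the Tomcat project. It resolves symlinks and `..` before comparing paths, because the "bad" layouts in practice are usually a DocumentRoot symlinked or aliased onto webapps rather than typed in literally. The `build_sample_layout` function constructs a throwaway directory tree (a Tomcat tree with `webapps/mywebapp/WEB-INF/web.xml`, a separate `htdocs`, and a `www` symlink pointing straight at webapps) purely so the check has something to run against; those paths are invented for the demonstration.

```python
"""Check that a front-end web server's DocumentRoot does not overlap Tomcat's
webapps directory, and that no WEB-INF/META-INF directory sits below the
DocumentRoot (where the front end would serve web.xml like any other file
unless it is separately blocked)."""
import os
import tempfile

PROTECTED = {"WEB-INF", "META-INF"}


def paths_overlap(docroot, webapps):
    """True if one directory is the other or lies inside the other.
    Both paths are resolved (symlinks, '..') before comparison."""
    a = os.path.realpath(docroot)
    b = os.path.realpath(webapps)
    try:
        common = os.path.commonpath([a, b])
    except ValueError:  # different drives on Windows: cannot overlap
        return False
    return common in (a, b)


def exposed_protected_dirs(docroot):
    """Return WEB-INF/META-INF directories found below docroot, as paths
    relative to docroot, i.e. the URL prefixes the front end would serve."""
    root = os.path.realpath(docroot)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name in PROTECTED:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
                dirnames.remove(name)  # no need to descend into it
    return sorted(found)


def check(docroot, webapps):
    """Summarise both checks for one front-end / Tomcat pairing."""
    return {
        "overlap": paths_overlap(docroot, webapps),
        "exposed": exposed_protected_dirs(docroot),
    }


def build_sample_layout():
    """Constructed sample layout (hypothetical paths, not from the thread):
    tomcat/webapps/mywebapp/{WEB-INF,META-INF}, a separate htdocs tree,
    and a 'www' docroot that is a symlink straight onto webapps."""
    base = tempfile.mkdtemp(prefix="docroot-check-")
    webapps = os.path.join(base, "tomcat", "webapps")
    webinf = os.path.join(webapps, "mywebapp", "WEB-INF")
    os.makedirs(webinf)
    with open(os.path.join(webinf, "web.xml"), "w") as f:
        f.write("<web-app/>\n")  # stands in for the file that must stay private
    os.makedirs(os.path.join(webapps, "mywebapp", "META-INF"))
    good_docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(good_docroot, "mywebapp", "images"))
    bad_docroot = os.path.join(base, "www")
    os.symlink(webapps, bad_docroot)
    return webapps, good_docroot, bad_docroot


def demo():
    """Run the check against the good and the bad sample DocumentRoot."""
    webapps, good, bad = build_sample_layout()
    return {"good": check(good, webapps), "bad": check(bad, webapps)}


if __name__ == "__main__":
    for name, result in demo().items():
        status = "FAIL" if result["overlap"] or result["exposed"] else "ok"
        print(f"{name}: {status} {result}")
```

Run it against the real values of `DocumentRoot` and `$CATALINA_BASE/webapps` on the host; an `overlap` of `True` or a non-empty `exposed` list means the front end can hand out files Tomcat itself would refuse, regardless of how carefully the `ProxyPass` lines are written.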
