Subject: Re: security headers
To: users@tomcat.apache.org
From: André Warnier (tomcat)
Message-ID: <59FB1F32.3090609@ice-sa.com>
Date: Thu, 2 Nov 2017 14:35:46 +0100
In-Reply-To: <002c01d353d9$e8978890$b9c699b0$@philasd.org>

You seem to be responding on the wrong thread, but here are some answers anyway (will save Christopher some typing)

On 02.11.2017 13:55, Cheltenham, Chris wrote:
> Mr. Schultz,
>
> I really appreciate your detailed answers.
> Helps me out a lot.
>
> I am now thinking big picture because my application does not require APR..
>
> May I ask this, what exactly does APR give me for apache-tomcat?

APR stands for "Apache Portable Run-time". Here is one explanation :
It is a software library, containing a series of functions which are often used by Apache Foundation programs of all kinds (not only tomcat), particularly in what regards network interfaces and protocols.
The people who make this APR make sure that it is available for many platforms (Windows, Linux etc.), and that it is really optimised for each of these different platforms.
To access the network, tomcat can do it in 2 different ways :
1) by using standard Java functions, which always work, but are not particularly optimised for any platform
or
2) if APR is available, then tomcat can use instead some calls which exist in the APR library, and which may be more optimised for the current platform on which it is running.

When tomcat starts, it will check if APR is available. If yes, tomcat will use it, because it is probably a bit faster than the Java alternative. If APR is not available, tomcat will use the standard Java functions, which are maybe a bit slower. And just to let you know, it will print a friendly message to the log, to let you know that maybe this is not the most optimal solution in terms of ultimate tomcat performance. But this is just an informational message, and you can decide to ignore it and run tomcat anyway without APR (which many people do, and most of the time they will not notice the difference).

There is a secondary effect which needs to be considered when using SSL (HTTPS) :
When tomcat finds and uses APR, it uses APR functions to access SSL sockets. And these APR functions rely on the underlying presence of SSL libraries provided by another package, named OpenSSL. These OpenSSL libraries require a particular format for the SSL keys and key stores.
When tomcat does not find APR, it will use the builtin Java functions for SSL. And these builtin functions require another format for the SSL keys and key stores.
So the parameters used in the elements are a bit different in each case. This is well explained in the tomcat on-line documentation.

>
> I am thinking to scrap the whole APR install.
>
> The reason I am trying to install it is because of my anal need to have
> clean logs.

I won't even try to interpret this..

> I can't stand any messages suggesting or recommending that I do this or
> that.
They are just friendly messages, like the Amazon "other readers who have purchased this book, have also liked this : ... "

> I have always tried to accommodate those recommendations.

Ah, ok. I thought you could not stand them ?

> However, in this case it may be the best to ignore the catalane log message
> saying that I should install APR.
>

catalane ? that's been quite a bit in the news lately. But we're quite apolitical here, and so is tomcat usually.

>
> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Wednesday, November 1, 2017 4:04 PM
> To: users@tomcat.apache.org
> Subject: Re: security headers
>
> Alejandro,
>
> On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:
>> Hello,
>>
>> I recently used on web.xml
>>
>> <filter>
>>   <filter-name>httpHeaderSecurity</filter-name>
>>   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>>   <async-supported>true</async-supported>
>> </filter>
>> <filter-mapping>
>>   <filter-name>httpHeaderSecurity</filter-name>
>>   <url-pattern>/*</url-pattern>
>> </filter-mapping>
>>
>> to enable some security headers, but it won't enable Content Security
>> Policy header. Is there anyway to enable Content Security Policy at
>> top server level???
>
> What were you expecting that Filter to generate for you? A header which
> disables everything? Not terribly useful.
>
> My recommendation would be to use something like url-rewrite[1] to add
> headers to every outgoing response. url-rewrite has very similar
> capabilities to httpd's mod_headers (and much more, of course).
>
> -chris
>
> [1] http://tuckey.org/urlrewrite/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
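For the Content-Security-Policy question quoted in this thread: a minimal servlet Filter that adds the header to every outgoing response, as an added example that is not code from the thread, from url-rewrite or from Tomcat. It assumes the javax.servlet API of Tomcat 8.5/9 and a hypothetical init-param named `policy`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Adds a Content-Security-Policy header to every response that passes through
// the filter. Map it to /* (like the httpHeaderSecurity filter above) in the
// webapp's web.xml, or in conf/web.xml to cover every webapp on the server.
public class CspHeaderFilter implements Filter {

    static final String HEADER = "Content-Security-Policy";

    // Restrictive fallback used when no "policy" init-param is configured
    // (the init-param name is an assumption of this example).
    static final String DEFAULT_POLICY = "default-src 'self'; frame-ancestors 'none'";

    private String policy = DEFAULT_POLICY;

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("policy");
        if (configured != null && !configured.trim().isEmpty()) {
            policy = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set the header before invoking the chain: once a downstream servlet
            // commits the response, headers can no longer be added.
            if (!http.containsHeader(HEADER)) {
                http.setHeader(HEADER, policy);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Register it with a filter and filter-mapping block of the same shape as the httpHeaderSecurity one above, adding an init-param named `policy` if the default is too strict for the application.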