tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Clustering considerations - single server, multiple Tomcat instances - in the cloud
Date Tue, 18 Apr 2017 08:56:25 GMT
On 17/04/17 22:59, Mitch Claborn wrote:
> I'm trying to think through the security implications of this
> configuration: a single cloud server (Digital Ocean) with 2 Tomcat 8.5
> instances in a cluster, for session replication.
> 
> I can bind the Receiver element to 127.0.0.1, which I think should
> protect the actual session data from prying eyes. Is that accurate?
> 
> The multicast-based Membership element seems to be more of a risk. I
> really like the convenience of the mutlicast setup, but is that a
> security risk? Should I go with static membership instead?

It depends how isolated the network used by your cloud provider is. With
just two instances I'd probably go with static membership.

> I found this discussion of static membership,but it is a bit old.  Does
> anyone know of a more recent doc?
> https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2009794
> 
> 
> Are there other security considerations that I'm not thinking of?

Not really. By far the most important consideration is the underlying
assumption that Tomcat makes that the network used for clustering is
secure/trusted.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message