tomee-users mailing list archives

From Fernando Lozano <ferna...@lozano.eti.br>
Subject Re: Can webapps/tomee directory be deleted for a production environment?
Date Mon, 17 Sep 2012 13:25:04 GMT
Alex,


You could use the Tomcat RemoteAddrValve to restrict this app to only 
the localhost.

I personally like to have some apps (like the manager interface and the 
jmx-proxy) available only to sysadmins, using either the above valve or 
OS firewall rules (such as Linux iptables).

Of course I'd also change those apps' config to use SSL (sometimes 
enforcing client certificates) and user authentication (preferably from 
an LDAP directory such as OpenLDAP). Defense in depth is always nice to 
have, and with this I can provide remote support (preferably through 
OpenVPN or an SSH tunnel) with a certain level of confidence that my app 
servers are not open to hackers.


[]s, Fernando Lozano

> Hello,
>
> Can the webapps/tomee directory be deleted for deploying a web app to
> production TomEE/TomEE+ server and exposed to Internet?
> Indeed, when delivering our app with Tomcat, we delete all default web apps
> as part of a list of Tomcat hardening task list.
>
> Is there any TomEE/TomEE+ vital content in webapps/tomee directory ?
>
> If the answer is yes, then it means that we cannot just remove
> webapps/tomee, so then is there a way to make this web app inaccessible to
> all network adapters in order to prevent its use by attackers?
>
> Alex.
>

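As an added illustration of the RemoteAddrValve approach Fernando describes (example configuration written for this page, not taken from the original message or from TomEE's shipped files), here is a per-context configuration for the tomee web application. It assumes the app is deployed at context path /tomee, so on a stock Tomcat/TomEE layout the file would be conf/Catalina/localhost/tomee.xml; the Valve class name and the allow attribute are Tomcat's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/Catalina/localhost/tomee.xml: allow only loopback clients to reach /tomee.
     Added example, not part of the original thread or of TomEE's default config. -->
<Context>
  <!-- RemoteAddrValve matches the client IP, as a string, against the regular
       expression in "allow"; a client that does not match is refused with 403.
       Both the IPv4 loopback block and the two IPv6 loopback spellings are listed
       because the connector may report either form. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

Two caveats a practitioner will want to check. First, the valve only sees the address of the TCP peer: if TomEE sits behind a reverse proxy, every request appears to come from the proxy and the rule either blocks everything or, if the proxy is on the same host, lets everything through; in that case put Tomcat's RemoteIpValve in front of it so the original client address is taken from X-Forwarded-For (only from proxies you trust), or enforce the restriction at the OS firewall as Fernando also suggests. Second, this protects one context only; binding the HTTP Connector in conf/server.xml to 127.0.0.1 with its address attribute restricts the whole server, which is the stronger choice when the admin apps are the only thing that should be reachable locally.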
