Apache Tomcat Puns

Hi everyone,

I'm still at the embryonnary stage of a project, but already started discussing the feasability with IT teams of the company i work at.

So they told me that they're OK with deploying my Django app and the SQL database (SQL SERVER). They already deployed a Dash project so they're familiar with this apparently.

I thought deploying my Django app would be as simple as just uploading my package into a server that runs Python. But the things they told made me quite confused.

So they told me that my app could be deployed on an APACHE TOMCAT 9 server. To deploy the app i should give them a .WAR package file.

Isn't there any simplier solution for deployment i could propose to them?

Hey all,

I work at a small company where I inherited some existing infrastructure. They currently host some php and Java web app on a few apache & tomcat servers. The servers have static IPs that map directly outside, and use different ports for the servers that host multiple sites/apps. SSL is also setup for most apps as well with certbot.

Recently we stood up some new docker apps along with an nginx reverse proxy that has been working great so I figured we might as well use nginx for the other servers, mainly for security but also to cut down on all the firewall rules.

Would it be as simple as pointing nginx to the internal servers and then updating dns? Or am I re-writing/translating the exist rules to nginx and moving the certbot over as well? Is one better than the other? Some of these servers will eventually be decommissioned (I hope) which is why I don’t want to spend too much time with this but just looking to have a discussion about the best path forward.

I spoke with the previous msp who built the system, they suggested I go the re-write path but I’ve seen documentation that says running both are fine.

Requirement: Leverage mTLS to protect REST calls from middleware to Tomcat.

Steps taken: Exchanged security certificates, configured server.xml with appropriate SSLHostConfig block.

Issue: Since this is a global setting, all traffic bound to that port requires mTLS. Both the end users (UI) and REST utilize the same secure port (different endpoints).

Question: I cannot rewrite the application (packaged software), but if I add a proxy server between Tomcat and the end users and that leverages mTLS with Tomcat… will that solve the problem of multiple end users not having mTLS with Tomcat? Is there a better way?

Many thanks in advance.

Hello,

I'm trying to set up a fail2ban rule for airsonic running on tomcat9 in debian. I've tried to follow the instructions in this post.

I have modified the user's line to make it correspond to my apache setup, so changing the line "logpath = /config/log/nginx/access.log" to "logpath = /var/log/apache2/access.log"

In Apache2's log I see my testing IP is showing up in errors like this:

IP.XXX.XXX.XXX - - [13/Jan/2021:21:23:46 +0100] "GET /airsonic/login?error=1 HTTP/1.1" 200 1620 "https://myserver.com/airsonic/login" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Mobile/15E148 Safari/604.1"

Could anyone advise how to arrange the original's post's airsonic-auth.conf to make it work with the login error I found in my apache log ? The solution offered was like this:

[Definition]

failregex = ^<HOST> \- \S+ \[\] \"GET \/login\?error.*$

datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?

^[^\[]*\[({DATE})

{^LN-BEG}

Thank you very much

I'm using Eclipse version 2020-12. When I add a new server and expand "Apache" in the list, I see only up to Apache 8.0

I have gone to the Marketplace and installed "Eclipse JST Server Adapters" but that only gave me up to Apache version 8. Am I missing something?

Any help would be appreciated, thanks!

Anyone get Apache Tomcat and Microsoft SQL Server encryption working?

Looking for any links and tips.

Thanks for the replies.

Upon startup of Tomcat I am getting the following message in catalina.out -

 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib]

My website comes up and functions fine so this is not any kind of critical issue that I know of.

I did some searching but could really not find out what it does and how to remedy it.

Any help as to why I get this and how to resolve it?

I am running Apache Tomcat/9.0.41

Here is a snippet of the connector part of my server.xml:

 <Connector port="80" protocol="HTTP/1.1"
               redirectPort="443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->

             <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="2000" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2"
               compression="off"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,application/xml,text/javascript,text/css"
               useSendfile="false"
               keystoreFile="/usr/local/tomcat/conf/my-keystore.jks"
               keystorePass="xxxxxxx" />

             <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="2000" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2"
               compression="off"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,application/xml,text/javascript,text/css"

There used to be a site that suggested secure starting points for apache/tomcat and I think even IIS configs. It was moved around to a few different providers and was unavailable for a while.

In particular it gave sample configs, particularly of ciphers

Anyone know a quick and easy way for detect any instances of Apache Tomcat on a corporate network? We often see Tomcat vulnerabilities published as CVEs. For example, we just got word of this one.

http://mail-archives.us.apache.org/mod_mbox/www-announce/202101.mbox/%3Cf3765f21-969d-7f21-e34a-efc106175373%40apache.org%3E

While we primarily run Windows Server and IIS for our web servers, we know there are instances of Tomcat in our servers that we didn't explicitly install but did get installed when we installed other third party software. For example, Visual SVN Server uses Tomcat as its web server according to the documentation. When we install visual svn on windows, it shows up as an installed application. But Tomcat doesn't appear as installed as a separate application on that same server. If I drill down into the svn folder, I do see a Tomcat folder and I can see processes running out of that Tomcat folder. So it's there but we had to look for it. I'm wondering if there is an easy to scan all servers and clients and find either running active Tomcat servers or find evidence of Tomcat. So we know which third party vendors to follow up with when we hear about Tomcat vulnerabilities.

Thanks in advance .

Hi, Folks!

I have several small F-Series out in the field now. I'm generally deploying them with Full-SSL-Inspection/IPS/AV/WebFilter, in flow mode. Mix of 6.2.x and 6.4.x still.

Across all of them, I'm getting a fair amount of IPS hits, as "Apache.Tomcat.HTTP2.DoS" - often to spotify. (Please see image for a sample..)

Last run I took at the TAC about this was unsuccessful in coming to any kind of resolution; I understand that whatever the traffic is, it's matching the IPS filter, but this much -- seems to be a false positive to me. I've doubled down on checking that the workstations generating the traffic are free of infection with multiple A/V products.

Anyone else seeing this? Am I the lone, special FortiAdmin out here with this issue at multiple small clients?

I could omit Spotify from the SSL-Inspection, obviously.. that'll make the alerts go away. :)

https://preview.redd.it/oth95c9asl161.jpg?width=1013&format=pjpg&auto=webp&s=e59bee1c838dd4724360971608dc785ebb327b35

Hello,

This is a deployment of Apache Tomcat as an application server on Ubuntu 10. This has previously been running without much issue for years. I've inherited this issue today and do not know the version of Apache Tomcat running.

When trying to start up the Apache Tomcat service with command:

root@localhost:~# usr/local/tomcat# ./startup.sh

the service fails to start. Here is a screenshot of the response.

I am extremely new to Linux and any advice or things to try would be greatly appreciated!

Hi there, I am configuring an Apache front end that will host multiple websites.

One of this website will have a java web application.

I have installed tomcat on a separate machine within the same local network as Apache(Reason: my Java web app is resource intensive)

When am configuring ajp13_worker.host=localhost, I want this to point to the local LAN address.

I searched around the web and all examples point to a host with a web address like www.x.com

Can I use LAN IP here? Or is there a syntax am missing?

Right now, with LAN IP, am getting 404 not found error.

Hi everyone,

I'm still at the embryonnary stage of a project, but already started discussing the feasability with IT teams of the company i work at.

So they told me that they're OK with deploying my Django app and the SQL database (SQL SERVER). They already deployed a Dash project so they're familiar with this apparently.

I thought deploying my Django app would be as simple as just uploading my package into a server that runs Python. But the things they told made me quite confused.

So they told me that my app could be deployed on an APACHE TOMCAT 9 server. To deploy the app i should give them a .WAR package file.

Isn't there any simplier solution for deployment i could propose to them?

Hi everyone,

I'm still at the embryonnary stage of a project, but already started discussing the feasability with IT teams of the company i work at.

So they told me that they're OK with deploying my Django app and the SQL database (SQL SERVER). They already deployed a Dash project so they're familiar with this apparently.

I thought deploying my Django app would be as simple as just uploading my package into a server that runs Python. But the things they told made me quite confused.

So they told me that my app could be deployed on an APACHE TOMCAT 9 server. To deploy the app i should give them a .WAR package file.

Isn't there any simplier solution for deployment i could propose to them?