Tomcat v Reverse Proxy pros and cons

hpl123
Posts: 2334
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Hiding or blocking Tomcat?

Post by hpl123 »

PointsWell wrote: Thu Feb 25, 2021 10:06 pm
hpl123 wrote: Thu Feb 25, 2021 1:13 pm
PointsWell wrote: Thu Feb 25, 2021 12:15 am

The directive uses proxy_pass command to rewrite

customerName.yourDomain.com to internalIP:8080/AwareIM/...

CURL to the URL shows NGINX as the responder.
Yeah but Tomcat can still be accessed from the web? You are blocking it in the firewall or how?
You block access to the AIM server in your firewall. Create access only between reverse proxy and AIM server. The internal IP address should not be accessible from the outside world as this defeats the purpose of the reverse proxy.

The firewall would want to allow
80 and 443 access to the reverse proxy from external
8080 access between the reverse proxy and AIM
3306 access between AIM and the Database.

You probably also want
22 to the AIM server so that you can tunnel with SSH for access to the AIM desktop (unless you are operating headless in which case you'd use SSH for terminal access) and to connect remotely to the database. Though you may want to set up a separate server that is spun up only when you want to use SSH access to ensure that you have adequately isolated the AIM server from everything but the proxy
Yes, this is what I thought and I haven't done this. Thanks for detailing ports.
Henrik (V8 Developer Ed. - Windows)
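Added example, not from the thread or from Aware IM: a host-firewall script for the AIM/Tomcat server that encodes the port plan quoted above (8080 only from the reverse proxy, 22 only from an admin host, 3306 out to the database). It assumes iptables, a database on a separate host, and a known admin/bastion address; PROXY_IP, DB_IP and ADMIN_IP are assumed names.

```shell
#!/bin/sh
# Host firewall for the AIM/Tomcat server, following the port plan from the thread:
# only the reverse proxy may reach 8080, only an admin host may reach 22, and the
# server itself may only talk out to the database on 3306.
# Assumptions (not from the thread): iptables is the firewall, the database is on
# a separate host, and the admin/bastion host IP is known.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.
: "${DRY_RUN:=1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# aim_host_rules PROXY_IP DB_IP ADMIN_IP
aim_host_rules() {
    proxy="$1"; db="$2"; admin="$3"
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -P INPUT DROP      # nothing in unless listed below
    ipt -P OUTPUT DROP     # nothing out either (add rules for DNS/updates if needed)
    ipt -P FORWARD DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 8080: only the reverse proxy, never the internet (the thread's core point)
    ipt -A INPUT -p tcp -s "$proxy" --dport 8080 -j ACCEPT
    # 22: only the admin/bastion host, for SSH tunnelling to the AIM desktop/DB
    ipt -A INPUT -p tcp -s "$admin" --dport 22 -j ACCEPT
    # 3306: AIM to the database host only
    ipt -A OUTPUT -p tcp -d "$db" --dport 3306 -j ACCEPT
    # Log any other attempt to reach 8080 so direct exposure is visible
    ipt -A INPUT -p tcp --dport 8080 -j LOG --log-prefix "AIM-8080-blocked: "
}

# Apply (or print) only when the three addresses are supplied in the environment.
if [ -n "${PROXY_IP:-}" ] && [ -n "${DB_IP:-}" ] && [ -n "${ADMIN_IP:-}" ]; then
    aim_host_rules "$PROXY_IP" "$DB_IP" "$ADMIN_IP"
fi
```

Run it once with DRY_RUN=1 to review the generated rules, then as root with DRY_RUN=0; the LOG rule is what lets you see in the kernel log whether anything other than the proxy is still trying to reach Tomcat.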
PointsWell
Posts: 1067
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Hiding or blocking Tomcat?

Post by PointsWell »

hpl123 wrote: Thu Feb 25, 2021 10:44 pm
PointsWell wrote: Thu Feb 25, 2021 10:06 pm
3306 access between AIM and the Database.
Yes, this is what I thought and I haven't done this. Thanks for detailing ports.
Obv that is the MySQL/Maria port; I don't know what the MSSQLS port is.

Also, if you are using the Config Tool remotely from your AIM server, then you have different challenges to deal with, as you need a bunch of other ports open and you'd want to be able to access the AIM server, and it would basically undo a bunch of the isolation protection you gain from the reverse proxy route.
PointsWell
Posts: 1067
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Not practical if Dev and Prod are same server - Proxy Con

Post by PointsWell »

I just thought of this a minute ago.

If you only use one server for your development and use it for production then you have to expose your AIM/Tomcat server to the internet anyway - unless you can think of some fancy pants way to route the config tools port calls to the AIM server.

If you are doing your dev on a remote server there's probably a whole bunch of other challenges that you face as well - such as maintaining the server connection. I suppose if you were doing that you'd probably be using Remote Desktop.