Yes, this is what I thought and I haven't done this. Thanks for detailing ports.

PointsWell wrote: ↑Thu Feb 25, 2021 10:06 pm
You block access to the AIM server in your firewall. Create access only between reverse proxy and AIM server. The internal IP address should not be accessible from the outside world as this defeats the purpose of the reverse proxy.

hpl123 wrote: ↑Thu Feb 25, 2021 1:13 pm
Yeah but Tomcat can still be accessed from the web? You are blocking it in the firewall or how?

PointsWell wrote: ↑Thu Feb 25, 2021 12:15 am
The directive uses the proxy_pass command to rewrite
customerName.yourDomain.com to internalIP:8080/AwareIM/...
CURL to the URL shows NGINX as the responder.
The firewall would want to allow
- 80 and 443 access to the reverse proxy from external
- 8080 access between the reverse proxy and AIM
- 3306 access between AIM and the Database.
You probably also want
- 22 to the AIM server so that you can tunnel with SSH for access to the AIM desktop (unless you are operating headless, in which case you'd use SSH for terminal access) and to connect remotely to the database. Though you may want to set up a separate server that is spun up only when you want to use SSH access, to ensure that you have adequately isolated the AIM server from everything but the proxy.
Tomcat v Reverse Proxy pros and cons
Re: Hiding or blocking Tomcat?
Henrik (V8 Developer Ed. - Windows)
-
- Posts: 1476
- Joined: Tue Jan 24, 2017 5:51 am
- Location: 'Stralya
Re: Hiding or blocking Tomcat?
Obv that is the MySQL/Maria port; I don't know what the MSSQL port is.
Also, if you are using the Config Tool remotely from your AIM server then you have different challenges to deal with, as you need a bunch of other ports open and you'd want to be able to access the AIM server, and it would basically undo a bunch of the isolation protection you gain from the reverse proxy route.
Not practical if Dev and Prod are same server - Proxy Con
I just thought of this a minute ago.
If you only use one server for your development and use it for production then you have to expose your AIM/Tomcat server to the internet anyway - unless you can think of some fancy pants way to route the config tool's port calls to the AIM server.
If you are doing your dev on a remote server there's probably a whole bunch of other challenges that you face as well - such as maintaining the server connection. I suppose if you were doing that you'd probably be using Remote Desktop.
Re: Tomcat v Reverse Proxy pros and cons
Well here's my train of thought.
If it's a single box for everything and you are running the config tool remotely...
Why not use a reverse proxy to do the normal security thing, then use a VPN to run the rest of the stuff.
<Internet> -> 443 (Bidirectional) -> [Instance]
<Internet for Config Tool> -> [VPN] -> [Instance]
Avid Linux user....
Stop Access to Discontinued Apps - Proxy Pro
AIM does not have a function to decommission published apps https://awareim.com/forum/viewtopic.php?f=1&t=10198
Using a Reverse Proxy allows you to control access at a granular level to individual Apps
For example:
App.mydomain.com can direct a user to a specific app or when I decommission this app I can point this sub domain to an HTML page instead.
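As an added example (not configuration from this thread, from Aware IM or from its forum members), the nginx layout below puts together the two points made in this thread: PointsWell's proxy_pass mapping of a customer subdomain onto the internal AIM/Tomcat address, and the decommissioning trick in this post where a retired app's subdomain is pointed at a static HTML page instead. The internal address 10.0.0.5, the certificate paths, the /var/www/retired directory and the two hostnames are placeholders; the firewall rules from the earlier post (only the proxy may reach 8080) are still required, because nginx can only control what arrives through it.

```nginx
# Added example, not from the forum thread. Placeholders: 10.0.0.5 (AIM/Tomcat
# host, reachable only from this proxy), /etc/ssl/placeholder/*, /var/www/retired.

# Catch-all: a request whose Host header matches no customer vhost is dropped
# (444 closes the connection) rather than being proxied to Tomcat.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;
    return 444;
}

# Plain HTTP for known hosts only redirects to HTTPS; nothing is proxied over 80.
server {
    listen 80;
    server_name customerName.yourDomain.com app.mydomain.com;
    return 301 https://$host$request_uri;
}

# Live customer app: the browser only ever sees https://customerName.yourDomain.com,
# never the internal 10.0.0.5:8080/AwareIM/ address it is rewritten to.
server {
    listen 443 ssl;
    server_name customerName.yourDomain.com;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;
    server_tokens off;   # don't advertise the nginx version to the caller

    location / {
        proxy_pass http://10.0.0.5:8080/AwareIM/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rewrite Location headers Tomcat emits with its internal address
        proxy_redirect   http://10.0.0.5:8080/ https://$host/;
    }
}

# Decommissioned app: the subdomain keeps resolving, but every request gets the
# static retirement page and nothing for this host reaches Tomcat any more.
server {
    listen 443 ssl;
    server_name app.mydomain.com;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;
    server_tokens off;
    root /var/www/retired;

    location / {
        try_files /retired.html =404;
    }
}
```

Two points worth checking after deploying something like this: `nginx -t` before reload, and a `curl -I` against the server's public address with a made-up Host header, which should get an empty reply from the catch-all rather than a Tomcat response. The retired app is only unreachable for as long as the firewall keeps 8080 closed to everything but the proxy; it is still published in AIM, so the reverse proxy is the control, not the removal.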
Re: Tomcat v Reverse Proxy pros and cons
Henrik
I don't know if this was covered elsewhere (like in another nginx thread), but there is ABSOLUTELY no reason to continue using 8080 in Aware.
In this [thread] context, you simply use Tomcat on 80/443 and forget about remapping all these ports.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: Tomcat v Reverse Proxy pros and cons
I can't remember the specifics of this discussion but I use IIS as a reverse proxy using HTTPS, i.e. 443 "in" to the server, and then IIS maps that to localhost:8080. Do you mean this isn't the best config and if so, what is better (and why)?
Henrik (V8 Developer Ed. - Windows)
Re: Tomcat v Reverse Proxy pros and cons
My only point is that I NEVER use 8080 - it looks stupid to the user, and it's unnecessary. Tomcat runs fine on 80 so I always change it.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: Tomcat v Reverse Proxy pros and cons
Aha, yeah I agree, and when using the reverse proxy the end user doesn't see ports etc. They do however see the ugly other URL fragments that Aware creates like NEW_TAB and a lot of other useless and confusing things. I am fairly sure I or someone else has logged an FR to fix this, but that was a long time ago. Still badly needed today IMO.
Henrik (V8 Developer Ed. - Windows)