Before you begin
The following strategy combines two techniques: one for separating your users into those who connect over HTTP and those who connect over HTTPS, and another for securing the HTTPS connection behind a firewall.
First, set up your application server (Tomcat) to listen on one IP address and port using HTTP; then, set up another Web server to listen on a different IP address or port using HTTPS. Set up the second (front end) server to act as a reverse proxy and feed any requests it gets to the first instance above. Enforce security on the proxy server with a firewall.
The sequence for setting up these measures might be as follows:
Procedure
- Make machine1:8080 your normal Tomcat instance. All the internal WorldServer users should go to http://machine1:8080/ws/login.
  Note: For instructions about setting up Tomcat for SSL, see <WS_home>\tomcat\conf\server.xml.orig. You will be instructed to "Uncomment the SSL HTTP/1.1 Connector entry in $CATALINA_HOME/conf/server.xml and tweak as necessary." Then, find and uncomment the following:
      <Connector port="8443"
                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" debug="0" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS" />
- Set up a front end Web server listening on a different IP address or port, such as machine2:443. Configure this machine as a proxy server, forwarding requests to machine1.
Note: Apache Tomcat has out-of-the-box features that allow Web servers to be set up this way.
- After you have set up your infrastructure like this, set up your firewall to only allow access to machine2 via SSL and block any external access to machine1. This allows you to force any external user to go through the secure connection to WorldServer.
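The front end described in the steps above, written as an added example of an Apache httpd virtual host on machine2 (this is illustrative configuration, not part of the WorldServer documentation): it terminates HTTPS on port 443 and reverse-proxies /ws to the plain-HTTP Tomcat instance on machine1:8080. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded; the certificate and key paths are placeholders, and the X-Forwarded-Proto header is only honoured if Tomcat is configured to read it (for example with RemoteIpValve on versions that provide it).

```apache
# Added example: HTTPS front end on machine2 proxying to Tomcat on machine1:8080.
# Certificate paths below are placeholders; replace with your own files.
Listen 443
<VirtualHost *:443>
    ServerName machine2

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/machine2.crt
    SSLCertificateKeyFile /etc/ssl/private/machine2.key
    # Refuse the legacy SSLv2/SSLv3 protocols; TLS only.
    SSLProtocol all -SSLv2 -SSLv3

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    # Keep the Host header the client sent (machine2), so Tomcat
    # builds redirects and absolute URLs for the public name.
    ProxyPreserveHost On

    # Let the back end know the original request was HTTPS.
    # Tomcat only uses this if configured to (assumption: RemoteIpValve).
    RequestHeader set X-Forwarded-Proto "https"

    # Forward the WorldServer application to the internal Tomcat instance
    # and rewrite Location headers in its responses back to this host.
    ProxyPass        /ws http://machine1:8080/ws
    ProxyPassReverse /ws http://machine1:8080/ws
</VirtualHost>
```

This only covers the proxy; machine1:8080 still has to be blocked from outside by the firewall rule in the last step, otherwise external users can bypass the HTTPS front end.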
Results
The following figure illustrates this setup.
Figure 1. Secure WorldServer Connection Setup