Squarebox

CatDV Web Access via a DMZ

This page describes how to configure secure public web access to CatDV Server using a DMZ-based deployment. Internet security is a wide topic and it is strongly recommended that customers seek professional internet security advice to ensure their security arrangements are appropriate.

Organisations wishing to provide public Internet access to their systems commonly make use of a DMZ (De-Militarized Zone) network architecture to reduce the risk of attacks. Only servers in the DMZ are accessible from the public Internet, and these machines can be locked down to provide a single, or very small number, of defined services, so reducing their attack surface. The internal firewall, between the DMZ and the internal network, is configured to only allow very specific traffic from these machines.

A typical CatDV Server installation, running in a DMZ environment, is shown below. This installation contains a number of components:

http://www.squarebox.com/wp-content/uploads/2014/02/2017-11-08-14_49_37-mod_proxy-security.pptx-Protected-View-PowerPoint-1024x765.png

1. CatDV Server itself running on an internal server

2. A web server, running in the DMZ, with just Apache running on it. No application software is installed on this server

3. mod_proxy – the Apache-Tomcat connection technology, configured on both the DMZ machine and the CatDV server.

4. Appropriate firewall rules to control traffic between the web servers

1. CatDV Server

Please enable the AJP13 protocol on the CatDV server in the Web Server section of the CatDV Server Setup wizard.

http://www.squarebox.com/wp-content/uploads/2014/02/2017-11-07-13_48_33-Edit-Post-%E2%80%B9-Squarebox-%E2%80%94-WordPress.png

2. Web Server in the DMZ

Apache is an industry standard web server and there are many online guides for how to install and configure Apache. Installation instructions and downloads are available here.

3. Apache Tomcat Connector

The Apache Tomcat Connector (mod_proxy) is a standard component for connecting Apache and Tomcat using a binary protocol called AJP13; it is usually included in recent Apache distributions. mod_proxy needs to be configured on both the Apache server in the DMZ and the CatDV server.

Apache Configuration

The following needs to be added to Apache's httpd.conf (normally /etc/httpd/conf/httpd.conf) on the DMZ server. Uncomment and edit the lines, or add them if they are not present, replacing <catdv_server_ip_address> with the IP address of the CatDV server:

    <IfModule proxy_wstunnel_module>
        ProxyPass /catdv/notifications ws://<catdv_server_ip_address>:8080/catdv/notifications
        ProxyPassReverse /catdv/notifications ws://<catdv_server_ip_address>:8080/catdv/notifications
    </IfModule>

    <IfModule proxy_ajp_module>
        ProxyPass /catdv ajp://<catdv_server_ip_address>:8009/catdv
        ProxyPassReverse /catdv ajp://<catdv_server_ip_address>:8009/catdv
    </IfModule>

The proxy_ajp block tells Apache to forward all requests under /catdv to the CatDV web server over AJP13 and tells mod_proxy_ajp the address and port (default 8009) of the CatDV web server. The proxy_wstunnel block forwards the WebSocket notifications endpoint to the CatDV web server's HTTP port (8080) in the same way.

4. Firewall Rules

How to set firewall rules will be determined by the type and manufacturer of your firewall. However, you will need to create a rule to allow TCP traffic from the Apache server over port 8009 (or whatever port you choose for AJP13) to the CatDV server.

Further assistance

Square Box Systems can provide technical assistance to set up this kind of deployment via its professional services team. Please contact us at [email protected] for further information.
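As an added check for the Apache configuration and firewall sections above (example code written for this page, not part of CatDV or Squarebox's own tooling), the script below reads the ProxyPass lines of an httpd.conf, flags the two mistakes that most often break this deployment (whitespace after `ajp://` or `ws://`, and a `<catdv_server_ip_address>` placeholder left in place), and lists the backend host/port pairs the internal firewall must allow from the DMZ host. The sample configuration and the address 10.0.1.20 are constructed for the example.

```python
import re

# Matches "ProxyPass[Reverse] <path> <scheme>://<host>[:<port>][/path]".
# Constructed for this check; only the schemes used in the DMZ config are listed.
PROXY_RE = re.compile(
    r"^ProxyPass(?:Reverse)?\s+\S+\s+(ajp|ws|wss|http|https)://"
    r"([^\s:/]+)(?::(\d+))?(?:/\S*)?$"
)
DEFAULT_PORTS = {"ajp": 8009, "ws": 80, "wss": 443, "http": 80, "https": 443}

def audit_proxy_config(conf_text):
    """Return (sorted (scheme, host, port) backends, list of problem strings)."""
    backends, problems = set(), []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith("ProxyPass"):
            continue
        # "ajp:// 10.0.1.20:8009/catdv": the URL argument ends at the first
        # space, so the directive will not proxy to the intended backend.
        if re.search(r"://\s", stripped):
            problems.append(f"line {lineno}: whitespace after '://' in backend URL")
            continue
        m = PROXY_RE.match(stripped)
        if not m:
            problems.append(f"line {lineno}: unrecognised ProxyPass syntax")
            continue
        scheme, host, port = m.groups()
        if host.startswith("<"):
            problems.append(f"line {lineno}: placeholder {host} not replaced")
            continue
        backends.add((scheme, host, int(port) if port else DEFAULT_PORTS[scheme]))
    return sorted(backends), problems

def required_firewall_ports(conf_text):
    """(host, tcp_port) pairs the firewall must allow from the Apache host."""
    backends, _ = audit_proxy_config(conf_text)
    return sorted({(host, port) for _, host, port in backends})

# Constructed sample: the page's fragment with an address filled in, plus
# the two mistakes the audit is meant to catch (lines 3 and 7).
SAMPLE_CONF = """\
<IfModule proxy_wstunnel_module>
    ProxyPass /catdv/notifications ws://10.0.1.20:8080/catdv/notifications
    ProxyPassReverse /catdv/notifications ws:// 10.0.1.20:8080/catdv/notifications
</IfModule>
<IfModule proxy_ajp_module>
    ProxyPass /catdv ajp://10.0.1.20:8009/catdv
    ProxyPassReverse /catdv ajp://<catdv_server_ip_address>:8009/catdv
</IfModule>
"""
```

Note that the port list returned for this configuration contains 8080 (the WebSocket notifications route) as well as 8009, so the firewall rule described above must also permit 8080 from the Apache server if notifications are proxied.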