tl;dr – I have a rooted linux box that I want to run tomcat on as a server (No Apache Web Server) how would you set this up avoiding common security pitfalls?
I've written a Grails App that I want to run on a VPS I rent. The VPS has very little memory and I am using it for the sole purpose of running this application so I don't need the apache web server.
This is my first venture into Server administration and I'm sure to fall into some well known traps.
- Should I use iptables to redirect
requests from port 80 to 8080? - Should
I run tomcat as root or as its own
user? - What configuration settings
would be good for a low memory system
expecting less than 10 concurrent
users?
Hopefully an easy one for you! Anyone who could link to a tutorial would be a personal hero destined for great things no doubt.
Gav
Best Answer
Run tomcat as the tomcat user. I don't think you should ever run tomcat as root. It exposes the potential for a larger security risk than running it as an unprivileged user.
Tomcat's HTTP serving is a bit lacking for some stuff, so i'd always suggest that you have a http server as a frontend. If you don't want apache, there's always Nginx. This is especially true if you wanted HTTP Basic or Digest auth.
I'd suggest that you start off with tomcat's default memory settings, then tune them as and when you need to. With no knowledge of the app's memory profile, it's difficult to give you any hard and fast figures.
If you're using Ubuntu on your vps, you can just apt-get install tomcat6 and it should work out of the "box". Even on Centos5.4, the tomcat5 package from yum works with minimal config changes.
I seriously advise that you use a lightweight server in front of your tomcat instance though. This gives you better granular control over security than Tomcat's "Security Manager"
I have Tomcat6 running on a Virtual Machine which runs my hudson CI server, I think i've given it about 256MB of RAM, and it's perfectly happy.