Within development I start Wildfly 8 as standalone. Then I copy all my WAR files to /standalone/deployments and run them over http://localhost:8080/projectname/.

When thinking of a productive server environment, how would Wildfly 8 be run best? Would it be a good approach to automatically start the /bin/standalone.sh after system boot?

Socrates
    I'm assuming you're asking how to run in production, rather than development. There isn't really a "best", the question is what is appropriate for you. One thing you shouldn't do in production is leave the deployment scanner running. It is better to deploy/undeploy with the CLI. – Mike Feb 19 '15 at 14:49
  • Hi @Mike! Thanks for your reply! Yep, it's Wildfly's production use I am looking for. How would I disable the deployment scanner? How would I deploy/undeploy with the CLI? Any good link to a stepwise instruction? – Socrates Feb 24 '15 at 16:53
  • Try using Google to search for answers. There is a lot of documentation. A useful feature of the CLI is gui mode: `jboss-cli.sh --gui` https://developer.jboss.org/wiki/CommandLineInterface – Mike Feb 25 '15 at 10:36

1 Answer

Leaving the deployment scanner on is a security risk.

Set scan-enabled="false" like so:

    <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
        <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-enabled="false"/>
    </subsystem>

How you start and stop JBoss is really up to you and how you like to manage your server. There are more important things to consider when running JBoss or WildFly in production. This blog post goes over some stuff for JBoss 5. Some things have changed since then, but there is some still relevant stuff there.

One thing I notice is that you are serving requests over port 8080, directly from WildFly. There is a blog post here about securing JBoss EAP 6, which will still apply to WildFly. The preferred way to do this, however, would be to front your server with a web server or load balancer (Apache or Nginx would do) and completely lock down your WildFly host from any external requests apart from those coming from Apache.

This is a huge topic, to be quite honest, so you will need to spend a lot of time analysing risk and making sure you understand things before potentially leaving security holes in production.

Mike
  • "Leaving the deployment scanner on is a security risk." What is the risk of that? How can it be abused? – Socrates Mar 04 '15 at 12:29
  • There have been known exploits (I can't find any right now) which let the attacker have some limited access to the file system. If an attacker can get filesystem access, then they can upload files to your file system. If you leave the deployment scanner on, they can also upload a malicious WAR file, which will then be deployed and run by your server. Things like this are why I say it's such a huge topic. There's a lot of detail to get right even in this small scenario and there are many, many more scenarios to cover. – Mike Mar 04 '15 at 13:37
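A way to verify the scanner setting in a standalone.xml and to deploy through the CLI instead of the scanner, as the answer and the comments above recommend. This is an added example, not Mike's code; the XML fragments are constructed, and the `jboss-cli.sh` invocation and the `/subsystem=deployment-scanner/scanner=default` resource are WildFly's own.

```shell
#!/bin/sh
# Added example (not from the original answer): check a standalone.xml for an
# enabled deployment scanner, and emit the jboss-cli commands that replace it.

# Constructed sample fragments of a standalone.xml (not real server files).
XML_SCANNER_ON='<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
    <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>
</subsystem>'
XML_SCANNER_OFF='<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
    <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-enabled="false"/>
</subsystem>'

# scanner_disabled XML: exit 0 only when every <deployment-scanner> element
# carries scan-enabled="false". The attribute defaults to true, so a scanner
# element without it counts as enabled (the risky state the answer warns about).
scanner_disabled() {
    total=$(printf '%s\n' "$1" | grep -c '<deployment-scanner' || true)
    off=$(printf '%s\n' "$1" | grep -c '<deployment-scanner[^>]*scan-enabled="false"' || true)
    if [ "$total" -gt 0 ] && [ "$total" -eq "$off" ]; then
        return 0
    fi
    return 1
}

# cli_script WAR: print a jboss-cli script that turns the scanner off on the
# running server and deploys WAR explicitly. Run it with:
#   jboss-cli.sh --connect --file=deploy.cli
cli_script() {
    printf '%s\n' \
        '/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)' \
        "deploy $1"
}

# Usage: audit a real config, e.g. scanner_disabled "$(cat standalone/configuration/standalone.xml)"
if scanner_disabled "$XML_SCANNER_ON"; then
    echo "sample ON: scanner disabled"
else
    echo "sample ON: deployment scanner is still enabled, fix before going to production"
fi
cli_script /path/to/projectname.war > deploy.cli
```

The generated `deploy.cli` also serves as the undeploy reference: `undeploy projectname.war` through the same CLI removes the application without touching the deployments directory.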