RE: Is it possible and how
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Subject: Re: Is it possible and how > On 2/28/18 11:12 AM, M. Osama Alghwell wrote: > > I have a Java application that run on windows and using to Tomcat > > (unfortunately it is Tomcat 4.5 and I an assigned to upgrade it). There was no Tomcat 4.5; 4.1, 5.0, and 5.5 were released, many years ago. > > Is it possible to move to Linux platform? and is it possible to > > jump to Tomcat 8.x? what action should be taken? > While that sounds like a big jump (Windows -> Linux, Tomcat 4.x -> > 8.x), it shouldn't be a *huge* change. You'll also need a Java upgrade > as well, of course (Tomcat 8 requires Java 7 or later; I recommend > Java 8). Reading the migration guides would also be useful, although they don't go all the way back to Tomcat 4: http://tomcat.apache.org/migration.html - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. smime.p7s Description: S/MIME cryptographic signature
Re: Is it possible and how
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Osama, Welcome to the community! On 2/28/18 11:12 AM, M. Osama Alghwell wrote: > I have a Java application that run on windows and using to Tomcat > (unfortunately it is Tomcat 4.5 and I an assigned to upgrade it). > Is it possible to move to Linux platform? and is it possible to > jump to Tomcat 8.x? what action should be taken? While that sounds like a big jump (Windows -> Linux, Tomcat 4.x -> 8.x), it shouldn't be a *huge* change. You'll also need a Java upgrade as well, of course (Tomcat 8 requires Java 7 or later; I recommend Java 8). Installing Tomcat on Linux is straightforward: Option a) Use your package-manager to install the "tomcat" package (or whatever it is called in your environment) Option b) Download apache-tomcat-8.x.y.tar.gz from the ASF web site and untar the tarball wherever you want. In this community, we have a slight preference for "Option b" obly because package-managers often move things around in ways we can't always predict or have in our brains. The ASF-issued package always puts files in a predictable place. Once you've installed Java and Tomcat, installing your web application should be as easy as: 1. Drop your application's WAR file (or exploded WAR-like directory) into Tomcat's webapps/ auto-deployment directory 2. Adding any configuration to Tomcat's conf/server.xml you require (usually elements) 3. You may have to adjust (or create, if necessary) your application's META-INF/context.xml file. This is typically where you would configure any resources such as a JDBC connection pool your application may require. Most applications deployed on Tomcat 4 put everything into the server's global configuration, so moving that into application-specific configuration is a Good Idea. 4. Launch Tomcat (and your application, which should auto-deploy) and see if there are any errors. Then, run-through your testing plan to ensure that everything is working. Please note that you cannot copy any of the following files from your old Tomcat installation into the new one: conf/server.xml conf/context.xml conf/web.xml If you have any questions, don't hesitate to post back to this mailing list. The more specific you can make your question, the better help you can get. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqW3JgACgkQHPApP6U8 pFhYQBAAnHm9A9swpUJTMZt51L4iD8hrbD+1wBwGZ2Z73w9DKePqs+nuay3Z2Eqe ZEc004rl5Lejdf6MX6Ea97rkdD3X1mI7z9kZGKFj07VXmEwXjrZrPsPU+JbSI/IJ Zmg7hge8nhbqEmkn5CB323L/gUIaUF1KCHvqZKrobzyZPFFXxxeL9tDJdmf2kr27 2neRhavwTkQbZoF6KdptDfWI0+Jb4NPfZ9QPV2M9oojK/7s94vgyHlewA3OGD/hT j6k8Lh0FczHxuImjq+fo2x1P4z3n/Fm/d8oglbLaoU6rt1xwlzwjkDDPv7n4rxP/ kwzvhHeJIJsUWoe4rgo5Ub1Ce9jYqiASOHFoaNEHRTxiBnnKOa6Snq5sZjsgvxoy WZtZd2HI2N/OYnWAU+TzZWNreAQMdSRAW8ASHvIEWH7lYHmy3RFrnpYIkG0+59tR DPlh3duyaW+dbHksQhLSWeMUsQt15W5FLm80+DI3IrHPYpiMh85pDcIF58dudRbJ zAurWiPmYMSoOIej62DeHTCuCcDJxCv9Q7Ie5qHCdrB0j3GdMPFd90GDxpLvMb95 HQQsrPvAzVGWYqHRwGgPzG+ek71po4UzpYJaMf0d+htVqNSxTiOxh2RygWy5OwMy HhR4tE7rS1Q1kZa1euqDkSdamAC+4sJn069pCQA72T1Nm1Ed2po= =Pr7p -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Security of AJP
On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Chris, > > On 2/28/18 8:40 AM, Cheltenham, Chris wrote: > > Since AJP is not really needed by Tomcat; If I comment out the AJP > > startup line in server.xml will that affect anything. > > > > I still don’t even understand what its for. I have read the apache > > docs but it doesn’t mean anything to me.. Apache's description > > doesn't tell me anything. > > > > > > The AJP Connector element represents a Connector component that > > communicates with a web connector via the AJP protocol. This is > > used for cases where you wish to invisibly integrate Tomcat into an > > existing (or new) Apache installation, and you want Apache to > > handle the static content contained in the web application, and/or > > utilize Apache's SSL processing. > > > > That is mumbo jumbo. > > Is it? Well, it could be improved. For example, by using the widely-understood word "proxy" somewhere, or defining "web connector". Also by recalling that "Apache" is a huge array of various projects (including Tomcat!), while "Apache HTTP Server" refers to a specific web server daemon that can front-end Tomcat. One could even link "Apache HTTP Server" to 'http://httpd.apache.org/'. -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu signature.asc Description: PGP signature
Is it possible and how
Hi all, I have a Java application that run on windows and using to Tomcat (unfortunately it is Tomcat 4.5 and I an assigned to upgrade it). Is it possible to move to Linux platform? and is it possible to jump to Tomcat 8.x? what action should be taken? Thank you -- *M. Osama Alghwell*
Re: [OT] Security of AJP
On 28.02.2018 16:01, Cheltenham, Chris wrote: In this case are you tunneling into tomcat via 8009 AJP connector? "tunneling the (unencrypted) AJP connection between Apache httpd and Tomcat, so that it's no longer transmitted in clear text." - that's how I'd phrase it. (and thank you Christopher, great input, this goes directly into my toolbox) Olaf - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Security of AJP
Chris and Chris -Original Message- > From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] > Sent: Wednesday, February 28, 2018 8:40 AM > To: Tomcat Users List> Subject: RE: Security of AJP > > Since AJP is not really needed by Tomcat; If I comment out the AJP startup > line in server.xml will that affect anything. > > I still don’t even understand what its for. > I have read the apache docs but it doesn’t mean anything to me.. > Apache's description doesn't tell me anything. > > > The AJP Connector element represents a Connector component that communicates > with a web connector via the AJP protocol. This is used for cases where you > wish to invisibly integrate Tomcat into an existing (or new) Apache > installation, and you want Apache to handle the static content contained in > the web application, and/or utilize Apache's SSL processing. > > That is mumbo jumbo. Perhaps is "Apache" were replaced with "Apache web server (httpd)" in the documentation that would clarify things. > === > > Thank You; > > Chris Cheltenham > Technology Services > The School District of Philadelphia > > Work # 215-400-5025 > Cell # 215-301-6571 > > -Original Message- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: Tuesday, February 27, 2018 4:26 PM > To: users@tomcat.apache.org > Subject: Re: Security of AJP > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Mark, > > On 2/27/18 3:54 PM, Mark A. Claassen wrote: > > From what I have read, it seems that the AJP connector is not secure, > > and is meant to be used in a protective environment. > > There are lots of things that imply this, like no SSL settings and > > such, but I cannot find it directly stated anywhere. I am pretty > > confident in my read of this, but it is, of course, difficult to say > > that "all options have been explored and it is not possible". > > AJP is definitely a cleartext protocol, and offers no encryption > capabilities. If you want to secure it, you will have to use some tunneling > technology such as a VPN, stunnel, etc. > > > First of all, am I correct in my assertion that it cannot be made > > secure? > > Theoretically, it can be made to be secure, but it would require a great deal > of work and honestly, it's probably not worth it. The protocol is mature and > nobody really feels like retrofitting encryption into it. > > > And, if so, I would invite you (or us, the community!) to consider > > modifying the documentation to state this. Maybe something like: > > > > https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP > > Connector element represents a Connector component that communicates > > with a web connector via the AJP protocol. [This is an unencrypted > > connector, intended for use in protected enviroments.] This is used > > for cases where you wish to invisibly integrate Tomcat into an > > existing (or new) Apache installation, and you want Apache to handle > > the static content contained in the web application, and/or utilize > > Apache's SSL processing. > > That seems reasonable. Care to provide a documentation patch? You'll get your > name into the change log ;) > > - -chris > -- Cris Berneburg, Lead Software Engineer CACI, IRMA Project phone: 703-679-5313
RE: Security of AJP
Chris, Poor choice of words. Not meaning it maliciously; just frustrated. My apologies. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, February 28, 2018 9:26 AM To: users@tomcat.apache.org Subject: Re: Security of AJP -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 2/28/18 8:40 AM, Cheltenham, Chris wrote: > Since AJP is not really needed by Tomcat; If I comment out the AJP > startup line in server.xml will that affect anything. > > I still don’t even understand what its for. I have read the apache > docs but it doesn’t mean anything to me.. Apache's description doesn't > tell me anything. > > > The AJP Connector element represents a Connector component that > communicates with a web connector via the AJP protocol. This is used > for cases where you wish to invisibly integrate Tomcat into an > existing (or new) Apache installation, and you want Apache to handle > the static content contained in the web application, and/or utilize > Apache's SSL processing. > > That is mumbo jumbo. Is it? Lots of things sound like "mumbo jumbo" if you have no basic understanding of the topic. I'm sure I wouldn't be able to understand a description of reverse-transcriptase inhibitors if I had never heard of the germ theory of medicine or DNA. But that doesn't make it "mumbo jumbo". Documentation always requires a basic understanding of the topic before you begin. You can't learn English from scratch by simply picking up a dictionary and reading it start to finish. That description above is intended to be read by people who need to connect servers together, and already understand the ideas behind the mechanisms required to do such a thing. AJP is a communications protocol (the third letter - P - stands for "protocol", just like in HTTP). Like HTTP, it carries web requests between two endpoints where one is the client and the other is the serve r. The AJP Connector is a Connector (you have to understand what Tomcat means by "connector", here) that uses the AJP protocol (instead of HTTP). It only makes sense to use AJP with clients who can speak it. AJP is really only useful between reverse-proxies (you have to understand what a reverse-proxy is, here) and Tomcat or other Java-based app servers. If you don't understand any of these things, you generally don't have to worry about them. If you don't need a reverse-proxy, you don't need AJP or the connector that speaks it. - -chris > -Original Message- From: Christopher Schultz > [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 27, > 2018 4:26 PM To: users@tomcat.apache.org Subject: Re: Security of AJP > > Mark, > > On 2/27/18 3:54 PM, Mark A. Claassen wrote: >> From what I have read, it seems that the AJP connector is not secure, >> and is meant to be used in a protective environment. >> There are lots of things that imply this, like no SSL settings and >> such, but I cannot find it directly stated anywhere. I am pretty >> confident in my read of this, but it is, of course, difficult to say >> that "all options have been explored and it is not possible". > > AJP is definitely a cleartext protocol, and offers no encryption > capabilities. If you want to secure it, you will have to use some > tunneling technology such as a VPN, stunnel, etc. > >> First of all, am I correct in my assertion that it cannot be made >> secure? > > Theoretically, it can be made to be secure, but it would require a > great deal of work and honestly, it's probably not worth it. The > protocol is mature and nobody really feels like retrofitting > encryption into it. > >> And, if so, I would invite you (or us, the community!) to consider >> modifying the documentation to state this. Maybe something like: > >> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP >> Connector element represents a Connector component that communicates >> with a web connector via the AJP protocol. [This is an unencrypted >> connector, intended for use in protected enviroments.] This is used >> for cases where you wish to invisibly integrate Tomcat into an >> existing (or new) Apache installation, and you want Apache to handle >> the static content contained in the web application, and/or utilize >> Apache's SSL processing. > > That seems reasonable. Care to provide a documentation patch? > You'll get your name into the change log ;) > > -chris > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] Security of AJP
In this case are you tunneling into tomcat via 8009 AJP connector? === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, February 28, 2018 9:37 AM To: users@tomcat.apache.org Subject: Re: [OT] Security of AJP -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Olaf, On 2/28/18 2:46 AM, Olaf Kock wrote: > On 27.02.2018 23:18, Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >> >> Olaf, >> >> On 2/27/18 4:33 PM, Olaf Kock wrote: >>> On 27.02.2018 21:54, Mark A. Claassen wrote: I would /not/ state >>> that it's /not secure/. But I'm following your later >>> argument: It's an "unencrypted connector", yes. In order to encrypt >>> it, it needs to be run through an encrypted tunnel - and doing so is >>> cumbersome, error prone and unrelated to the unencrypted nature of >>> this connector. >> We use stunnel in production to tunnel AJP from AWS-based web servers >> and our back-end co-located app servers. We haven't had any problems >> with that set up vis-a-vis connection failures or anything like that. >> We haven't even had any issues with running out of file-handles for >> stunnel. >> >> So, yes, it's another component to configure and babysit, but I >> wouldn't call it "cumbersome"... merely "more than you might expect" >> when HTTPS through mod_proxy_http is an alternative. > > Nice. This is the first time that I hear that somebody actually does > this. It's not surprising that it comes from this direction (e.g. you, > somebody well known in this community). I'd offer to do a talk on it at ApacheCon, but it would be a short talk. The following config files have 12 lines of effective configuration, 6 of which come out of the box in the basic configuration (everything at the top, until you get to the "basic TLS stuff" comment): === CUT === # stunnel configuration file (web server) # boilerplate stuff: pid=/stunnel.pid chroot=/var/lib/stunne4l setuid=stunnel setgid=stunnel socket=l:TCL_NODELAY=1 socket=r:TCP_NODELAY=1 # Basic TLS stuff sslVersion = TLSv1.2 fips=no # we are a client client=yes # Connection information [ajp13] accept=localhost:8009 connect=backend.example.com:8010 === CUT === # stunnel configuration file (app server) # boilerplate stuff: cert=/etc/stunnel/stunnel.pem pid=/stunnel.pid chroot=/var/lib/stunne4l setuid=stunnel setgid=stunnel socket=l:TCL_NODELAY=1 socket=r:TCP_NODELAY=1 # Basic TLS stuff options=NO_SSLv2 options=NO_SSLv3 [ajp13] accept=8010 connect=localhost:8009 === CUT === stunnel runs on both sides of the connection. The connection looks like this: httpd [mod_jk] - AJP13 -> localhost:8009 [stunnel] - TLS -> backend.example.com:8010 [stunnel] - AJP13 -> localhost:8009 The "TLS" part of the connection goes across the network to the backend host. The first "localhost" refers to the web server talking to itself over the loopback connection, and the second "localhost" refers to the app server talking to itself over the loopback connection. We aren't doing anything with mutual TLS authentication (client certs) because we are using IP-based whitelisting. I suppose we could tighten-up security a bit by using client certs, but then we'd have more key material out on our web servers and, really, how secure is that ? I assume someone will talk about proxying at ApacheCon. I'll ask them to stick in a slide about using stunnel since it's fairly short. Just a picture and a sample configuration. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqWvpMACgkQHPApP6U8 pFic2g//RW73Z/NyDIDms4KDASzNYxA+zqwYOO2Sb4pv0I/i776azJzMFcRKJkyO CygbvVEgQosQkrWw8suzpeg67AmcviwE9U21TvcDPZAJGOHE/KVtADnxKzy6QFit B280c39HDqGGz23T2FxkSmErZ8w29ZqdH3YoGFG+wj46qpJO6oWWq342EXYwLsGo 9HhE6+J1LrRotPZ8eYvGoqbHIWA6VQP+eJ1bIbUGci/tv9ShF6FyoRZl2tBjbXHb vIBxL1X/z+yEy4ue2L3W4DglgSzRhlOKaPOwV/vKWq5fUgipoQD22K8G64Mj5X5H 2/PvmvENqcM0VhIn1WSSbsKYol+v2xKk4g3IRH5ifDnjZaJkWxR5buxn5uCcgMsh Ojq4myGFjqp7KHllUWCo+VphE/JrNRoxEYQQnnylyt6Hd2l8nJsO1KK6Ce5beexn YnKBCJ3Fl45TgVlJloabD5NFpyzRoS7LYB9BKHBqoFeSVoUEsO2Yaog3liKqVYp2 7WfOovoPrVdH6UBRCNkVygJacJwtNul502lV/EdqwyX17qoi0G8wRd5i1Vwe61zV XZisJsYuk9kCRC08mi1B4Ja5Vt3D1zq9KrIvSLdLeR//Af8lul+kbOvg2ZvWXWUT ck54nJo70iNNa3gwZ5IfmbNdnYnm3fACVXxeWXo5rNIxrX6mROU= =0/CI -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Security of AJP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Olaf, On 2/28/18 2:46 AM, Olaf Kock wrote: > On 27.02.2018 23:18, Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >> >> Olaf, >> >> On 2/27/18 4:33 PM, Olaf Kock wrote: >>> On 27.02.2018 21:54, Mark A. Claassen wrote: I would /not/ >>> state that it's /not secure/. But I'm following your later >>> argument: It's an "unencrypted connector", yes. In order to >>> encrypt it, it needs to be run through an encrypted tunnel - >>> and doing so is cumbersome, error prone and unrelated to the >>> unencrypted nature of this connector. >> We use stunnel in production to tunnel AJP from AWS-based web >> servers and our back-end co-located app servers. We haven't had >> any problems with that set up vis-a-vis connection failures or >> anything like that. We haven't even had any issues with running >> out of file-handles for stunnel. >> >> So, yes, it's another component to configure and babysit, but I >> wouldn't call it "cumbersome"... merely "more than you might >> expect" when HTTPS through mod_proxy_http is an alternative. > > Nice. This is the first time that I hear that somebody actually > does this. It's not surprising that it comes from this direction > (e.g. you, somebody well known in this community). I'd offer to do a talk on it at ApacheCon, but it would be a short talk. The following config files have 12 lines of effective configuration, 6 of which come out of the box in the basic configuration (everything at the top, until you get to the "basic TLS stuff" comment): === CUT === # stunnel configuration file (web server) # boilerplate stuff: pid=/stunnel.pid chroot=/var/lib/stunne4l setuid=stunnel setgid=stunnel socket=l:TCL_NODELAY=1 socket=r:TCP_NODELAY=1 # Basic TLS stuff sslVersion = TLSv1.2 fips=no # we are a client client=yes # Connection information [ajp13] accept=localhost:8009 connect=backend.example.com:8010 === CUT === # stunnel configuration file (app server) # boilerplate stuff: cert=/etc/stunnel/stunnel.pem pid=/stunnel.pid chroot=/var/lib/stunne4l setuid=stunnel setgid=stunnel socket=l:TCL_NODELAY=1 socket=r:TCP_NODELAY=1 # Basic TLS stuff options=NO_SSLv2 options=NO_SSLv3 [ajp13] accept=8010 connect=localhost:8009 === CUT === stunnel runs on both sides of the connection. The connection looks like this: httpd [mod_jk] - AJP13 -> localhost:8009 [stunnel] - TLS -> backend.example.com:8010 [stunnel] - AJP13 -> localhost:8009 The "TLS" part of the connection goes across the network to the backend host. The first "localhost" refers to the web server talking to itself over the loopback connection, and the second "localhost" refers to the app server talking to itself over the loopback connection. We aren't doing anything with mutual TLS authentication (client certs) because we are using IP-based whitelisting. I suppose we could tighten-up security a bit by using client certs, but then we'd have more key material out on our web servers and, really, how secure is that ? I assume someone will talk about proxying at ApacheCon. I'll ask them to stick in a slide about using stunnel since it's fairly short. Just a picture and a sample configuration. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqWvpMACgkQHPApP6U8 pFic2g//RW73Z/NyDIDms4KDASzNYxA+zqwYOO2Sb4pv0I/i776azJzMFcRKJkyO CygbvVEgQosQkrWw8suzpeg67AmcviwE9U21TvcDPZAJGOHE/KVtADnxKzy6QFit B280c39HDqGGz23T2FxkSmErZ8w29ZqdH3YoGFG+wj46qpJO6oWWq342EXYwLsGo 9HhE6+J1LrRotPZ8eYvGoqbHIWA6VQP+eJ1bIbUGci/tv9ShF6FyoRZl2tBjbXHb vIBxL1X/z+yEy4ue2L3W4DglgSzRhlOKaPOwV/vKWq5fUgipoQD22K8G64Mj5X5H 2/PvmvENqcM0VhIn1WSSbsKYol+v2xKk4g3IRH5ifDnjZaJkWxR5buxn5uCcgMsh Ojq4myGFjqp7KHllUWCo+VphE/JrNRoxEYQQnnylyt6Hd2l8nJsO1KK6Ce5beexn YnKBCJ3Fl45TgVlJloabD5NFpyzRoS7LYB9BKHBqoFeSVoUEsO2Yaog3liKqVYp2 7WfOovoPrVdH6UBRCNkVygJacJwtNul502lV/EdqwyX17qoi0G8wRd5i1Vwe61zV XZisJsYuk9kCRC08mi1B4Ja5Vt3D1zq9KrIvSLdLeR//Af8lul+kbOvg2ZvWXWUT ck54nJo70iNNa3gwZ5IfmbNdnYnm3fACVXxeWXo5rNIxrX6mROU= =0/CI -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Security of AJP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chris, On 2/28/18 8:40 AM, Cheltenham, Chris wrote: > Since AJP is not really needed by Tomcat; If I comment out the AJP > startup line in server.xml will that affect anything. > > I still don’t even understand what its for. I have read the apache > docs but it doesn’t mean anything to me.. Apache's description > doesn't tell me anything. > > > The AJP Connector element represents a Connector component that > communicates with a web connector via the AJP protocol. This is > used for cases where you wish to invisibly integrate Tomcat into an > existing (or new) Apache installation, and you want Apache to > handle the static content contained in the web application, and/or > utilize Apache's SSL processing. > > That is mumbo jumbo. Is it? Lots of things sound like "mumbo jumbo" if you have no basic understanding of the topic. I'm sure I wouldn't be able to understand a description of reverse-transcriptase inhibitors if I had never heard of the germ theory of medicine or DNA. But that doesn't make it "mumbo jumbo". Documentation always requires a basic understanding of the topic before you begin. You can't learn English from scratch by simply picking up a dictionary and reading it start to finish. That description above is intended to be read by people who need to connect servers together, and already understand the ideas behind the mechanisms required to do such a thing. AJP is a communications protocol (the third letter - P - stands for "protocol", just like in HTTP). Like HTTP, it carries web requests between two endpoints where one is the client and the other is the serve r. The AJP Connector is a Connector (you have to understand what Tomcat means by "connector", here) that uses the AJP protocol (instead of HTTP). It only makes sense to use AJP with clients who can speak it. AJP is really only useful between reverse-proxies (you have to understand what a reverse-proxy is, here) and Tomcat or other Java-based app servers. If you don't understand any of these things, you generally don't have to worry about them. If you don't need a reverse-proxy, you don't need AJP or the connector that speaks it. - -chris > -Original Message- From: Christopher Schultz > [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 27, > 2018 4:26 PM To: users@tomcat.apache.org Subject: Re: Security of > AJP > > Mark, > > On 2/27/18 3:54 PM, Mark A. Claassen wrote: >> From what I have read, it seems that the AJP connector is not >> secure, and is meant to be used in a protective environment. >> There are lots of things that imply this, like no SSL settings >> and such, but I cannot find it directly stated anywhere. I am >> pretty confident in my read of this, but it is, of course, >> difficult to say that "all options have been explored and it is >> not possible". > > AJP is definitely a cleartext protocol, and offers no encryption > capabilities. If you want to secure it, you will have to use some > tunneling technology such as a VPN, stunnel, etc. > >> First of all, am I correct in my assertion that it cannot be >> made secure? > > Theoretically, it can be made to be secure, but it would require a > great deal of work and honestly, it's probably not worth it. The > protocol is mature and nobody really feels like retrofitting > encryption into it. > >> And, if so, I would invite you (or us, the community!) to >> consider modifying the documentation to state this. Maybe >> something like: > >> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP >> Connector element represents a Connector component that >> communicates with a web connector via the AJP protocol. [This is >> an unencrypted connector, intended for use in protected >> enviroments.] This is used for cases where you wish to invisibly >> integrate Tomcat into an existing (or new) Apache installation, >> and you want Apache to handle the static content contained in the >> web application, and/or utilize Apache's SSL processing. > > That seems reasonable. Care to provide a documentation patch? > You'll get your name into the change log ;) > > -chris > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqWu/EACgkQHPApP6U8 pFiKpw/8DV5gNNAHcCvOmjwAL6U7f03w+F2r8NrmMETrTzcUq2hukzOntPoX+1h/ jDjBeD5qq0NDbOotLwbl6KXNc/ZepqLznz2YQm2J/fltngtMmH23EtosbMCyBQTE TgSMom5+7BMZCxffkzAjPI8gl1pCT8TbU2TVRz6eE7d8f756/KfuMD2mCR7T3UvK
Re: Tomcat 7 - Sporadic problem re: cookies
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Chad, On 2/27/18 9:02 PM, Chad Stansbury wrote: > Thanks for your response. Unfortunately it doesn't appear to be a > bad cookie name or value, as the identical set of cookies are > passed (and parsed correctly) on requests that immediately precede > and follow the failing request. That's pretty clear from both the > Wireshark and Tomcat access logs we have. What we're seeing is that > the client (which is a browser, usually Chrome) sends a burst of > requests, and occasionally one of those requests will fail as the > web app detects that is has no cookies even though the Wireshark > indicates that there are. We even added logging to the > AccessLogValve to log the cookies that we're looking for, and it > yields an empty value... So we know that the cookie parsing is > either failing or the cookies get cleared following parsing, but > before being passed on to the AccessLogValve. Sounds like you have it at least semi-reproducible. That's great news. What about logging both the results of request.getCookies() as well as request.getHeader("Cookie")? If the parsing is failing, you will get no Cookie objects from request.getCookie(), but you should still get the header back from the request. If there is no header in the request... well, then maybe something is wrong elsewhere with the request, and Tomcat never gets to the Cookie header at all. > Also, as a follow-up, we corrected the HTTP/1.0 issue, and see that > the problem persists even with HTTP/1.1. The one thing that I > failed to mention on the original note is that we're running Tomcat > on a Windows server. So I'm not sure if that has anything to do > with the issue that we're seeing or not... I wouldn't expect Windows to have anything to do with it, same for HTTP/1.0 versus HTTP/1.1... headers haven't changed much across HTTP versions, and Tomcat treats those headers the same regardless of the advertised version of the protocol. The biggest difference between HTTP/1.0 and HTTP/1.1 is that HTTP/1.1 has a few required headers. > That being said, I will double-check the catalina.out to see if we > can find any cookie parsing related errors. That would be good. Again, it will probably only be logged a single time, not every time. But if you have the opportunity to bounce Tomcat and hit it with a load that will likely cause an error to occur, you ought to be able to catch an error message -- if indeed Cookie-parsing is the problem. Or, if request-parsing is the problem, too. One more question: are you using a reverse-proxy like httpd out in front? Exactly where are you sampling with Wireshark? - -chris > On Tue, Feb 27, 2018 at 3:13 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > Chad, > > On 2/27/18 9:44 AM, Chad Stansbury wrote: We've been troubleshooting an issue where our web application is getting a very occasional request that contains no cookies even though a Wireshark on the application server shows those cookies coming in on the request. I was able to replay the request that was captured via Wireshark, and when doing so, everything goes through just fine... so that rules out any sort of weird character set / header parsing issues. Environment specifics: Tomcat v7.0.77 running the (http-bio) connector Now here's the twist: Currently something in the site infrastructure has been configured to proxy to Tomcat with HTTP/1.0 instead of 1.1. We're trying to track that down and address that issue (for performance reasons), but in the mean time, we're wondering whether or not this is a concurrency issue related to protocol caching/recycling? Has anyone ever seen anything like this before? Is there any legitimate scenario(s) where Tomcat will *not* parse out the cookies, but still route the request to the web app? Is this possible an edge condition that that might be caused by the use of HTTP/1.0? Could this possibly be caused by the number of maxThreads exceeding the `processorCache` value? > > My immediate thought is that the cookie name or value contains a > character that causes parsing to fail within Tomcat. Do you have > any information about which cookies appear to be being ignored by > Tomcat (that is, not passed-on to the application) versus those > that ARE available to the application? > > Tomcat will generally log cookie-parsing errors to catalina.log, > and possibly to the application's log as well, but it may only do > so once per Tomcat-launch to avoid filling the disk with logs. Are > you seeing anything in the Tomcat logs which suggest that > cookie-parsing is failing ? > > Is the client a browser, or some non-human-interface device, such > as a client-library or something like that? > > -chris >> >> - >> >> To unsubscribe, e-mail:
RE: Security of AJP
Yes thank you a little bit. Maybe I need to see It in action to fully understand what its for. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -Original Message- From: George Stanchev [mailto:gstanc...@serena.com] Sent: Wednesday, February 28, 2018 9:09 AM To: Tomcat Users ListSubject: RE: Security of AJP It is used, for example, if you want to front Tomcat by Apache Web Server or by IIS (among others). In those cases the HTTP processing is done in the front system and if necessary it is proxied to Tomcat via AJP. You take HTTP request from that system, put it in an AJP record and send it over TCPIP to Tomcat's AJP connector. Is it more clear now? -Original Message- From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] Sent: Wednesday, February 28, 2018 6:40 AM To: Tomcat Users List Subject: RE: Security of AJP Since AJP is not really needed by Tomcat; If I comment out the AJP startup line in server.xml will that affect anything. I still don’t even understand what its for. I have read the apache docs but it doesn’t mean anything to me.. Apache's description doesn't tell me anything. The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing. That is mumbo jumbo. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 27, 2018 4:26 PM To: users@tomcat.apache.org Subject: Re: Security of AJP -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/27/18 3:54 PM, Mark A. Claassen wrote: > From what I have read, it seems that the AJP connector is not secure, > and is meant to be used in a protective environment. > There are lots of things that imply this, like no SSL settings and > such, but I cannot find it directly stated anywhere. I am pretty > confident in my read of this, but it is, of course, difficult to say > that "all options have been explored and it is not possible". AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc. > First of all, am I correct in my assertion that it cannot be made > secure? Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it. > And, if so, I would invite you (or us, the community!) to consider > modifying the documentation to state this. Maybe something like: > > https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP > Connector element represents a Connector component that communicates > with a web connector via the AJP protocol. [This is an unencrypted > connector, intended for use in protected enviroments.] This is used > for cases where you wish to invisibly integrate Tomcat into an > existing (or new) Apache installation, and you want Apache to handle > the static content contained in the web application, and/or utilize > Apache's SSL processing. That seems reasonable. Care to provide a documentation patch? You'll get your name into the change log ;) - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqVzOgACgkQHPApP6U8 pFitmA/6A1fSjyIDEz7q9lxzwhlbVxZFMIGSM9pQLF3ZHAI3qA304luhNO9+wjAp 4cbczpnKiiEIj+753To2d0NOtjPP4+NfR25d8sg+T5e3SgynpEhx8wPCvPPxHGBx hgsX9xY+gLikvJs25u7QAab8i2qe6i1YBtJhKUNgTLvD/OAI/MzfhkuQBEUq9yUx 66cWSJznsOHthnC2lUKCzTIrOEPDhhSd7B90n99SIV1DOZdOzI2fXA2xMXByaZ/e kiWSvt5OfvThDZlbXFexEwFrQfJ+Tj10/L/tVz4OY3LSPDXEukFE/MnRya8HW1sj 6ANX3tNOBBPLMtNNLfJtn16mbAQsWZMFRPYl3fukwmwWzEs1IvMq7dQGSOo355A7 UXMjlFL/ogty6Q3qFzhnpvoSNxmrCXKWos7Mk3kYpeWkp9yEB7Kp48ogsKIMRcn+ YW8+1c/yKC17PjjhOr2ty3QzHFRbY+x4nZO65v9c402UhM+MTf0J6GhUxxe5nHI2 bmA3bRFTjyLNpu97XjAfUEIuYEXynZSn8ViVnKhG3xjPIWokSjDyIDVmED4mvimt vE3bUTSkpAV8nE/M/Y3Xu5VjhLcjymHCVUoz/v8La7Bm9+nHfg1NH9XYmNmCrkr7 YkCaYAk9xErXTWbNABaY6sJNxATZA3pftl/592twWr7v9w0eDSQ= =FAja -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe,
RE: Security of AJP
It is used, for example, if you want to front Tomcat by Apache Web Server or by IIS (among others). In those cases the HTTP processing is done in the front system and if necessary it is proxied to Tomcat via AJP. You take HTTP request from that system, put it in an AJP record and send it over TCPIP to Tomcat's AJP connector. Is it more clear now? -Original Message- From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] Sent: Wednesday, February 28, 2018 6:40 AM To: Tomcat Users ListSubject: RE: Security of AJP Since AJP is not really needed by Tomcat; If I comment out the AJP startup line in server.xml will that affect anything. I still don’t even understand what its for. I have read the apache docs but it doesn’t mean anything to me.. Apache's description doesn't tell me anything. The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing. That is mumbo jumbo. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 27, 2018 4:26 PM To: users@tomcat.apache.org Subject: Re: Security of AJP -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/27/18 3:54 PM, Mark A. Claassen wrote: > From what I have read, it seems that the AJP connector is not secure, > and is meant to be used in a protective environment. > There are lots of things that imply this, like no SSL settings and > such, but I cannot find it directly stated anywhere. I am pretty > confident in my read of this, but it is, of course, difficult to say > that "all options have been explored and it is not possible". AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc. > First of all, am I correct in my assertion that it cannot be made > secure? Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it. > And, if so, I would invite you (or us, the community!) to consider > modifying the documentation to state this. Maybe something like: > > https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP > Connector element represents a Connector component that communicates > with a web connector via the AJP protocol. [This is an unencrypted > connector, intended for use in protected enviroments.] This is used > for cases where you wish to invisibly integrate Tomcat into an > existing (or new) Apache installation, and you want Apache to handle > the static content contained in the web application, and/or utilize > Apache's SSL processing. That seems reasonable. Care to provide a documentation patch? You'll get your name into the change log ;) - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqVzOgACgkQHPApP6U8 pFitmA/6A1fSjyIDEz7q9lxzwhlbVxZFMIGSM9pQLF3ZHAI3qA304luhNO9+wjAp 4cbczpnKiiEIj+753To2d0NOtjPP4+NfR25d8sg+T5e3SgynpEhx8wPCvPPxHGBx hgsX9xY+gLikvJs25u7QAab8i2qe6i1YBtJhKUNgTLvD/OAI/MzfhkuQBEUq9yUx 66cWSJznsOHthnC2lUKCzTIrOEPDhhSd7B90n99SIV1DOZdOzI2fXA2xMXByaZ/e kiWSvt5OfvThDZlbXFexEwFrQfJ+Tj10/L/tVz4OY3LSPDXEukFE/MnRya8HW1sj 6ANX3tNOBBPLMtNNLfJtn16mbAQsWZMFRPYl3fukwmwWzEs1IvMq7dQGSOo355A7 UXMjlFL/ogty6Q3qFzhnpvoSNxmrCXKWos7Mk3kYpeWkp9yEB7Kp48ogsKIMRcn+ YW8+1c/yKC17PjjhOr2ty3QzHFRbY+x4nZO65v9c402UhM+MTf0J6GhUxxe5nHI2 bmA3bRFTjyLNpu97XjAfUEIuYEXynZSn8ViVnKhG3xjPIWokSjDyIDVmED4mvimt vE3bUTSkpAV8nE/M/Y3Xu5VjhLcjymHCVUoz/v8La7Bm9+nHfg1NH9XYmNmCrkr7 YkCaYAk9xErXTWbNABaY6sJNxATZA3pftl/592twWr7v9w0eDSQ= =FAja -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Security of AJP
Since AJP is not really needed by Tomcat; If I comment out the AJP startup line in server.xml will that affect anything. I still don’t even understand what its for. I have read the apache docs but it doesn’t mean anything to me.. Apache's description doesn't tell me anything. The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing. That is mumbo jumbo. === Thank You; Chris Cheltenham Technology Services The School District of Philadelphia Work # 215-400-5025 Cell # 215-301-6571 -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 27, 2018 4:26 PM To: users@tomcat.apache.org Subject: Re: Security of AJP -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 2/27/18 3:54 PM, Mark A. Claassen wrote: > From what I have read, it seems that the AJP connector is not secure, > and is meant to be used in a protective environment. > There are lots of things that imply this, like no SSL settings and > such, but I cannot find it directly stated anywhere. I am pretty > confident in my read of this, but it is, of course, difficult to say > that "all options have been explored and it is not possible". AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc. > First of all, am I correct in my assertion that it cannot be made > secure? Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it. > And, if so, I would invite you (or us, the community!) to consider > modifying the documentation to state this. Maybe something like: > > https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP > Connector element represents a Connector component that communicates > with a web connector via the AJP protocol. [This is an unencrypted > connector, intended for use in protected enviroments.] This is used > for cases where you wish to invisibly integrate Tomcat into an > existing (or new) Apache installation, and you want Apache to handle > the static content contained in the web application, and/or utilize > Apache's SSL processing. That seems reasonable. Care to provide a documentation patch? You'll get your name into the change log ;) - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqVzOgACgkQHPApP6U8 pFitmA/6A1fSjyIDEz7q9lxzwhlbVxZFMIGSM9pQLF3ZHAI3qA304luhNO9+wjAp 4cbczpnKiiEIj+753To2d0NOtjPP4+NfR25d8sg+T5e3SgynpEhx8wPCvPPxHGBx hgsX9xY+gLikvJs25u7QAab8i2qe6i1YBtJhKUNgTLvD/OAI/MzfhkuQBEUq9yUx 66cWSJznsOHthnC2lUKCzTIrOEPDhhSd7B90n99SIV1DOZdOzI2fXA2xMXByaZ/e kiWSvt5OfvThDZlbXFexEwFrQfJ+Tj10/L/tVz4OY3LSPDXEukFE/MnRya8HW1sj 6ANX3tNOBBPLMtNNLfJtn16mbAQsWZMFRPYl3fukwmwWzEs1IvMq7dQGSOo355A7 UXMjlFL/ogty6Q3qFzhnpvoSNxmrCXKWos7Mk3kYpeWkp9yEB7Kp48ogsKIMRcn+ YW8+1c/yKC17PjjhOr2ty3QzHFRbY+x4nZO65v9c402UhM+MTf0J6GhUxxe5nHI2 bmA3bRFTjyLNpu97XjAfUEIuYEXynZSn8ViVnKhG3xjPIWokSjDyIDVmED4mvimt vE3bUTSkpAV8nE/M/Y3Xu5VjhLcjymHCVUoz/v8La7Bm9+nHfg1NH9XYmNmCrkr7 YkCaYAk9xErXTWbNABaY6sJNxATZA3pftl/592twWr7v9w0eDSQ= =FAja -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China
Notification: Business Message From Ms. Grace Chen
Notification: Business Message from Grace Chen, --> Dear Supplier, Made-in-China.com would like to let you know the you have just received a new business message which is saved in the Message Centre of your member home (Virtual Office) within the next 1 year. We suggest you sign in with your Email to view or reply the message. For your convenience, a copy of this message is also provided below. Message Details Message Subject Inquiry about your product Message ContentDear, Please check the attached quotation sheet. May I know your email address? If you can match our rates then let me know. I wait for your reply. Regards, Grace Chen, Message Basics and Contact Details Message code QKpaWNoCqLpl Date & time sent 2018-02-28 02:09:43 (GMT+08:00) Texas, United States Sender Grace Chen, Company SASA Sanayi A.S Email To view the email address, please sign in your account. (NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY to en_notificat...@made-in-china.com) Telephone +1 (917) 821-6337 Fax Country/Region United States Homepage http://www.made-in-china.com/traderoom/dzm141772436166 Sender's IP Address213.136.*.* Sender's IP Location United States Note: 1) Sender's IP information is for reference only, but NOT guaranteed or verified by Made-in-China.com; 2) Send us complaint if you are receiving unsolicited messages (SPAM and/or Duplicate Messages), threatening or harassing messages, suspicious messages about fee advance or money transfer ... etc. * This notification service is provided by http://www.made-in-china.com * Source Quality Products Made in China