RE: Is it possible and how

2018-02-28 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Subject: Re: Is it possible and how

> On 2/28/18 11:12 AM, M. Osama Alghwell wrote:
> > I have a Java application that runs on Windows and uses Tomcat
> > (unfortunately it is Tomcat 4.5 and I am assigned to upgrade it).

There was no Tomcat 4.5; 4.1, 5.0, and 5.5 were released, many years ago.

> > Is it possible to move to the Linux platform? And is it possible to
> > jump to Tomcat 8.x? What action should be taken?

> While that sounds like a big jump (Windows -> Linux, Tomcat 4.x ->
> 8.x), it shouldn't be a *huge* change. You'll also need a Java upgrade
> as well, of course (Tomcat 8 requires Java 7 or later; I recommend
> Java 8).

Reading the migration guides would also be useful, although they don't go
all the way back to Tomcat 4:
http://tomcat.apache.org/migration.html

  - Chuck




Re: Is it possible and how

2018-02-28 Thread Christopher Schultz

Osama,

Welcome to the community!

On 2/28/18 11:12 AM, M. Osama Alghwell wrote:
> I have a Java application that runs on Windows and uses Tomcat
> (unfortunately it is Tomcat 4.5 and I am assigned to upgrade it).
> Is it possible to move to the Linux platform? And is it possible to
> jump to Tomcat 8.x? What action should be taken?

While that sounds like a big jump (Windows -> Linux, Tomcat 4.x ->
8.x), it shouldn't be a *huge* change. You'll also need a Java upgrade
as well, of course (Tomcat 8 requires Java 7 or later; I recommend
Java 8).

Installing Tomcat on Linux is straightforward:

Option a) Use your package-manager to install the "tomcat" package (or
whatever it is called in your environment)

Option b) Download apache-tomcat-8.x.y.tar.gz from the ASF web site
and untar the tarball wherever you want.

In this community, we have a slight preference for "Option b" only
because package-managers often move things around in ways we can't
always predict or have in our brains. The ASF-issued package always
puts files in a predictable place.

Once you've installed Java and Tomcat, installing your web application
should be as easy as:

1. Drop your application's WAR file (or exploded WAR-like directory)
into Tomcat's webapps/ auto-deployment directory

2. Adding any configuration to Tomcat's conf/server.xml you require
(usually  elements)

3. You may have to adjust (or create, if necessary) your application's
META-INF/context.xml file. This is typically where you would configure
any resources such as a JDBC connection pool your application may
require. Most applications deployed on Tomcat 4 put everything into
the server's global configuration, so moving that into
application-specific configuration is a Good Idea.

4. Launch Tomcat (and your application, which should auto-deploy) and
see if there are any errors. Then, run-through your testing plan to
ensure that everything is working.

Please note that you cannot copy any of the following files from your
old Tomcat installation into the new one:

  conf/server.xml
  conf/context.xml
  conf/web.xml

If you have any questions, don't hesitate to post back to this mailing
list. The more specific you can make your question, the better help
you can get.

Hope that helps,
- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Security of AJP

2018-02-28 Thread Mark H. Wood
On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
> Chris,
> 
> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> > Since AJP is not really needed by Tomcat; If I comment out the AJP
> > startup line in server.xml will that affect anything.
> > 
> > I still don’t even understand what its for. I have read the apache
> > docs but it doesn’t mean anything to me.. Apache's description
> > doesn't tell me anything.
> > 
> > 
> > The AJP Connector element represents a Connector component that
> > communicates with a web connector via the AJP protocol. This is
> > used for cases where you wish to invisibly integrate Tomcat into an
> > existing (or new) Apache installation, and you want Apache to
> > handle the static content contained in the web application, and/or
> > utilize Apache's SSL processing.
> > 
> > That is mumbo jumbo.
> 
> Is it?

Well, it could be improved.  For example, by using the
widely-understood word "proxy" somewhere, or defining "web connector".
Also by recalling that "Apache" is a huge array of various projects
(including Tomcat!), while "Apache HTTP Server" refers to a specific
web server daemon that can front-end Tomcat.  One could even link
"Apache HTTP Server" to 'http://httpd.apache.org/'.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Is it possible and how

2018-02-28 Thread M. Osama Alghwell
Hi all,

I have a Java application that runs on Windows and uses Tomcat
(unfortunately it is Tomcat 4.5 and I am assigned to upgrade it). Is it
possible to move to the Linux platform? And is it possible to jump to Tomcat
8.x? What action should be taken?

Thank you

-- 
*M. Osama Alghwell*


Re: [OT] Security of AJP

2018-02-28 Thread Olaf Kock



On 28.02.2018 16:01, Cheltenham, Chris wrote:

In this case are you tunneling into tomcat via 8009 AJP connector?


"tunneling the (unencrypted) AJP connection between Apache httpd and 
Tomcat, so that it's no longer transmitted in clear text." - that's how 
I'd phrase it.


(and thank you Christopher, great input, this goes directly into my toolbox)

Olaf




RE: Security of AJP

2018-02-28 Thread Berneburg, Cris J. - US
Chris and Chris

-Original Message-
> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
> Sent: Wednesday, February 28, 2018 8:40 AM
> To: Tomcat Users List 
> Subject: RE: Security of AJP
>
> Since AJP is not really needed by Tomcat; If I comment out the AJP startup 
> line in server.xml will that affect anything.
>
> I still don’t even understand what its for.
> I have read the apache docs but it doesn’t mean anything to me..
> Apache's description doesn't tell me anything.
>
>
> The AJP Connector element represents a Connector component that communicates 
> with a web connector via the AJP protocol. This is used for cases where you 
> wish to invisibly integrate Tomcat into an existing (or new) Apache 
> installation, and you want Apache to handle the static content contained in 
> the web application, and/or utilize Apache's SSL processing.
>
> That is mumbo jumbo.



Perhaps if "Apache" were replaced with "Apache web server (httpd)" in the 
documentation that would clarify things.



> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> > From what I have read, it seems that the AJP connector is not secure,
> > and is meant to be used in a protective environment.
> > There are lots of things that imply this, like no SSL settings and
> > such, but I cannot find it directly stated anywhere.  I am pretty
> > confident in my read of this, but it is, of course, difficult to say
> > that "all options have been explored and it is not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption 
> capabilities. If you want to secure it, you will have to use some tunneling 
> technology such as a VPN, stunnel, etc.
>
> > First of all, am I correct in my assertion that it cannot be made
> > secure?
>
> Theoretically, it can be made to be secure, but it would require a great deal 
> of work and honestly, it's probably not worth it. The protocol is mature and 
> nobody really feels like retrofitting encryption into it.
>
> > And, if so, I would invite you (or us, the community!) to consider
> > modifying the documentation to state this.  Maybe something like:
> >
> > https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP
> > Connector element represents a Connector component that communicates
> > with a web connector via the AJP protocol. [This is an unencrypted
> > connector, intended for use in protected environments.] This is used
> > for cases where you wish to invisibly integrate Tomcat into an
> > existing (or new) Apache installation, and you want Apache to handle
> > the static content contained in the web application, and/or utilize
> > Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch? You'll get your 
> name into the change log ;)
>
> - -chris
>

--
Cris Berneburg, Lead Software Engineer
CACI, IRMA Project
phone: 703-679-5313



RE: Security of AJP

2018-02-28 Thread Cheltenham, Chris
Chris,

Poor choice of words.
Not meaning it maliciously; just frustrated.
My apologies.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, February 28, 2018 9:26 AM
To: users@tomcat.apache.org
Subject: Re: Security of AJP


Chris,

On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> Since AJP is not really needed by Tomcat; If I comment out the AJP
> startup line in server.xml will that affect anything.
>
> I still don’t even understand what its for. I have read the apache
> docs but it doesn’t mean anything to me.. Apache's description doesn't
> tell me anything.
>
>
> The AJP Connector element represents a Connector component that
> communicates with a web connector via the AJP protocol. This is used
> for cases where you wish to invisibly integrate Tomcat into an
> existing (or new) Apache installation, and you want Apache to handle
> the static content contained in the web application, and/or utilize
> Apache's SSL processing.
>
> That is mumbo jumbo.

Is it?

Lots of things sound like "mumbo jumbo" if you have no basic understanding 
of the topic. I'm sure I wouldn't be able to understand a description of 
reverse-transcriptase inhibitors if I had never heard of the germ theory of 
medicine or DNA. But that doesn't make it "mumbo jumbo".

Documentation always requires a basic understanding of the topic before you 
begin. You can't learn English from scratch by simply picking up a 
dictionary and reading it start to finish. That description above is 
intended to be read by people who need to connect servers together, and 
already understand the ideas behind the mechanisms required to do such a 
thing.

AJP is a communications protocol (the third letter - P - stands for 
"protocol", just like in HTTP). Like HTTP, it carries web requests between 
two endpoints where one is the client and the other is the server.

The AJP Connector is a Connector (you have to understand what Tomcat means 
by "connector", here) that uses the AJP protocol (instead of HTTP). It only 
makes sense to use AJP with clients who can speak it.
AJP is really only useful between reverse-proxies (you have to understand 
what a reverse-proxy is, here) and Tomcat or other Java-based app servers.

If you don't understand any of these things, you generally don't have to 
worry about them.

If you don't need a reverse-proxy, you don't need AJP or the connector that 
speaks it.

- -chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 27,
> 2018 4:26 PM To: users@tomcat.apache.org Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not secure,
>> and is meant to be used in a protective environment.
>> There are lots of things that imply this, like no SSL settings and
>> such, but I cannot find it directly stated anywhere.  I am pretty
>> confident in my read of this, but it is, of course, difficult to say
>> that "all options have been explored and it is not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption
> capabilities. If you want to secure it, you will have to use some
> tunneling technology such as a VPN, stunnel, etc.
>
>> First of all, am I correct in my assertion that it cannot be made
>> secure?
>
> Theoretically, it can be made to be secure, but it would require a
> great deal of work and honestly, it's probably not worth it. The
> protocol is mature and nobody really feels like retrofitting
> encryption into it.
>
>> And, if so, I would invite you (or us, the community!) to consider
>> modifying the documentation to state this.  Maybe something like:
>
>> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP
>> Connector element represents a Connector component that communicates
>> with a web connector via the AJP protocol. [This is an unencrypted
>> connector, intended for use in protected environments.] This is used
>> for cases where you wish to invisibly integrate Tomcat into an
>> existing (or new) Apache installation, and you want Apache to handle
>> the static content contained in the web application, and/or utilize
>> Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch?
> You'll get your name into the change log ;)
>
> -chris
>

RE: [OT] Security of AJP

2018-02-28 Thread Cheltenham, Chris
In this case are you tunneling into tomcat via 8009 AJP connector?


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, February 28, 2018 9:37 AM
To: users@tomcat.apache.org
Subject: Re: [OT] Security of AJP


Olaf,

On 2/28/18 2:46 AM, Olaf Kock wrote:
> On 27.02.2018 23:18, Christopher Schultz wrote:
>> Olaf,
>>
>> On 2/27/18 4:33 PM, Olaf Kock wrote:
>>> On 27.02.2018 21:54, Mark A. Claassen wrote: I would /not/ state
>>> that it's /not secure/. But I'm following your later
>>> argument: It's an "unencrypted connector", yes. In order to encrypt
>>> it, it needs to be run through an encrypted tunnel - and doing so is
>>> cumbersome, error prone and unrelated to the unencrypted nature of
>>> this connector.
>> We use stunnel in production to tunnel AJP from AWS-based web servers
>> and our back-end co-located app servers. We haven't had any problems
>> with that set up vis-a-vis connection failures or anything like that.
>> We haven't even had any issues with running out of file-handles for
>> stunnel.
>>
>> So, yes, it's another component to configure and babysit, but I
>> wouldn't call it "cumbersome"... merely "more than you might expect"
>> when HTTPS through mod_proxy_http is an alternative.
>
> Nice. This is the first time that I hear that somebody actually does
> this. It's not surprising that it comes from this direction (e.g. you,
> somebody well known in this community).

I'd offer to do a talk on it at ApacheCon, but it would be a short talk. The 
following config files have 12 lines of effective configuration, 6 of which 
come out of the box in the basic configuration (everything at the top, until 
you get to the "basic TLS stuff" comment):

=== CUT ===

# stunnel configuration file (web server)
# boilerplate stuff:
pid=/stunnel.pid
chroot=/var/lib/stunnel4
setuid=stunnel
setgid=stunnel
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

# Basic TLS stuff
sslVersion = TLSv1.2
fips=no

# we are a client
client=yes

# Connection information
[ajp13]
accept=localhost:8009
connect=backend.example.com:8010

=== CUT ===

# stunnel configuration file (app server)
# boilerplate stuff:
cert=/etc/stunnel/stunnel.pem
pid=/stunnel.pid
chroot=/var/lib/stunnel4
setuid=stunnel
setgid=stunnel
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

# Basic TLS stuff
options=NO_SSLv2
options=NO_SSLv3

[ajp13]
accept=8010
connect=localhost:8009

=== CUT ===

stunnel runs on both sides of the connection.

The connection looks like this:

httpd [mod_jk] - AJP13 -> localhost:8009 [stunnel] - TLS ->
backend.example.com:8010 [stunnel] - AJP13 -> localhost:8009

The "TLS" part of the connection goes across the network to the backend 
host. The first "localhost" refers to the web server talking to itself over 
the loopback connection, and the second "localhost"
refers to the app server talking to itself over the loopback connection.

We aren't doing anything with mutual TLS authentication (client certs) 
because we are using IP-based whitelisting. I suppose we could tighten-up 
security a bit by using client certs, but then we'd have more key material 
out on our web servers and, really, how secure is that?

I assume someone will talk about proxying at ApacheCon. I'll ask them to 
stick in a slide about using stunnel since it's fairly short. Just a picture 
and a sample configuration.

Hope that helps,
- -chris



Re: [OT] Security of AJP

2018-02-28 Thread Christopher Schultz

Olaf,

On 2/28/18 2:46 AM, Olaf Kock wrote:
> On 27.02.2018 23:18, Christopher Schultz wrote:
>> Olaf,
>> 
>> On 2/27/18 4:33 PM, Olaf Kock wrote:
>>> On 27.02.2018 21:54, Mark A. Claassen wrote: I would /not/
>>> state that it's /not secure/. But I'm following your later
>>> argument: It's an "unencrypted connector", yes. In order to 
>>> encrypt it, it needs to be run through an encrypted tunnel -
>>> and doing so is cumbersome, error prone and unrelated to the 
>>> unencrypted nature of this connector.
>> We use stunnel in production to tunnel AJP from AWS-based web
>> servers and our back-end co-located app servers. We haven't had
>> any problems with that set up vis-a-vis connection failures or
>> anything like that. We haven't even had any issues with running
>> out of file-handles for stunnel.
>> 
>> So, yes, it's another component to configure and babysit, but I 
>> wouldn't call it "cumbersome"... merely "more than you might
>> expect" when HTTPS through mod_proxy_http is an alternative.
> 
> Nice. This is the first time that I hear that somebody actually
> does this. It's not surprising that it comes from this direction
> (e.g. you, somebody well known in this community).

I'd offer to do a talk on it at ApacheCon, but it would be a short
talk. The following config files have 12 lines of effective
configuration, 6 of which come out of the box in the basic
configuration (everything at the top, until you get to the "basic TLS
stuff" comment):

=== CUT ===

# stunnel configuration file (web server)
# boilerplate stuff:
pid=/stunnel.pid
chroot=/var/lib/stunnel4
setuid=stunnel
setgid=stunnel
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

# Basic TLS stuff
sslVersion = TLSv1.2
fips=no

# we are a client
client=yes

# Connection information
[ajp13]
accept=localhost:8009
connect=backend.example.com:8010

=== CUT ===

# stunnel configuration file (app server)
# boilerplate stuff:
cert=/etc/stunnel/stunnel.pem
pid=/stunnel.pid
chroot=/var/lib/stunnel4
setuid=stunnel
setgid=stunnel
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

# Basic TLS stuff
options=NO_SSLv2
options=NO_SSLv3

[ajp13]
accept=8010
connect=localhost:8009

=== CUT ===

stunnel runs on both sides of the connection.

The connection looks like this:

httpd [mod_jk] - AJP13 -> localhost:8009 [stunnel] - TLS ->
backend.example.com:8010 [stunnel] - AJP13 -> localhost:8009

The "TLS" part of the connection goes across the network to the
backend host. The first "localhost" refers to the web server talking
to itself over the loopback connection, and the second "localhost"
refers to the app server talking to itself over the loopback connection.

We aren't doing anything with mutual TLS authentication (client certs)
because we are using IP-based whitelisting. I suppose we could
tighten-up security a bit by using client certs, but then we'd have
more key material out on our web servers and, really, how secure is that?

I assume someone will talk about proxying at ApacheCon. I'll ask them
to stick in a slide about using stunnel since it's fairly short. Just
a picture and a sample configuration.

Hope that helps,
- -chris
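
An added example (not part of the original post and not the author's tooling): a small Python linter for the tunnel layout described above, run over a trimmed copy of the two posted configs. It relies on stunnel's default of verifying no peer certificate unless `verify`, `verifyChain` or `verifyPeer` is set; the function names, finding codes and the CA bundle path are hypothetical.

```python
"""Added example: lint both ends of an AJP-over-stunnel tunnel."""
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
VERIFY_KEYS = ("verifychain", "verifypeer", "verify")

# Trimmed copy of the tunnel-relevant settings from the two posted configs.
WEB_SERVER_CONF = """\
sslVersion = TLSv1.2
client=yes
[ajp13]
accept=localhost:8009
connect=backend.example.com:8010
"""
APP_SERVER_CONF = """\
cert=/etc/stunnel/stunnel.pem
options=NO_SSLv2
options=NO_SSLv3
[ajp13]
accept=8010
connect=localhost:8009
"""
# Constructed variant: the web server also authenticates the back end.
# The CA bundle path is a placeholder.
WEB_SERVER_VERIFIED = WEB_SERVER_CONF + (
    "verifyChain=yes\nCAfile=/etc/stunnel/ca.pem\ncheckHost=backend.example.com\n"
)


def parse_stunnel(text):
    """Return (global_options, {service: options}); keys lowercased, values listed."""
    glob, services = {}, {}
    current = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return glob, services


def setting(glob, svc, key):
    """Service-level value wins over the global default; last occurrence wins."""
    values = svc.get(key) or glob.get(key)
    return values[-1] if values else None


def endpoint(value):
    """'host:port' -> (host, port); a bare port -> (None, port), i.e. every interface."""
    host, sep, port = value.rpartition(":")
    return (host if sep else None), int(port)


def verifies_peer(glob, svc):
    """True when any certificate-verification option is switched on."""
    return any(setting(glob, svc, k) not in (None, "no", "0") for k in VERIFY_KEYS)


def lint_tunnel(client_text, server_text, service="ajp13"):
    """Check one service on both ends; assumes accept/connect are present on each."""
    cg, cs = parse_stunnel(client_text)
    sg, ss = parse_stunnel(server_text)
    c, s = cs[service], ss[service]
    findings = []
    if setting(cg, c, "client") != "yes":
        findings.append(("CLIENT_MODE_MISSING", "web-server side lacks client=yes"))
    # Cleartext AJP must exist only on loopback, on both hosts.
    if endpoint(setting(cg, c, "accept"))[0] not in LOOPBACK:
        findings.append(("CLEARTEXT_LISTENER_EXPOSED",
                         "web server accepts cleartext AJP on a non-loopback address"))
    if endpoint(setting(sg, s, "connect"))[0] not in LOOPBACK:
        findings.append(("CLEARTEXT_LEAVES_HOST",
                         "app server forwards decrypted AJP off the local host"))
    if endpoint(setting(cg, c, "connect"))[1] != endpoint(setting(sg, s, "accept"))[1]:
        findings.append(("PORT_MISMATCH",
                         "client connect port differs from server accept port"))
    if not setting(sg, s, "cert"):
        findings.append(("SERVER_CERT_MISSING", "app-server side has no cert= setting"))
    # stunnel verifies no certificates unless one of VERIFY_KEYS is set.
    if not verifies_peer(cg, c):
        findings.append(("CLIENT_NO_SERVER_AUTH",
                         "web server encrypts to the back end but does not authenticate it"))
    if not verifies_peer(sg, s):
        findings.append(("SERVER_NO_CLIENT_AUTH",
                         "no client-certificate check; access rests on network filtering"))
    return findings


if __name__ == "__main__":
    for code, message in lint_tunnel(WEB_SERVER_CONF, APP_SERVER_CONF):
        print(f"{code}: {message}")
```

On the posted pair the loopback and port checks pass and only the two authentication findings remain; the second is the trade-off the post attributes to IP-based whitelisting.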



Re: Security of AJP

2018-02-28 Thread Christopher Schultz

Chris,

On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> Since AJP is not really needed by Tomcat; If I comment out the AJP
> startup line in server.xml will that affect anything.
> 
> I still don’t even understand what its for. I have read the apache
> docs but it doesn’t mean anything to me.. Apache's description
> doesn't tell me anything.
> 
> 
> The AJP Connector element represents a Connector component that
> communicates with a web connector via the AJP protocol. This is
> used for cases where you wish to invisibly integrate Tomcat into an
> existing (or new) Apache installation, and you want Apache to
> handle the static content contained in the web application, and/or
> utilize Apache's SSL processing.
> 
> That is mumbo jumbo.

Is it?

Lots of things sound like "mumbo jumbo" if you have no basic
understanding of the topic. I'm sure I wouldn't be able to understand
a description of reverse-transcriptase inhibitors if I had never heard
of the germ theory of medicine or DNA. But that doesn't make it "mumbo
jumbo".

Documentation always requires a basic understanding of the topic
before you begin. You can't learn English from scratch by simply
picking up a dictionary and reading it start to finish. That
description above is intended to be read by people who need to connect
servers together, and already understand the ideas behind the
mechanisms required to do such a thing.

AJP is a communications protocol (the third letter - P - stands for
"protocol", just like in HTTP). Like HTTP, it carries web requests
between two endpoints where one is the client and the other is the
server.

The AJP Connector is a Connector (you have to understand what Tomcat
means by "connector", here) that uses the AJP protocol (instead of
HTTP). It only makes sense to use AJP with clients who can speak it.
AJP is really only useful between reverse-proxies (you have to
understand what a reverse-proxy is, here) and Tomcat or other
Java-based app servers.

If you don't understand any of these things, you generally don't have
to worry about them.

If you don't need a reverse-proxy, you don't need AJP or the connector
that speaks it.

- -chris

> -Original Message- From: Christopher Schultz
> [mailto:ch...@christopherschultz.net] Sent: Tuesday, February 27,
> 2018 4:26 PM To: users@tomcat.apache.org Subject: Re: Security of
> AJP
> 
> Mark,
> 
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not
>> secure, and is meant to be used in a protective environment. 
>> There are lots of things that imply this, like no SSL settings
>> and such, but I cannot find it directly stated anywhere.  I am
>> pretty confident in my read of this, but it is, of course,
>> difficult to say that "all options have been explored and it is
>> not possible".
> 
> AJP is definitely a cleartext protocol, and offers no encryption 
> capabilities. If you want to secure it, you will have to use some
> tunneling technology such as a VPN, stunnel, etc.
> 
>> First of all, am I correct in my assertion that it cannot be
>> made secure?
> 
> Theoretically, it can be made to be secure, but it would require a
> great deal of work and honestly, it's probably not worth it. The
> protocol is mature and nobody really feels like retrofitting
> encryption into it.
> 
>> And, if so, I would invite you (or us, the community!) to
>> consider modifying the documentation to state this.  Maybe
>> something like:
> 
>> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP 
>> Connector element represents a Connector component that
>> communicates with a web connector via the AJP protocol. [This is
>> an unencrypted connector, intended for use in protected
>> environments.] This is used for cases where you wish to invisibly
>> integrate Tomcat into an existing (or new) Apache installation,
>> and you want Apache to handle the static content contained in the
>> web application, and/or utilize Apache's SSL processing.
> 
> That seems reasonable. Care to provide a documentation patch?
> You'll get your name into the change log ;)
> 
> -chris
> 

Re: Tomcat 7 - Sporadic problem re: cookies

2018-02-28 Thread Christopher Schultz

Chad,

On 2/27/18 9:02 PM, Chad Stansbury wrote:
> Thanks for your response. Unfortunately it doesn't appear to be a
> bad cookie name or value, as the identical set of cookies are
> passed (and parsed correctly) on requests that immediately precede
> and follow the failing request. That's pretty clear from both the
> Wireshark and Tomcat access logs we have. What we're seeing is that
> the client (which is a browser, usually Chrome) sends a burst of
> requests, and occasionally one of those requests will fail as the
> web app detects that it has no cookies even though the Wireshark
> indicates that there are.  We even added logging to the
> AccessLogValve to log the cookies that we're looking for, and it
> yields an empty value... So we know that the cookie parsing is
> either failing or the cookies get cleared following parsing, but
> before being passed on to the AccessLogValve.

Sounds like you have it at least semi-reproducible. That's great news.

What about logging both the results of request.getCookies() as well as
request.getHeader("Cookie")? If the parsing is failing, you will get
no Cookie objects from request.getCookies(), but you should still get
the header back from the request.

If there is no header in the request... well, then maybe something is
wrong elsewhere with the request, and Tomcat never gets to the Cookie
header at all.

> Also, as a follow-up, we corrected the HTTP/1.0 issue, and see that
> the problem persists even with HTTP/1.1. The one thing that I
> failed to mention on the original note is that we're running Tomcat
> on a Windows server. So I'm not sure if that has anything to do
> with the issue that we're seeing or not...

I wouldn't expect Windows to have anything to do with it, same for
HTTP/1.0 versus HTTP/1.1... headers haven't changed much across HTTP
versions, and Tomcat treats those headers the same regardless of the
advertised version of the protocol. The biggest difference between
HTTP/1.0 and HTTP/1.1 is that HTTP/1.1 has a few required headers.

> That being said, I will double-check the catalina.out to see if we
> can find any cookie parsing related errors.

That would be good. Again, it will probably only be logged a single
time, not every time. But if you have the opportunity to bounce Tomcat
and hit it with a load that will likely cause an error to occur, you
ought to be able to catch an error message -- if indeed Cookie-parsing
is the problem. Or, if request-parsing is the problem, too.

One more question: are you using a reverse-proxy like httpd out in
front? Exactly where are you sampling with Wireshark?

- -chris

> On Tue, Feb 27, 2018 at 3:13 PM, Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> Chad,
> 
> On 2/27/18 9:44 AM, Chad Stansbury wrote:
> >> We've been troubleshooting an issue where our web application
> >> is getting a very occasional request that contains no cookies
> >> even though a Wireshark on the application server shows those
> >> cookies coming in on the request.
> >>
> >> I was able to replay the request that was captured via
> >> Wireshark, and when doing so, everything goes through just
> >> fine... so that rules out any sort of weird character set /
> >> header parsing issues.
> >>
> >> Environment specifics: Tomcat v7.0.77 running the (http-bio)
> >> connector
> >>
> >> Now here's the twist: Currently something in the site
> >> infrastructure has been configured to proxy to Tomcat with
> >> HTTP/1.0 instead of 1.1. We're trying to track that down and
> >> address that issue (for performance reasons), but in the
> >> meantime, we're wondering whether or not this is a concurrency
> >> issue related to protocol caching/recycling?
> >>
> >> Has anyone ever seen anything like this before? Is there any
> >> legitimate scenario(s) where Tomcat will *not* parse out the
> >> cookies, but still route the request to the web app? Is this
> >> possibly an edge condition that might be caused by the
> >> use of HTTP/1.0? Could this possibly be caused by the number
> >> of maxThreads exceeding the `processorCache` value?
> 
> My immediate thought is that the cookie name or value contains a 
> character that causes parsing to fail within Tomcat. Do you have
> any information about which cookies appear to be being ignored by
> Tomcat (that is, not passed-on to the application) versus those
> that ARE available to the application?
> 
> Tomcat will generally log cookie-parsing errors to catalina.log,
> and possibly to the application's log as well, but it may only do
> so once per Tomcat-launch to avoid filling the disk with logs. Are
> you seeing anything in the Tomcat logs which suggest that
> cookie-parsing is failing?
> 
> Is the client a browser, or some non-human-interface device, such
> as a client-library or something like that?
> 
> -chris

RE: Security of AJP

2018-02-28 Thread Cheltenham, Chris
Yes, thank you, a little bit.
Maybe I need to see it in action to fully understand what it's for.



===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-Original Message-
From: George Stanchev [mailto:gstanc...@serena.com]
Sent: Wednesday, February 28, 2018 9:09 AM
To: Tomcat Users List 
Subject: RE: Security of AJP

It is used, for example, if you want to front Tomcat by Apache Web Server or 
by IIS (among others). In those cases the HTTP processing is done in the 
front system and if necessary it is proxied to Tomcat via AJP. You take the 
HTTP request from that system, put it in an AJP record and send it over 
TCP/IP to Tomcat's AJP connector.

Is it more clear now?

-Original Message-
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Wednesday, February 28, 2018 6:40 AM
To: Tomcat Users List 
Subject: RE: Security of AJP

Since AJP is not really needed by Tomcat, if I comment out the AJP startup 
line in server.xml, will that affect anything?

I still don’t even understand what it's for.
I have read the Apache docs but it doesn’t mean anything to me.
Apache's description doesn't tell me anything.


The AJP Connector element represents a Connector component that communicates 
with a web connector via the AJP protocol. This is used for cases where you 
wish to invisibly integrate Tomcat into an existing (or new) Apache 
installation, and you want Apache to handle the static content contained in 
the web application, and/or utilize Apache's SSL processing.

That is mumbo jumbo.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 27, 2018 4:26 PM
To: users@tomcat.apache.org
Subject: Re: Security of AJP


Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure,
> and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and
> such, but I cannot find it directly stated anywhere.  I am pretty
> confident in my read of this, but it is, of course, difficult to say
> that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption 
capabilities. If you want to secure it, you will have to use some tunneling 
technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made
> secure?

Theoretically, it can be made to be secure, but it would require a great 
deal of work and honestly, it's probably not worth it. The protocol is 
mature and nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider
> modifying the documentation to state this.  Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP
> Connector element represents a Connector component that communicates
> with a web connector via the AJP protocol. [This is an unencrypted
> connector, intended for use in protected environments.] This is used
> for cases where you wish to invisibly integrate Tomcat into an
> existing (or new) Apache installation, and you want Apache to handle
> the static content contained in the web application, and/or utilize
> Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch? You'll get 
your name into the change log ;)

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Security of AJP

2018-02-28 Thread George Stanchev
It is used, for example, if you want to front Tomcat by Apache Web Server or by 
IIS (among others). In those cases the HTTP processing is done in the front 
system and if necessary it is proxied to Tomcat via AJP. You take the HTTP 
request from that system, put it in an AJP record and send it over TCP/IP to 
Tomcat's AJP connector.

Is it more clear now?

-Original Message-
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] 
Sent: Wednesday, February 28, 2018 6:40 AM
To: Tomcat Users List 
Subject: RE: Security of AJP

Since AJP is not really needed by Tomcat, if I comment out the AJP startup line 
in server.xml, will that affect anything?

I still don’t even understand what it's for.
I have read the Apache docs but it doesn’t mean anything to me.
Apache's description doesn't tell me anything.


The AJP Connector element represents a Connector component that communicates 
with a web connector via the AJP protocol. This is used for cases where you 
wish to invisibly integrate Tomcat into an existing (or new) Apache 
installation, and you want Apache to handle the static content contained in the 
web application, and/or utilize Apache's SSL processing.

That is mumbo jumbo.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 27, 2018 4:26 PM
To: users@tomcat.apache.org
Subject: Re: Security of AJP


Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, 
> and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and 
> such, but I cannot find it directly stated anywhere.  I am pretty 
> confident in my read of this, but it is, of course, difficult to say 
> that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption capabilities. 
If you want to secure it, you will have to use some tunneling technology such 
as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made 
> secure?

Theoretically, it can be made to be secure, but it would require a great deal 
of work and honestly, it's probably not worth it. The protocol is mature and 
nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider 
> modifying the documentation to state this.  Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP 
> Connector element represents a Connector component that communicates 
> with a web connector via the AJP protocol. [This is an unencrypted 
> connector, intended for use in protected environments.] This is used 
> for cases where you wish to invisibly integrate Tomcat into an 
> existing (or new) Apache installation, and you want Apache to handle 
> the static content contained in the web application, and/or utilize 
> Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch? You'll get your 
name into the change log ;)

-chris




RE: Security of AJP

2018-02-28 Thread Cheltenham, Chris
Since AJP is not really needed by Tomcat, if I comment out the AJP startup 
line in server.xml, will that affect anything?

I still don’t even understand what it's for.
I have read the Apache docs but it doesn’t mean anything to me.
Apache's description doesn't tell me anything.


The AJP Connector element represents a Connector component that communicates 
with a web connector via the AJP protocol. This is used for cases where you 
wish to invisibly integrate Tomcat into an existing (or new) Apache 
installation, and you want Apache to handle the static content contained in 
the web application, and/or utilize Apache's SSL processing.

That is mumbo jumbo.


===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 27, 2018 4:26 PM
To: users@tomcat.apache.org
Subject: Re: Security of AJP


Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure,
> and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and
> such, but I cannot find it directly stated anywhere.  I am pretty
> confident in my read of this, but it is, of course, difficult to say
> that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption 
capabilities. If you want to secure it, you will have to use some tunneling 
technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made
> secure?

Theoretically, it can be made to be secure, but it would require a great 
deal of work and honestly, it's probably not worth it. The protocol is 
mature and nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider
> modifying the documentation to state this.  Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP
> Connector element represents a Connector component that communicates
> with a web connector via the AJP protocol. [This is an unencrypted
> connector, intended for use in protected environments.] This is used
> for cases where you wish to invisibly integrate Tomcat into an
> existing (or new) Apache installation, and you want Apache to handle
> the static content contained in the web application, and/or utilize
> Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch? You'll get 
your name into the change log ;)

-chris

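Added example, not part of the original thread and not Tomcat project code: a small audit of server.xml that ties together the two points discussed above, namely what commenting out the AJP Connector does and when the cleartext AJP link needs a tunnel or a protected network. The sample server.xml fragments are constructed, and the function names are hypothetical. It assumes that a Connector without an address attribute listens on all interfaces, as in the Tomcat releases current at the time of this thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (sample input, not taken from the thread).
STOCK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Same file with the AJP connector bound to the loopback interface only.
LOOPBACK_ONLY = STOCK.replace(
    'port="8009" protocol="AJP/1.3"',
    'port="8009" protocol="AJP/1.3" address="127.0.0.1"')

# Same file with the AJP connector line commented out.
COMMENTED_OUT = STOCK.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->')


def classify_bind(address):
    """Classify a Connector 'address' value by how widely it listens."""
    if address is None:
        # Assumption stated in the lead-in: no address means all interfaces.
        return "all-interfaces"
    if address.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "specific-host"  # a hostname; not resolved here (offline check)
    if ip.is_unspecified:       # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "specific-address"


def audit_ajp(server_xml):
    """Return one finding per active AJP Connector in a server.xml string.

    ElementTree discards XML comments, so a commented-out Connector is
    simply absent, which mirrors how Tomcat treats it: the listener is
    never started and the HTTP connector is unaffected.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        bind = classify_bind(conn.get("address"))
        findings.append({
            "port": conn.get("port"),
            "protocol": protocol,
            "bind": bind,
            # AJP has no encryption of its own: anything wider than loopback
            # puts cleartext on a network and needs a tunnel (VPN, stunnel)
            # or a protected segment, as the thread says.
            "cleartext_on_network": bind != "loopback",
        })
    return findings


if __name__ == "__main__":
    for name, xml in (("stock", STOCK), ("loopback", LOOPBACK_ONLY),
                      ("commented out", COMMENTED_OUT)):
        print(name, audit_ajp(xml) or "no AJP connector active")
```

If nothing in front of Tomcat (httpd with mod_jk or mod_proxy_ajp, IIS) speaks AJP to it, the commented-out variant is the one to aim for.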



Notification: Business Message From Ms. Grace Chen

2018-02-28 Thread Made-in-China.com
Notification: Business Message from Grace Chen

Dear Supplier, Made-in-China.com would like to let you know that you have 
just received a new business message which is saved in the Message Centre of 
your member home (Virtual Office) within the next 1 year. We suggest you sign 
in with your Email to view or reply the message. For your convenience, a copy 
of this message is also provided below.

Message Details

Message Subject: Inquiry about your product
Message Content:

Dear,

Please check the attached quotation sheet. May I know your email address? If 
you can match our rates then let me know.

I wait for your reply.

Regards,
Grace Chen,

Message Basics and Contact Details

Message code: QKpaWNoCqLpl
Date & time sent: 2018-02-28 02:09:43 (GMT+08:00) Texas, United States
Sender: Grace Chen,
Company: SASA Sanayi A.S
Email: To view the email address, please sign in your account.
(NOTE: Please login your Virtual Office to reply the message but DO NOT REPLY 
to en_notificat...@made-in-china.com)
Telephone: +1 (917) 821-6337
Fax:
Country/Region: United States
Homepage: http://www.made-in-china.com/traderoom/dzm141772436166
Sender's IP Address: 213.136.*.*
Sender's IP Location: United States

Note:
1) Sender's IP information is for reference only, but NOT guaranteed or 
verified by Made-in-China.com;
2) Send us complaint if you are receiving unsolicited messages (SPAM and/or 
Duplicate Messages), threatening or harassing messages, suspicious messages 
about fee advance or money transfer ... etc.
* This notification service is provided by http://www.made-in-china.com *

Source Quality Products Made in China

