Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-07 Thread David Cassidy
James,

You could put the stunnel into a while loop that makes it.
Perhaps you could send yourself an email each time it closed?

stunnel is probably the easiest to setup.

I had written a secure version of mod_ajp for Apache 1.3 (ie years ago) 
which did the whole SSL encryption of the traffic with 2-way
authentication. It wasn't added to the Tomcat source as, well, no one
wanted it :(

D


On Thu, 2008-03-06 at 17:54 -0500, Christopher Schultz wrote:
 
 James,
 
 James Ellis wrote:
 | I have done some goog'ling on IPSec and VPN and I have found three
 | possibilities:
 |
 | 1) OpenSSH and Port Forwarding
 |
 | 2) OpenVPN
 |
 | 3) Stunnel (thanks little voice)
 |
 | What concerns me about all three options is error handling.  If my
 | OpenSSH or OpenVPN or Stunnel connection failed/timed out, the whole
 | site would go down.  There would have to be a VERY good and almost
 | instant reconnection taking place.
 |
 | I am also concerned about performance.
 |
 | Any comments?
 
 If you want encryption, you have to sacrifice performance, so just
 forget about that concern right off the bat. Your concerns about
 robustness are certainly reasonable. You should be able to find
 information about restarting connections for each of these products by
 searching their forums, help, etc. Any good VPN should have options for
 restarting them when a failure is detected (but nothing is ever foolproof).
 
 -chris
 
 -
 To start a new topic, e-mail: users@tomcat.apache.org
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 

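What David's suggestion looks like in practice, as an added example that is not code from the thread or from any of the posters: stunnel on both ends of the AJP link with mutual certificate verification (the "2 way authentication" he mentions), mod_jk pointed at the local stunnel listener, and a small supervisor loop that restarts stunnel and records (and tries to mail) each exit. The host name `app.internal.example`, the TLS port 8010, the certificate and log paths, the alert address and the function names are all assumptions for the demonstration; the stunnel and mod_jk configuration keys are the real ones.

```shell
#!/bin/sh
# Added example, not code from the thread or from any poster: stunnel on both
# ends of the AJP link with mutual certificate verification, mod_jk pointed at
# the local stunnel, and a supervisor loop that restarts stunnel and records
# (and tries to mail) every exit. Hosts, ports, paths and the alert address
# are assumptions; adjust them for your own tiers.

APP_HOST="${APP_HOST:-app.internal.example}"        # assumed Tomcat host
TLS_PORT="${TLS_PORT:-8010}"                        # assumed TLS port on the app host
ALERT_MAIL="${ALERT_MAIL:-ops@example.invalid}"     # assumed alert address
STUNNEL_CMD="${STUNNEL_CMD:-stunnel}"               # stunnel binary
RESTART_DELAY="${RESTART_DELAY:-2}"                 # seconds between restarts
SUPERVISOR_LOG="${SUPERVISOR_LOG:-/var/log/stunnel/supervisor.log}"

# Web tier (httpd + mod_jk): mod_jk talks plaintext AJP to 127.0.0.1:8009,
# stunnel wraps that in TLS, presents the web tier's certificate and insists
# (verify = 2) that the app tier's certificate chains to our CA.
stunnel_client_conf() {
    cat <<EOF
foreground = yes
pid =
debug = 5
output = /var/log/stunnel/ajp-client.log
cert = /etc/stunnel/web.pem
key = /etc/stunnel/web.key
CAfile = /etc/stunnel/ca.pem
verify = 2

[ajp]
client = yes
accept = 127.0.0.1:8009
connect = ${APP_HOST}:${TLS_PORT}
EOF
}

# App tier (Tomcat): stunnel terminates TLS, requires a client certificate
# from the same CA, and hands plaintext AJP to Tomcat on loopback only.
stunnel_server_conf() {
    cat <<EOF
foreground = yes
pid =
debug = 5
output = /var/log/stunnel/ajp-server.log
cert = /etc/stunnel/app.pem
key = /etc/stunnel/app.key
CAfile = /etc/stunnel/ca.pem
verify = 2

[ajp]
accept = 0.0.0.0:${TLS_PORT}
connect = 127.0.0.1:8009
EOF
}

# mod_jk worker on the web tier: the only change from a direct setup is that
# the host is the local stunnel listener instead of the Tomcat box.
workers_properties() {
    cat <<EOF
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=127.0.0.1
worker.ajp13.port=8009
EOF
}

# Record an exit in the supervisor log and make a best-effort attempt to mail
# it (the "send yourself an email each time it closed" idea from the thread).
notify_exit() {
    msg="stunnel ($1) exited rc=$2, restart #$3, $(date)"
    printf '%s\n' "$msg" >> "$SUPERVISOR_LOG"
    printf '%s\n' "$msg" | mail -s "stunnel down on $(uname -n)" "$ALERT_MAIL" 2>/dev/null || true
}

# Keep stunnel running: restart it whenever it exits, notify on each exit,
# back off briefly. A non-zero second argument caps the restarts (used for
# testing); otherwise the loop runs until the supervisor itself is killed.
supervise_stunnel() {
    conf="$1"; max="${2:-0}"; n=0; rc=0
    while :; do
        rc=0
        "$STUNNEL_CMD" "$conf" || rc=$?
        n=$((n + 1))
        notify_exit "$conf" "$rc" "$n"
        if [ "$max" -gt 0 ] && [ "$n" -ge "$max" ]; then
            return "$rc"
        fi
        sleep "$RESTART_DELAY"
    done
}

# Typical use on the web tier:
#   stunnel_client_conf > /etc/stunnel/ajp.conf
#   workers_properties  > /etc/httpd/conf/workers.properties
#   supervise_stunnel /etc/stunnel/ajp.conf &
```

Two details matter for the security of this layout. `verify = 2` on both sides is what makes it mutual: a web tier without a certificate from the CA cannot open the tunnel, and the web tier refuses an app-tier listener that cannot prove its identity. And on the Tomcat box the AJP connector should be bound to loopback (`address="127.0.0.1"` on the Connector) so the only path to port 8009 is through stunnel. `foreground = yes` is what lets the loop see stunnel exit; the loop restarts on any exit, including a bad config file, so the delay between attempts is there to stop a tight restart spin from flooding the log and the mailbox.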




RE: mod_jk or mod_proxy_ajp - encryption benefits ?

2008-03-06 Thread James Ellis

I have done some goog'ling on IPSec and VPN and I have found three 
possibilities:
 
1) OpenSSH and Port Forwarding
 
2) OpenVPN
 
3) Stunnel (thanks little voice)
 
What concerns me about all three options is error handling.  If my OpenSSH or 
OpenVPN or Stunnel connection failed/timed out, the whole site would go down.  
There would have to be a VERY good and almost instant reconnection taking place.
 
I am also concerned about performance.
 
Any comments?
 
 

Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-06 Thread Christopher Schultz


James,

James Ellis wrote:
| I have done some goog'ling on IPSec and VPN and I have found three
| possibilities:
|
| 1) OpenSSH and Port Forwarding
|
| 2) OpenVPN
|
| 3) Stunnel (thanks little voice)
|
| What concerns me about all three options is error handling.  If my
| OpenSSH or OpenVPN or Stunnel connection failed/timed out, the whole
| site would go down.  There would have to be a VERY good and almost
| instant reconnection taking place.
|
| I am also concerned about performance.
|
| Any comments?

If you want encryption, you have to sacrifice performance, so just
forget about that concern right off the bat. Your concerns about
robustness are certainly reasonable. You should be able to find
information about restarting connections for each of these products by
searching their forums, help, etc. Any good VPN should have options for
restarting them when a failure is detected (but nothing is ever foolproof).

-chris




Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-05 Thread David Cassidy
<cough> stunnel </cough>
 

On Mon, 2008-03-03 at 18:39 -0800, David Rees wrote:
 On Mon, Mar 3, 2008 at 9:26 AM, James Ellis [EMAIL PROTECTED] wrote:
  Do you think that little hollow voice can clarify how IPSec would solve this
  problem by giving an example of a software that I could implement to 
  accomplish this?
 
 Google IPSec and VPN and you will find your answer.
 
 -Dave
 
 





Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-03 Thread Mark H. Wood
A hollow voice whispers, IPSec.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is intuitive he
means the exact opposite.





RE: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-03 Thread James Ellis

Mark,
 
Do you think that little hollow voice can clarify how IPSec would solve this 
problem by giving an example of a software that I could implement to accomplish 
this?

Thanks,
Jim
 
 Date: Mon, 3 Mar 2008 12:03:28 -0500
 From: [EMAIL PROTECTED]
 To: users@tomcat.apache.org
 Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?
 
 A hollow voice whispers, IPSec.
 
 -- 
 Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
 Typically when a software vendor says that a product is intuitive he
 means the exact opposite.

Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-03 Thread David Rees
On Mon, Mar 3, 2008 at 9:26 AM, James Ellis [EMAIL PROTECTED] wrote:
 Do you think that little hollow voice can clarify how IPSec would solve this
 problem by giving an example of a software that I could implement to 
 accomplish this?

Google IPSec and VPN and you will find your answer.

-Dave




mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-02 Thread James Ellis

I know that mod_jk is the battle tested connector between Apache and Tomcat, 
but as I understand it the SSL connection generally terminates at the Apache 
web server and the traffic between Apache and Tomcat (to the AJP connector) is 
unencrypted.  Two questions:

1) Does mod_proxy_ajp provide for any encryption between the web server and the 
app server (Tomcat) that mod_jk does not?
2) If the answer to number 1 above is NO, is it possible to keep the server 
certificates on the app servers so that the connection from the client to 
the app server is encrypted all the way through?  In this case the apache web 
server would simply function as a load balancer/failover solution.

Thanks,
Jim


Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-02 Thread Rainer Jung

James Ellis schrieb:

I know that mod_jk is the battle tested connector between Apache and
Tomcat, but as I understand it the SSL connection generally
terminates at the Apache web server and the traffic between Apache
and Tomcat (to the AJP connector) is unencrypted.  Two questions:

1) Does mod_proxy_ajp provide for any encryption between the web
server and the app server (Tomcat) that mod_jk does not?


No, the AJP13 protocol does not support encryption. Both connectors use 
the same protocol. If you need to use encrypted traffic with AJP13, you 
could tunnel through an encrypted channel.


 2) If the

answer to number 1 above is NO.  Is it possible to keep the server
certificates on the app servers and so that the connection from the
client to the app server is encrypted all the way through?  In this
case the apache web server would simply function as a load
balancer/failover solution.


Again no. We are talking about a reverse proxy situation and as far as I 
know, you can't reverse proxy https without having an ssl endpoint on 
the apache httpd.


For a normal (forward) proxy, httpd supports CONNECT, but I don't know 
how well this works in the real world.


You could also ask on the httpd users list, maybe they know better.


Thanks, Jim


Regards,

Rainer





RE: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-02 Thread James Ellis

Inline:

 Date: Sun, 2 Mar 2008 18:16:24 +0100
 From: [EMAIL PROTECTED]
 To: users@tomcat.apache.org
 Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?
 
 James Ellis schrieb:
  I know that mod_jk is the battle tested connector between Apache and
  Tomcat, but as I understand it the SSL connection generally
  terminates at the Apache web server and the traffic between Apache
  and Tomcat (to the AJP connector) is unencrypted.  Two questions:
  
  1) Does mod_proxy_ajp provide for any encryption between the web
  server and the app server (Tomcat) that mod_jk does not?
 
 No, the AJP13 protocol does not support encryption. Both connectors use 
 the same protocol. If you need to use encrypted traffic with AJP13, you 
 could tunnel through an encrypted channel.


Is this the common practice then when communicating from the web server to the 
application server?  

If not, it seems like an awfully big security hole, since the DMZ is supposed 
to be only partly safe.  If someone were to crack into the DMZ and could sniff 
network traffic, then they could in theory listen in to traffic and grab all of 
it in an unencrypted state (which may include credit card information, 
usernames, passwords etc).




 
   2) If the
  answer to number 1 above is NO.  Is it possible to keep the server
  certificates on the app servers and so that the connection from the
  client to the app server is encrypted all the way through?  In this
  case the apache web server would simply function as a load
  balancer/failover solution.
 
 Again no. We are talking about a reverse proxy situation and as far as I 
 know, you can't reverse proxy https without having an ssl endpoint on 
 the apache httpd.
 
 For a normal (forward) proxy, httpd supports connect, but I don't know 
 how well this works in the real world.
 
 You could also ask on the httpd users list, maybe they know better.
 
  Thanks, Jim
 
 Regards,
 
 Rainer
 
 
 


Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-02 Thread Bill Barker

James Ellis [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

Inline:

 Date: Sun, 2 Mar 2008 18:16:24 +0100
 From: [EMAIL PROTECTED]
 To: users@tomcat.apache.org
 Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?

 James Ellis schrieb:
  I know that mod_jk is the battle tested connector between Apache and
  Tomcat, but as I understand it the SSL connection generally
  terminates at the Apache web server and the traffic between Apache
  and Tomcat (to the AJP connector) is unencrypted.  Two questions:
 
  1) Does mod_proxy_ajp provide for any encryption between the web
  server and the app server (Tomcat) that mod_jk does not?

 No, the AJP13 protocol does not support encryption. Both connectors use
 the same protocol. If you need to use encrypted traffic with AJP13, you
 could tunnel through an encrypted channel.


Is this the common practice then when communicating from the web server to 
the application server?

It is relatively uncommon (hence why encryption has taken so long to be 
added to AJP/1.3).  However, sites that have to communicate over a WAN do 
often use SSH tunneling or similar.


If not, it seems like an awfully big security hole, since the DMZ is 
supposed to be only partly safe.  If someone were to crack into the DMZ and 
could sniff network traffic, then they could in theory listen in to traffic 
and grab all of it in an unencrypted state (which may include credit card 
information, usernames, passwords etc).


For most sites, if someone were to crack into the DMZ, they would probably 
be more interested in querying your DB server for the credit card 
information, usernames, passwords, etc :).  In other words, you would have 
many much bigger problems to worry about than someone sniffing AJP/1.3 
traffic.  And this is why it is relatively rare to use tunneling with 
AJP/1.3.  Your resources are usually better spent securing your DMZ.





   2) If the
  answer to number 1 above is NO.  Is it possible to keep the server
  certificates on the app servers and so that the connection from the
  client to the app server is encrypted all the way through?  In this
  case the apache web server would simply function as a load
  balancer/failover solution.

 Again no. We are talking about a reverse proxy situation and as far as I
 know, you can't reverse proxy https without having an ssl endpoint on
 the apache httpd.

 For a normal (forward) proxy, httpd supports connect, but I don't know
 how well this works in the real world.

 You could also ask on the httpd users list, maybe they know better.

  Thanks, Jim

 Regards,

 Rainer










RE: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-02 Thread James Ellis

Inline:

 To: users@tomcat.apache.org
 From: [EMAIL PROTECTED]
 Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?
 Date: Sun, 2 Mar 2008 15:31:21 -0800
 
 
 James Ellis [EMAIL PROTECTED] wrote in message 
 news:[EMAIL PROTECTED]
 
 Inline:
 
  Date: Sun, 2 Mar 2008 18:16:24 +0100
  From: [EMAIL PROTECTED]
  To: users@tomcat.apache.org
  Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?
 
  James Ellis schrieb:
   I know that mod_jk is the battle tested connector between Apache and
   Tomcat, but as I understand it the SSL connection generally
   terminates at the Apache web server and the traffic between Apache
   and Tomcat (to the AJP connector) is unencrypted.  Two questions:
  
   1) Does mod_proxy_ajp provide for any encryption between the web
   server and the app server (Tomcat) that mod_jk does not?
 
  No, the AJP13 protocol does not support encryption. Both connectors use
  the same protocol. If you need to use encrypted traffic with AJP13, you
  could tunnel through an encrypted channel.
 
 
 Is this the common practice then when communicating from the web server to 
 the application server?
 
 It is relatively uncommon (hence why encryption has taken so long to be 
 added to AJP/1.3).  However, sites that have to communicate over a WAN do 
 often use SSH tunneling or similar.
 

Wait...so encryption HAS been added or HAS NOT been added to AJP/1.3?


 
 If not, it seems like an awfully big security hole, since the DMZ is 
 supposed to be only partly safe.  If someone were to crack into the DMZ and 
 could sniff network traffic, then they could in theory listen in to traffic 
 and grab all of it in an unencrypted state (which may include credit card 
 information, usernames, passwords etc).
 
 
 For most sites, if someone were to crack into the DMZ, they would probably 
 be more interested in querying your DB server for the credit card 
 information, usernames, passwords, etc :).  In other words, you would have 
 many much bigger problems to worry about than someone sniffing AJP/1.3 
 traffic.  And this is why it is relatively rare to use tunneling with 
 AJP/1.3.  Your resources are usually better spent securing your DMZ.
 

But in most sites, the point of the DMZ is to isolate the web server.  The 
database/application server wouldn't be in the DMZ...just the web server, so 
they couldn't query the database unless they broke through two firewalls (one 
facing the internet, one facing the DMZ).  From what I am gathering though, they 
could, however, sniff traffic that has been decrypted at the web server (where 
SSL ends) and is being sent to the app server (probably to be saved/checked 
against the database).

Is this just an acceptable risk or do most companies use SSL tunneling?



 
 
 
 
2) If the
   answer to number 1 above is NO.  Is it possible to keep the server
   certificates on the app servers and so that the connection from the
   client to the app server is encrypted all the way through?  In this
   case the apache web server would simply function as a load
   balancer/failover solution.
 
  Again no. We are talking about a reverse proxy situation and as far as I
  know, you can't reverse proxy https without having an ssl endpoint on
  the apache httpd.
 
  For a normal (forward) proxy, httpd supports connect, but I don't know
  how well this works in the real world.
 
  You could also ask on the httpd users list, maybe they know better.
 
   Thanks, Jim
 
  Regards,
 
  Rainer
 
 
 
 
 
 
 
 


Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-02 Thread Martin Gainty
James/Rainer,

PCI-DSS calls for encryption on all channels where payment information will
be transmitted. Is the configuration described here non-PCI-DSS compliant?

Martin
- Original Message -
From: James Ellis [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Sunday, March 02, 2008 7:15 PM
Subject: RE: mod_jk or mod_proxy_ajp - encryption benefits?



Inline:

 To: users@tomcat.apache.org
 From: [EMAIL PROTECTED]
 Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?
 Date: Sun, 2 Mar 2008 15:31:21 -0800


 James Ellis [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]

 Inline:
 
  Date: Sun, 2 Mar 2008 18:16:24 +0100
  From: [EMAIL PROTECTED]
  To: users@tomcat.apache.org
  Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?
 
  James Ellis schrieb:
   I know that mod_jk is the battle tested connector between Apache and
   Tomcat, but as I understand it the SSL connection generally
   terminates at the Apache web server and the traffic between Apache
   and Tomcat (to the AJP connector) is unencrypted.  Two questions:
  
   1) Does mod_proxy_ajp provide for any encryption between the web
   server and the app server (Tomcat) that mod_jk does not?
 
  No, the AJP13 protocol does not support encryption. Both connectors use
  the same protocol. If you need to use encrypted traffic with AJP13, you
  could tunnel through an encrypted channel.
 
 
 Is this the common practice then when communicating from the web server to
 the application server?

 It is relatively uncommon (hence why encryption has taken so long to be
 added to AJP/1.3).  However, sites that have to communicate over a WAN do
 often use SSH tunneling or similar.


Wait...so encryption HAS been added or HAS NOT been added to AJP/1.3?


 
 If not, it seems like an awfully big security hole, since the DMZ is
 supposed to be only partly safe.  If someone were to crack into the DMZ and
 could sniff network traffic, then they could in theory listen in to traffic
 and grab all of it in an unencrypted state (which may include credit card
 information, usernames, passwords etc).
 

 For most sites, if someone were to crack into the DMZ, they would probably
 be more interested in querying your DB server for the credit card
 information, usernames, passwords, etc :).  In other words, you would have
 many much bigger problems to worry about than someone sniffing AJP/1.3
 traffic.  And this is why it is relatively rare to use tunneling with
 AJP/1.3.  Your resources are usually better spent securing your DMZ.


But in most sites, the point of the DMZ is to isolate the web server.  The
database/application server wouldn't be in the DMZ...just the web server, so
they couldn't query the database unless they broke through two firewalls
(one facing the internet, one facing the DMZ).  From what I am gathering though,
they could, however, sniff traffic that has been decrypted at the web server
(where SSL ends) and is being sent to the app server (probably to be
saved/checked against the database).

Is this just an acceptable risk or do most companies use SSL tunneling?



 
 
 
 
2) If the
   answer to number 1 above is NO.  Is it possible to keep the server
   certificates on the app servers and so that the connection from the
   client to the app server is encrypted all the way through?  In this
   case the apache web server would simply function as a load
   balancer/failover solution.
 
  Again no. We are talking about a reverse proxy situation and as far as I
  know, you can't reverse proxy https without having an ssl endpoint on
  the apache httpd.
 
  For a normal (forward) proxy, httpd supports connect, but I don't know
  how well this works in the real world.
 
  You could also ask on the httpd users list, maybe they know better.
 
   Thanks, Jim
 
  Regards,
 
  Rainer
 
 
 










Re: mod_jk or mod_proxy_ajp - encryption benefits?

2008-03-02 Thread David Rees
On Sun, Mar 2, 2008 at 6:42 PM, Martin Gainty [EMAIL PROTECTED] wrote:
  PCI-DSS calls for encryption on all channels where payment information will
  be transmitted is the configuration described here non PCI-DSS compliant?

No, PCI-DSS calls for encryption of card data across open, public
networks. If your connection between Apache and Tomcat is open and
public (not common, typically it is on a secured LAN), then yes, your
typical mod_jk or mod_proxy_ajp would not be sufficient.

-Dave

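Dave's answer turns on where the AJP listener is actually reachable from, which is something you can check rather than assume. As an added example that is not from the thread, the script below reads a Tomcat server.xml and reports every AJP/1.3 Connector: one with no `address` attribute (Tomcat then listens on every interface) or bound to `0.0.0.0` is flagged as exposed, loopback is reported as safe, and any other address is reported for you to confirm it faces the secured LAN. `address` and `protocol` are real Connector attributes; the function names and the sample server.xml it writes are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Tomcat server.xml for
# AJP/1.3 connectors that listen beyond loopback or a named LAN interface.
# Plaintext AJP is defensible only where that listener is unreachable from
# untrusted networks, so an AJP connector with no bind address (which listens
# on every interface) is reported as EXPOSED. The sample server.xml written
# by sample_server_xml is constructed for this demonstration.

# Print each AJP/1.3 <Connector .../> element of the given server.xml on one
# line; attributes split across lines are joined first.
ajp_connectors() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*>' | grep 'protocol="AJP/1.3"'
}

# Classify one connector element by its address attribute.
classify_connector() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*address="\([^"]*\)".*/\1/p')
    case "$addr" in
        "")                      echo "EXPOSED (no address attribute, listens on all interfaces)" ;;
        0.0.0.0|::)              echo "EXPOSED (bound to every interface)" ;;
        127.0.0.1|::1|localhost) echo "loopback only" ;;
        *)                       echo "bound to $addr (confirm this is the secured LAN side)" ;;
    esac
}

# Print one verdict per AJP connector; return 0 only if none is exposed.
audit_ajp() {
    report=$(ajp_connectors "$1" | while IFS= read -r conn; do
        port=$(printf '%s\n' "$conn" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        echo "AJP port ${port:-?}: $(classify_connector "$conn")"
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q EXPOSED
}

# Number of exposed AJP connectors (0 when the file is clean).
exposed_count() {
    audit_ajp "$1" | grep -c EXPOSED || true
}

# Constructed sample: one HTTP connector, one AJP connector with no bind
# address, and one multi-line AJP connector bound to loopback.
sample_server_xml() {
    cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector address="127.0.0.1"
               port="8010"
               protocol="AJP/1.3" />
  </Service>
</Server>
EOF
}

# Typical use:  audit_ajp /etc/tomcat/server.xml || echo "fix the AJP bind address"
```

On the constructed sample the audit reports port 8009 as exposed and port 8010 as loopback only, and exits non-zero; adding `address="127.0.0.1"` to the 8009 connector makes it pass. Binding to loopback is the right answer when a local tunnel (stunnel or SSH) fronts Tomcat; when httpd reaches Tomcat directly across the LAN, bind to the LAN-facing address and keep that segment firewalled, which is the "secured LAN" case Dave describes.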