Mark,

On 2/23/2011 10:36 AM, Mark Thomas wrote:
> On 23/02/2011 15:32, Christopher Schultz wrote:
>> Mladen,
>>
>> On 2/23/2011 3:00 AM, Mladen Turk wrote:
>>> What do you think happens when encrypted data from the client comes in and
>>> is encrypted again and sent to the client?
>>> It's unencrypted in memory, and anyone with access to the box
>>> can just inspect the content of the httpd process in the same way
>>> they can read the data on the socket.
>>> So since the persons who are authorized to log in to the Apache and Tomcat
>>> box have the option to view the data, your entire security is still
>>> human based.
>>
>> I think he's talking about network sniffing (like another node on the
>> network operating in promiscuous mode), not an untrusted box administrator.
>>
>>> That's why I see no point in encrypting the data transfer
>>> between those boxes, because you can just as well make sure the proper
>>> persons have the network access.
>>
>> I certainly agree with this.
>>
>> Anyhow, to answer the OP's question, there are really three options:
>>
>> 1. SSH tunnel
>>
>> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
>>    necessary while ssh generally won't).
>>
>> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
>>    indicated settings.
>>
>> These options are roughly in order of performance from best to worst:
>> setting up an HTTPS connection is expensive and I'm not entirely sure
>> how mod_proxy_http does connections, but I suspect it creates and
>> tears down a connection for each request (i.e. no keepalives, or at least limited ones).
>>
>> Encrypted VPNs are simply more complicated than an SSH tunnel and
>> require slightly more overhead. An SSH tunnel is dead simple and only
>> negotiates a symmetric key once at connect time (okay, and then
>> re-negotiates at intervals) but lacks the robustness of a VPN.
> 
> I disagree with that assessment. mod_proxy_http is by far the simplest
> way to go and it does use keep-alive.

Good to know that mod_proxy_http uses keepalive. I was recommending the
others since the OP seems wedded to AJP. Also, if there is any other
traffic to encrypt (JDBC, etc.) the VPN would handle that, too.

-chris
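As an added illustration of option 3 in the list above (example configuration written for this page, not taken from the thread or from Mark's reply): an httpd stanza that forwards to Tomcat over https:// with mod_proxy_http and, unlike the default of `SSLProxyVerify none`, actually verifies the backend certificate, so another host on the segment cannot quietly terminate the hop itself. The CA file path, backend hostname and port are assumptions.

```apache
# httpd.conf fragment (assumed layout): proxy to Tomcat over TLS
# instead of plaintext AJP. Requires mod_proxy, mod_proxy_http
# and mod_ssl to be loaded.
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule ssl_module          modules/mod_ssl.so

# Turn on TLS for httpd's outbound (httpd -> Tomcat) connections.
SSLProxyEngine On

# Without the next lines httpd accepts whatever certificate the
# backend presents, which makes the encrypted hop trivially
# interceptable by anyone who can sit between the two boxes.
# The CA file must contain the issuer of Tomcat's server cert.
SSLProxyVerify            require
SSLProxyCACertificateFile /etc/httpd/ssl/tomcat-ca.pem

# Check that the certificate actually belongs to the host we
# dialled. SSLProxyCheckPeerName needs httpd 2.4.5 or later;
# on older releases keep only SSLProxyCheckPeerCN.
SSLProxyCheckPeerCN   on
SSLProxyCheckPeerName on

# The hostname here must match the CN/SAN in Tomcat's certificate
# (assumed host and port).
ProxyPass        /app https://tomcat.internal.example:8443/app
ProxyPassReverse /app https://tomcat.internal.example:8443/app
```

Backend connections opened by mod_proxy_http are reused by default, which is the keep-alive behaviour Mark refers to; the TLS handshake cost is therefore paid per pooled connection, not per request.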
