https://bz.apache.org/bugzilla/show_bug.cgi?id=53098
--- Comment #16 from Yann Ylavic <[email protected]> --- (In reply to [email protected] from comment #14) > We want to use the attribute. We'll worry about the separate issue of > protected transport elsewhere. Make sense? (In reply to Dmitry A. Bakshaev from comment #15) > this patch just adds lost functionality to mod_proxy_ajp, a lot of time > working in mod_jk+tomcat. Fair enough, there seem to (still) be attraction to it, so committed in r1738878, let's see what others say... > > a typical usage scenario: > client(browser) - https(internet) - apache > httpd(ssl-termination-acceleration) - mod_proxy_ajp - ajp - > localhost(trusted area) - apache tomcat(application) > > "secret" need to "bind" multiple url on apache httpd to multiple tomcat > instances or connectors one-to-one, to protect from fake ajp requests from > other application and users from same host(localhost). I can grok the "isolation" argument (prevent requests from reaching unexpected services), but not the security one. This is definitively not a security feature (like SSLv2 isn't anymore), and shouldn't be presented as such. As I said earlier, either localhost is trusted or it is not, and in the latter case "secret" won't change anything (significantly). > > "secret" works like "identification", not crypto-blablabla... > > ssl,encryption&etc is separate question. This is called "authentification" in crypto, not blah, and it's probably the only way to achieve security goals, if any... -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
