"Bill Stoddard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> William A. Rowe, Jr. wrote:
>> Bill Stoddard wrote:
>>
>>> I'm trying to understand why mod_proxy_ajp exists and what it provides
>>> that mod_proxy_http doesn't.
>>>
>>> ajp13 is a binary protocol which should make the ajp13 Tomcat connector
>>> a bit more efficient than the http11 connector; an incremental
>>> performance improvement, obtained at the expense of added complexity.
>>> Does mod_proxy_ajp provide any other function not available in
>>> mod_proxy_http? I'm trying to decide which horse to put my chips on :-)
>>>
>>
>> If it works, mod_proxy_ajp - efficient, fast and slightly easier to
>> secure.
>>
> Thanks for the info everyone!
>
> Bill,
> mod_proxy_ajp is easier to secure? Does mod_proxy_ajp support SSL?
>
There are way too many Bills on this thread :).

At the moment, mod_proxy_ajp (as well as mod_jk) doesn't support encryption between httpd and Tomcat/Geronimo/GlassFish. For most people this isn't a big deal, since the connection is going over an internal network (or even localhost), so if the black hats can set up a man-in-the-middle, you have way bigger problems on your hands :). Most people who need encryption (e.g. going over a WAN) use SSH tunneling to solve the problem.

Mostly, the 'easier to secure' is that since you can pick your port, you can configure firewall rules for that port accordingly.

It looks like mod_proxy_ajp supports the 'secret' feature, where Tomcat (properly configured) will only respond if mod_proxy_ajp sends the correct 'secret' string with the request. Basically a password auth (somewhat like BASIC) that is marginally useful if the port is exposed to the internet, but pretty much useless against a man-in-the-middle attack since it is sent in the clear.

> Bill
>
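An added configuration example, not part of any post in this thread, showing the two controls the reply above describes for the httpd-to-Tomcat hop: keeping the AJP port off the public interface so firewall rules can restrict it, and the AJP 'secret' that Tomcat checks on every request. It assumes httpd 2.4.42 or later (the release in which ProxyPass gained the `secret=` key), an AJP connector listening on port 8009 on the container host, and placeholder values for the hostname and the shared secret.

```apache
# Added example (not from the thread): httpd side of an AJP reverse proxy.
# Assumes httpd 2.4.42+ (ProxyPass 'secret' key) and a Tomcat AJP/1.3
# connector on port 8009. Hostname and secret value are placeholders.
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

# Forward only the paths that belong to the servlet container, and send
# the shared secret with every AJP request. The secret travels in the
# clear on the wire, so it supplements the network restriction below
# rather than replacing it.
ProxyPass        "/app" "ajp://tomcat.internal.example:8009/app" secret=REPLACE_WITH_SHARED_SECRET
ProxyPassReverse "/app" "ajp://tomcat.internal.example:8009/app"

# Nothing else is proxied; keep ProxyRequests off so httpd is not an
# open forward proxy.
ProxyRequests Off
```

On the Tomcat side the matching connector in server.xml is `<Connector port="8009" protocol="AJP/1.3" address="10.0.0.5" secretRequired="true" secret="REPLACE_WITH_SHARED_SECRET" />`, where `address` is the internal interface (a placeholder here) and `secretRequired` makes Tomcat refuse to start without a secret. Pair that with a firewall rule that admits TCP 8009 only from the httpd host; if the two sit on different networks, the SSH tunnel mentioned in the reply (`ssh -L 8009:localhost:8009 user@tomcat-host`, so httpd proxies to `ajp://localhost:8009`) is what actually provides confidentiality, since neither the secret nor the AJP stream is encrypted by itself.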
