Re: mod_jk - apache to tomcat using SSL
On Tue, Mar 16, 2010 at 9:53 PM, Campbell, Lance la...@illinois.edu wrote: I have a web server and an application server. I use mod_jk to communicate between apache2.0 and tomcat 6. I don't believe the communication between apache and tomcat is secured by default. Is there a way to have it send the information in a secure way. hm, first thing popping up in my mind: why encrypting the traffic between httpd and tomcat (frontend / backend) anyways? ain't it sufficient to ssl the traffic between client and frontend (httpd)? just wondering... gregor -- just because you're paranoid, don't mean they're not after you... gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2 gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/ skype:rc46fi - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk - apache to tomcat using SSL
On 03/18/2010 04:14 PM, Caldarale, Charles R wrote: From: 2smart4u [mailto:rc4...@googlemail.com] Subject: Re: mod_jk - apache to tomcat using SSL why encrypting the traffic between httpd and tomcat (frontend / backend) anyways? Depends on the location of the two boxes, the accessibility of the network connection between them, and how much trust you have of those who do have access... And if the boxes are inside CIA or KGB premisses you might have spies in the house already :) Cheers -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk - apache to tomcat using SSL
Campbell, Lance wrote: I have a web server and an application server. I use mod_jk to communicate between apache2.0 and tomcat 6. I don't believe the communication between apache and tomcat is secured by default. Is there a way to have it send the information in a secure way. Taking your question strictly as phrased, I don't think so, because the mod_jk/Tomcat AJP protocol is not encrypted. If you really needed to do this, you could use an SSH tunnel however. If you really needed to and the physical constraints allow it, you could also link your Apache with the back-end Tomcat with a dedicated LAN, and avoid the overhead of SSL. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk - apache to tomcat using SSL
On 16/03/2010 21:07, André Warnier wrote: Campbell, Lance wrote: I have a web server and an application server. I use mod_jk to communicate between apache2.0 and tomcat 6. I don't believe the communication between apache and tomcat is secured by default. Is there a way to have it send the information in a secure way. Taking your question strictly as phrased, I don't think so, because the mod_jk/Tomcat AJP protocol is not encrypted. If you really needed to do this, you could use an SSH tunnel however. If you really needed to and the physical constraints allow it, you could also link your Apache with the back-end Tomcat with a dedicated LAN, and avoid the overhead of SSL. mod_proxy_http configured to use https is usually an easier way to do this. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: mod_jk - apache to tomcat using SSL
What group is responsible for the Tomcat AJP protocol? Is there a way to request a feature to add SSL encryption to the protocol? Thanks, Lance Campbell Software Architect/DBA/Project Manager Web Services at Public Affairs 217-333-0382 -Original Message- From: André Warnier [mailto:a...@ice-sa.com] Sent: Tuesday, March 16, 2010 4:08 PM To: Tomcat Users List Subject: Re: mod_jk - apache to tomcat using SSL Campbell, Lance wrote: I have a web server and an application server. I use mod_jk to communicate between apache2.0 and tomcat 6. I don't believe the communication between apache and tomcat is secured by default. Is there a way to have it send the information in a secure way. Taking your question strictly as phrased, I don't think so, because the mod_jk/Tomcat AJP protocol is not encrypted. If you really needed to do this, you could use an SSH tunnel however. If you really needed to and the physical constraints allow it, you could also link your Apache with the back-end Tomcat with a dedicated LAN, and avoid the overhead of SSL. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk - apache to tomcat using SSL
On 03/16/2010 10:23 PM, Campbell, Lance wrote: What group is responsible for the Tomcat AJP protocol? Is there a way to request a feature to add SSL encryption to the protocol? You can try, but the answer will be no. Like people already said, use either tunnelling or mod_proxy_http Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_jk - apache to tomcat using SSL
Campbell, Lance wrote: I have a web server and an application server. I use mod_jk to communicate between apache2.0 and tomcat 6. I don't believe the communication between apache and tomcat is secured by default. Is there a way to have it send the information in a secure way. I do not presume to know the sensitivity of the data passing between your webserver and your application server, not the physical topology of your network, nor the real possibility of the data being compromised, nor the real capabilities of your servers. But if you were to make an SSL connection between the front-end and the back-end, you would more than double the encryption overhead. Supposedly, the clients already connect to Apache via HTTPS, and Apache has to decrypt the data on the way in, and encrypt it on the way out to/from the client. That will remain the case anyway. But if Apache has to communicate with the Tomcat back-end via SSL, it will need to do the same encryption/decryption for all the data a second time, and Tomcat at its end also. That is true no matter which method you would use, tunnel or HTTPS proxy. It may be a necessity, and it may be affordable, but it should not be a decision taken lightly thinking it is free of consequences. A crossover cable is less exciting, but may be much cheaper. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
