On 19.03.2020 12:43, Fritze, Florian wrote:
> Dear Tomcat users,
> since the Tomcat release with the Ghostcat security fix (Tomcat 8.5.51) I, as an admin,
> have the problem of using the https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module
> to connect the Apache HTTPD with the Tomcat running on localhost. The attribute
> secretRequired must be set to „true“ or „false“; with „false“ set, the connection is not
> possible between Tomcat and Apache HTTPD. With „true“, the Apache development is not ready
> in the current version to work with the „secret“ attribute. Only the next version of
> Apache 2.4 supports this attribute.
> So I want to use the newest Tomcat version and an AJP connector, but after the Ghostcat fix
> release there is this attribute which does not work in my configuration.
> Are there any suggestions or solutions available that you can deliver me (links or
It all depends on your configuration, and how your front-end Apache httpd server(s)
connect to your back-end tomcat server(s).
For example:
- if all your pairs of httpd server/tomcat server are running on the same host, then you
do not really have a security issue, and adding a secret will not really bring any
- if all your pairs of httpd server/tomcat server are communicating only over an internal
(presumed to be fairly safe) network, then you do have a limited security issue (limited
by how "safe" your internal network really is), and a secret may help a bit in reducing
this already limited security issue
- if you have pairs of httpd/tomcat which communicate over a public network, then you do
have a security issue, and adding a secret will help, but it is not going to make that
security issue really disappear (*).
But if you want to add a secret anyway, then it depends on how httpd communicates with its
corresponding tomcat, and there are 2 options:
- using the httpd mod_proxy_ajp module
- using the httpd mod_jk module
As I understand from your message, the current mod_proxy_ajp module released with the
current httpd 2.4, does not support that "secret" yet.
But the currently available mod_jk module does support that option, and the current mod_jk
module is compatible with any httpd 2.4 version.
And, functionally, mod_proxy_ajp and mod_jk can do the same things.
It is just the setup and configuration (at the httpd level) that is somewhat different
between the two. (there is no difference at the tomcat level).
So if you are currently using mod_proxy_ajp (**), then if you want to implement this
"secret" option, you would have to change your httpd configuration, to use mod_jk instead
of mod_proxy_ajp (temporarily, until the appropriate version of mod_proxy_ajp is released).
(*) the secret, if correctly implemented, will block any other host than your own hosts
from connecting to the tomcat AJP Connector, and thus from "abusing" your tomcats by
sending them invalid or malicious requests.
But it would not block someone from intercepting the traffic between your httpds and your
tomcats and reading it, because the AJP protocol is not encrypted, and because there is no
implementation available that makes this traffic be encrypted.
(**) If you are currently using mod_proxy_ajp, then it is also likely that you are not
using the option whereby httpd can do the user authentication, and then pass the
authenticated user-id along to tomcat, for tomcat to use it.
That means that you are already avoiding one possible security issue.
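The mod_jk route described in the reply above, as an added example that is not part of the thread: a small POSIX shell script that generates one random AJP secret and renders the matching Tomcat `<Connector>` fragment, the mod_jk `workers.properties` and an httpd `mod_jk` snippet, then checks that both sides carry the same value. The worker name `ajp13w`, the loopback address and port 8009, the `/myapp/*` mount and the log paths are assumptions for the example; the attribute and property names (`secretRequired`, `secret`, `worker.<name>.secret`) are the ones Tomcat and mod_jk use.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): generate one shared AJP
# secret and write matching Tomcat and mod_jk config fragments into a directory.
# Assumptions: Tomcat's AJP connector listens on 127.0.0.1:8009, the mod_jk worker
# is called "ajp13w", and the output directory is given as $1.
set -eu

# 32 random bytes, hex-encoded (64 chars): long enough that it cannot be guessed.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write the three fragments; $1 = output directory, $2 = secret.
render_configs() {
    dir=$1; secret=$2
    mkdir -p "$dir"

    # Tomcat side (belongs inside <Service> in conf/server.xml). address= keeps
    # the connector off non-loopback interfaces, which matters even with a secret.
    cat > "$dir/ajp-connector.xml" <<EOF
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="$secret" />
EOF

    # mod_jk side: the worker definition must carry the very same secret.
    cat > "$dir/workers.properties" <<EOF
worker.list=ajp13w
worker.ajp13w.type=ajp13
worker.ajp13w.host=127.0.0.1
worker.ajp13w.port=8009
worker.ajp13w.secret=$secret
EOF

    # httpd side: load mod_jk, point it at workers.properties, mount the app.
    # Module, log and mount paths are assumptions for this example.
    cat > "$dir/jk.conf" <<EOF
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile logs/mod_jk.log
JkLogLevel info
JkMount /myapp/* ajp13w
EOF
}

# Returns 0 when the secret in the Tomcat fragment equals the mod_jk worker secret.
# A mismatch is exactly what produces a rejected AJP connection with secretRequired="true".
check_secret_match() {
    dir=$1
    t=$(sed -n 's/.*secret="\([^"]*\)".*/\1/p' "$dir/ajp-connector.xml")
    j=$(sed -n 's/^worker\.ajp13w\.secret=//p' "$dir/workers.properties")
    [ -n "$t" ] && [ "$t" = "$j" ]
}

# Usage: sh gen-ajp-secret.sh /etc/ajp-secret-out
if [ -n "${1:-}" ]; then
    render_configs "$1" "$(gen_secret)"
    check_secret_match "$1" && echo "secret written to $1 (same value on both sides)"
fi
```

Copy the rendered `<Connector>` into `server.xml` and `workers.properties` into httpd's `conf/` directory, then restart both services; keep `address="127.0.0.1"` (or an internal interface) because, as the footnote (*) says, the secret only stops other hosts from speaking AJP to Tomcat and does nothing for the confidentiality of the traffic itself.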