On 19.03.2020 12:43, Fritze, Florian wrote:
Dear Tomcat users,

since the Tomcat release with the Ghostcat security fix (Tomcat 8.5.51) me as an admin have the problem using the https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to connect the Apache HTTPD with the Tomcat running on localhost. The attribute secretRequired must be set to „true“ or „false“ with „false“ set the connection is not possible between Tomcat and Apache HTTPD. With „true“ the Apache development is not ready in the current version to work with the „secret“ attribute. Only the next version of Apache 2.4 supports this attribute.

So I want to use the newest Tomcat version and an AJP connector but after the Ghostcat fix release there is this attribute which does not work in my configuration.

Are there any suggestions or solutions available that you can deliver me (links or documentation, etc.)

It all depends on your configuration, and how your front-end Apache httpd server(s) connect to your back-end tomcat server(s).
For example :
- if all your pairs of httpd server/tomcat server are running on the same host, then you do not really have a security issue, and adding a secret will not really bring any additional security - if all your pairs of httpd server/tomcat server are communicating only over an internal (presumed to be fairly safe) network, then you do have a limited security issue (limited by how "safe" your internal network really is), and a secret may help a bit in reducing this already limited security issue - if you have pairs of httpd/tomcat which communicate over a public network, then you do have a security issue, and adding a secret will help, but it is not going to make that security issue really disappear (*).

But if you want to add a secret anyway, then it depends on how httpd communicates with its corresponding tomcat, and there are 2 options :
- using the httpd mod_proxy_ajp module
- using the httpd mod_jk module

As I understand from your message, the current mod_proxy_ajp module released with the current httpd 2.4, does not support that "secret" yet. But the currently available mod_jk module does support that option, and the current mod_jk module is compatible with any httpd 2.4 version.
And, functionally, mod_proxy_ajp and mod_jk can do the same things.
It is just the setup and configuration (at the httpd level) that is somewhat different between the two. (there is no difference at the tomcat level).

So if you are currently using mod_proxy_ajp (**), then if you want to implement this "secret" option, you would have to change your httpd configuration, to use mod_jk instead of mod_proxy_ajp (temporarily, until the appropriate version of mod_proxy_ajp is released).

(*) the secret, if correctly implemented, will block any other host than your own hosts from connecting to the tomcat AJP Connector, and thus from "abusing" your tomcats by sending them invalid or malicious requests. But it would not block someone from intercepting the traffic between your httpds and your tomcats and reading it, because the AJP protocol is not encrypted, and because there is no implementation available that makes this traffic be encrypted.

(**) If you are currently using mod_proxy_ajp, then it is also likely that you are not using the option whereby httpd can do the user authentication, and then pass the authenticated user-id along to tomcat, for tomcat to use it.
That means that you are already avoiding one possible security issue.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to