From: Mark Thomas <ma...@apache.org>
Subject: Re: Encryption of Tomcat AJP

>On 19/05/2022 01:32, Brian Eller wrote:
>> Hello,
>>
>> I am working on a Tomcat install embedded inside a vendor 
>> product that uses Apache to pass traffic to Tomcat.  My cyber security group 
>> is asking if we can encrypt all connections.  Can the mod_jk protocol, AJP, 
>> be encrypted?
>
>No, AJP does not support encryption.
>
>If you want to encrypt traffic between the reverse proxy and the embedded 
>Tomcat instance I'd recommend using mod_proxy_http and proxy everything over 
>HTTPS. This requires a little more configuration to get things working.
>
>The main thing to keep in mind is to make sure that the Tomcat instance 
>correctly identifies whether the client connection to the reverse proxy was 
>over HTTP or HTTPS.
>
>Mark

I totally agree this is an existing and sufficient mechanism already available. 
And I see it popping up in more and more locations.
But as you point out there are some caveats that potentially open security 
risks. On the contrary AJP - maybe because it cannot be configured with 
encryption - looks simple and straightforward.

Would it make sense to create a solution with fewer caveats and up-to-date 
security requirements?

Hiran
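
The setup Mark describes in the quoted reply (mod_proxy_http over HTTPS, with Tomcat told which scheme the client used), sketched as an added example that is not part of the thread or of any poster's configuration. Host names, ports, file paths and the proxy address are assumptions; the Tomcat side is shown in comments.

```apache
# Added example; host names, ports and paths are assumptions.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Encrypt the proxy -> Tomcat hop and verify the backend certificate;
    # without verification the hop is encrypted but not authenticated.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        "/" "https://tomcat.internal.example:8443/"
    ProxyPassReverse "/" "https://tomcat.internal.example:8443/"

    # "set" overwrites any client-supplied value, so a client cannot
    # claim HTTPS by sending the header itself.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.pem
    ProxyPass        "/" "https://tomcat.internal.example:8443/"
    ProxyPassReverse "/" "https://tomcat.internal.example:8443/"
    # The backend hop is HTTPS here too, so Tomcat would otherwise treat
    # these plain-HTTP client requests as secure.
    RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>

# Tomcat side (server.xml, inside <Engine> or <Host>): trust the headers
# only when the request comes from the proxy's address (10.0.0.5 is an
# assumed address for this sketch):
#
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          internalProxies="10\.0\.0\.5"
#          remoteIpHeader="X-Forwarded-For"
#          protocolHeader="X-Forwarded-Proto"
#          protocolHeaderHttpsValue="https" />
```

With the valve in place, `request.isSecure()` and `request.getScheme()` in the web application reflect the client's connection to the reverse proxy rather than the proxy's connection to Tomcat.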