Brian,
On 5/19/22 10:29, Brian Eller wrote:
My vendor supports AJP but I don't know if they support
mod_http_proxy. This is an embedded version of Tomcat 8.5 that is
tightly coupled with the vendor's software and is an installed
subcomponent from the vendor.
Well, have a look at the facts:
1. Your vendor definitely supports AJP
2. Your cybersecurity group says you definitely need to encrypt that
connection
3. AJP doesn't support encryption
So you have a couple of options:
1. Encrypt AJP yourself. Your options are:
a. IPsec or similar/VPN
b. stunnel / ssh tunnel
2. Switch to another protocol (i.e. HTTPS)
3. Switch to a different vendor
Which of those would work out best for you?
Another option on the list is:
4. Make this your vendor's problem, since they are the one wanting to
use AJP
This may be helpful to provide to your vendor:
https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http
Hope that helps,
-chris
-----Original Message-----
From: Mark H. Wood <mw...@iupui.edu>
Sent: Thursday, May 19, 2022 6:12 AM
To: users@tomcat.apache.org
Subject: Re: Encryption of Tomcat AJP
On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:
From: Mark Thomas <ma...@apache.org>
Subject: Re: Encryption of Tomcat AJP
On 19/05/2022 01:32, Brian Eller wrote:
Hello,
I am working on a Tomcat install embedded inside a vendor
product that uses Apache to pass traffic to Tomcat. My cyber security group is
asking if we can encrypt all connections. Can the mod_jk protocol, AJP, be
encrypted?
No, AJP does not support encryption.
If you want to encrypt traffic between the reverse proxy and the embedded
Tomcat instance I'd recommend using mod_proxy_http and proxy everything over
HTTPS. This requires a little more configuration to get things working.
The main thing to keep in mind is to make sure that the Tomcat instance
correctly identifies whether the client connection to the reverse proxy was
over HTTP or HTTPS.
Mark
I totally agree this is an existing and sufficient mechanism already available.
And I see it popping up in more and more locations.
But as you point out there are some caveats that potentially open security
risks. On the contrary AJP - maybe because it cannot be configured with
encryption - looks simple and straightforward.
Would it make sense to create a solution with fewer caveats and up to date
security requirements?
If the OP's cyber security group insists, then maybe they would care to give
him their requirements and suggestions for setting up IPSEC.
--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
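Mark's mod_proxy_http suggestion and Chris's option 2 (switch the proxy hop to HTTPS), as a worked server.xml fragment for the embedded Tomcat 8.5 side; this is an added example, not code from the thread or from the vendor's product, and every host, port and keystore name in it is assumed. It assumes the httpd TLS vhost carries `SSLProxyEngine on`, `ProxyPass / https://tomcat-backend:8443/` and `RequestHeader set X-Forwarded-Proto "https"` (with `"http"` set in the plain vhost), so the RemoteIpValve can restore the scheme the browser actually used, which is the caveat Mark raises.

```xml
<!-- Added example server.xml fragment for the embedded Tomcat 8.5 (assumed names and ports) -->
<Service name="Catalina">
  <!-- HTTPS connector that httpd's mod_proxy_http talks to over TLS instead of AJP.
       Bound to the internal interface only: the reverse proxy is the sole intended client. -->
  <Connector port="8443" address="10.0.0.5"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
      <!-- Assumed keystore; its certificate must match the hostname httpd uses in ProxyPass,
           otherwise SSLProxyVerify on the httpd side will (correctly) refuse the backend. -->
      <Certificate certificateKeystoreFile="conf/tomcat-backend.jks"
                   certificateKeystorePassword="CHANGE-ME"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <!-- Mark's caveat: the proxy-to-Tomcat hop is now always HTTPS, so without this
           valve every request would report isSecure()==true even when the browser used
           plain HTTP. The valve rewrites scheme, secure flag and server port from
           X-Forwarded-Proto, but only for requests arriving from the listed proxy
           address, so an external client cannot spoof the header. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="10\.0\.0\.1"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             protocolHeaderHttpsValue="https"
             httpServerPort="80"
             httpsServerPort="443"/>
    </Host>
  </Engine>
</Service>
```

With the valve in place, `request.isSecure()` and `getScheme()` match the browser's connection, so Secure session cookies and `CONFIDENTIAL` transport-guarantee redirects in web.xml behave as they did with AJP.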