

On 2/23/2011 3:00 AM, Mladen Turk wrote:
> What do you think happens when encrypted data from client comes in and
> is encrypted again and sent to the client?
> It's unencrypted in the memory and anyone with access to the box
> can just inspect the content of the httpd process in the same way
> it can read the data on the socket.
> So since persons who are authorized to login to the Apache and Tomcat
> box have the option to view the data, your entire security is still
> human based.

I think he's talking about network sniffing (like another node on the
network operating in promiscuous mode), not an untrusted box administrator.

> That's why I see no point of encrypting the data transfer
> between those boxes because you can just as well make sure the proper
> persons have the network access.

I certainly agree with this.

Anyhow, to answer the OP's question, there are really three options:

1. SSH tunnel

2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
   necessary while ssh generally won't).

3. Switch to mod_proxy_http and use an https:// URL with Mark's
   indicated settings.

These options are roughly in order of performance from best to worst:
setting up an HTTPS connection is expensive and I'm not entirely sure
how mod_proxy_http does connections, but I suspect it creates and
tears down for each request (i.e. no keepalives, or at least limited ones).

Encrypted VPNs are simply more complicated than an SSH tunnel and
require slightly more overhead. An SSH tunnel is dead simple and only
negotiates a symmetric key once at connect time (okay, and then
re-negotiates at intervals) but lacks the robustness of a VPN.

-chris
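Option 3 above, as an added configuration example that is not from the thread (the settings Mark referred to are not reproduced on this page, so every directive, hostname, port and path below is my own assumption for httpd 2.4): mod_proxy_http forwarding to Tomcat over https://, with the backend certificate actually verified. SSLProxyEngine On by itself encrypts the hop but accepts any certificate, so a machine on the path that can terminate TLS still reads the traffic; SSLProxyVerify require plus a CA file and a peer-name check closes that. The commented block at the end shows where option 1 (an SSH tunnel) plugs in instead.

```apache
# Added example, not from the original mail: httpd 2.4 front end proxying
# to a Tomcat HTTPS connector. Hostnames, ports, paths and the CA file are
# illustrative assumptions.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

# Required before ProxyPass may use an https:// backend URL.
SSLProxyEngine On

# Weak setting: encrypts the hop but trusts any certificate the far end
# presents, so an on-path host can terminate TLS and re-encrypt unnoticed.
#SSLProxyVerify none

# Corrected setting: require a certificate that chains to the CA which
# issued the Tomcat connector's certificate, and check that its name matches
# the host in the ProxyPass URL (SSLProxyCheckPeerName needs httpd 2.4.5+;
# on older builds use SSLProxyCheckPeerCN).
SSLProxyVerify            require
SSLProxyVerifyDepth       2
SSLProxyCACertificateFile /etc/httpd/ssl/tomcat-backend-ca.pem
SSLProxyCheckPeerName     On
SSLProxyCheckPeerExpire   On

# Forward /app to Tomcat over HTTPS. mod_proxy keeps a pool of backend
# connections per worker unless disablereuse=On is set, so the TLS
# handshake is not paid on every request.
ProxyPass        /app https://tomcat.internal.example:8443/app retry=5 disablereuse=Off
ProxyPassReverse /app https://tomcat.internal.example:8443/app

# Option 1 from the mail, for comparison: keep the worker on plain AJP
# (needs mod_proxy_ajp loaded) but point it at a local port that an SSH
# tunnel forwards to the Tomcat box, e.g. run on the httpd host:
#   ssh -N -L 127.0.0.1:8009:127.0.0.1:8009 httpd@tomcat.internal.example
#ProxyPass        /app ajp://127.0.0.1:8009/app
#ProxyPassReverse /app ajp://127.0.0.1:8009/app
```

With the verify directives in place, a backend presenting a self-signed or mismatched certificate makes httpd return 502 for the proxied path and log the handshake failure in the SSL error log, which is the quickest check that the CA file and peer-name settings are actually being enforced rather than silently ignored.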

