httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat
Date Tue, 12 Apr 2016 23:44:00 GMT

--- Comment #16 from Yann Ylavic <> ---
(In reply to from comment #14)
> We want to use the attribute. We'll worry about the separate issue of
> protected transport elsewhere. Make sense?

(In reply to Dmitry A. Bakshaev from comment #15)
> this patch just adds lost functionality to mod_proxy_ajp, a lot of time
> working in mod_jk+tomcat.

Fair enough, there seem to (still) be attraction to it, so committed in
r1738878, let's see what others say...

> a typical usage scenario:
> client(browser) - https(internet) - apache
> httpd(ssl-termination-acceleration) - mod_proxy_ajp - ajp -
> localhost(trusted area) - apache tomcat(application)
> "secret" need to "bind" multiple url on apache httpd to multiple tomcat
> instances or connectors one-to-one, to protect from fake ajp requests from
> other application and users from same host(localhost).

I can grok the "isolation" argument (prevent requests from reaching unexpected
services), but not the security one.
This is definitively not a security feature (like SSLv2 isn't anymore), and
shouldn't be presented as such.
As I said earlier, either localhost is trusted or it is not, and in the latter
case "secret" won't change anything (significantly).

> "secret" works like "identification", not crypto-blablabla...
> ssl,encryption&etc is separate question.

This is called "authentification" in crypto, not blah, and it's probably the
only way to achieve security goals, if any...

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message