httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject Re: mod_proxy_ajp or mod_proxy_http?
Date Fri, 22 Jun 2007 02:17:47 GMT

"Bill Stoddard" <> wrote in message
> William A. Rowe, Jr. wrote:
>> Bill Stoddard wrote:
>>> I'm trying to understand why mod_proxy_ajp exists and what it provides
>>> that mod_proxy_http doesn't.
>>> ajp13 is a binary protocol which should make the ajp13 tomcat connector
>>> a bit more efficient than the http11 connector; an incremental
>>> performance improvement. obtained at the expense of added complexity.
>>> Does mod_proxy_ajp provide any other function not available in
>>> mod_proxy_http? I'm trying to decide which horse to put my chips on :-)
>> If it works, mod_proxy_ajp - efficient fast and slightly easier to 
>> secure.
> Thanks for the info everyone!
> Bill,
> mod_proxy_ajp is easier to secure?  Does mod_proxy_ajp support SSL?

There are way too many Bills on this thread :).

At the moment, mod_proxy_ajp (as well as mod_jk) doesn't support encryption 
between httpd and Tomcat/Geronimo/GlassFish.  For most people, this isn't a 
big deal, since the connection is going over an internal network (or even 
localhost), so if the black hats can set up a man-in-the-middle, you have 
way bigger problems on your hands :).  Most people that need encryption 
(e.g. going over a WAN) use SSH tunneling to solve the problem.

Mostly, the 'easier to secure' is that since you can pick your port, you can 
configure firewall rules for that port accordingly.  It looks like 
mod_proxy_ajp supports the 'secret' feature, where Tomcat (properly 
configured) will only respond if mod_proxy_ajp sends the correct 'secret' 
string with the request.  Basically a password auth (somewhat like BASIC), 
that is marginally useful if the port is exposed to the internet, but pretty 
much useless against a man-in-the-middle attack since it is sent in the 

> Bill

View raw message