httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Lavi" <ml...@sgi.com>
Subject RE: [users@httpd] Apache SSL DMZ mod_jk Security concerns
Date Mon, 12 Feb 2007 23:06:04 GMT
What you have described is the entire purpose for a DMZ: a private
network zone that can only be accessed through known end points on other
networks so that interception from the outside is not possible. If you
can validate your DMZ, then your unencrypted traffic from your web
servers to your application servers should be safe.

If you cannot validate your network, then you need investigate other
methods (like stunnel, as you mentioned) and/or how to audit your
network -- which is entirely out of scope for the Apache users
discussion.

Security is not static: it is only assured so long as you continue to
corroborate that your web application, web servers, server OS, DMZ, and
application servers are intact (through security audits) and up to date
with security patches.

--Mark 
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
-----Original Message-----
From: AFrieze [mailto:AFrieze@simmgene.com] 
Sent: Monday, February 12, 2007 1:37 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache SSL DMZ mod_jk Security concerns

Hi,

  I am running an apache 2.2.3 web server which is located in the 
firewall's DMZ.  Our web server communicates with several tomcat nodes 
located within  the firewall's internal network via mod_jk 1.2.20.  I 
have successfully configured SSL on our Apache server and would like to 
begin accepting credit card payments.  I understand that the 
communication from the client's browser to the Apache web server will be

encrypted, but the communication from the server to the tomcat nodes 
through mod_jk will not.  My understanding of a DMZ leads me to believe 
that this should be safe.  Am I correct in believing that for someone to

read the unencrypted communication from the apache server to the tomcat 
nodes, one would have to gain access to the DMZ's network, or the 
internal network.  The firewall allows only HTTP and HTTPS into the DMZ 
and nothing is allowed into the internal network except a connection 
from the DMZ on a specific port to the tomcat nodes.  I am slightly 
worried that there is an easy way for someone to monitor the DMZ's 
traffic that I am missing.  I have considered using a stunnel from 
apache to tomcat but would prefer to avoid this if possible.  The server

has also passed a HackerGuardian Scan.

Any advice on my setup would be appreciated, or any notes on other 
possible vulnerabilities. 
 
 Thank you
 AFrieze

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message