httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Unencrypted Channel From Web Server To App Server
Date Sun, 02 Mar 2008 23:59:00 GMT
James Ellis wrote:
> Is it correct to say that in a typical Browser-Apache Web Server-Tomcat 
> App Server setup, the SSL connection generally terminates at the Apache 
> web server and the traffic between Apache and Tomcat (to the AJP 
> connector) is unencrypted?  If I am correct that this is the "usual" 
> setup, then isn't this a pretty big security flaw since the DMZ is 
> supposed to be only "partly" safe?
> 
> If someone were to crack into the DMZ and could sniff network traffic, 
> then they could in theory listen in to traffic and grab all of it in an 
> unencrypted state (which may include credit card information, usernames, 
> passwords etc).

Yes.  This design relies on the integrity of the network beyond the DMZ.

A good solution is to use proxy_http over ssl and the https connector for
the last mile, if this is a concern in the environment you have deployed.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
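As an added illustration of the advice above (not configuration from the original message or from the Apache project), here is an httpd virtual host that re-encrypts the "last mile" to Tomcat with mod_proxy_http over TLS and verifies the backend certificate, with the plaintext AJP setup James describes shown commented out beside it. Hostnames, ports, and file paths are assumptions for illustration.

```apache
# Added example, not from the original message. Front-end httpd (2.2 or 2.4)
# terminates the browser's TLS session and opens a second TLS session to
# Tomcat's HTTPS connector instead of sending plaintext AJP across the DMZ.
# All hostnames, ports and paths below are assumed values.

LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Weak setting (the setup James asks about): TLS ends here and the hop
    # to Tomcat's AJP connector crosses the DMZ in the clear.
    #ProxyPass        / ajp://tomcat.internal.example.com:8009/
    #ProxyPassReverse / ajp://tomcat.internal.example.com:8009/

    # Corrected setting: proxy to Tomcat's HTTPS connector and require a
    # backend certificate chaining to the internal CA, so a host that has
    # been compromised inside the DMZ cannot sniff the hop or pose as Tomcat.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt
    # Check that the backend certificate's CN matches the proxied hostname
    # and that it has not expired (on httpd 2.4.5 or later, prefer the
    # subjectAltName-aware SSLProxyCheckPeerName On as well).
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    ProxyPass        / https://tomcat.internal.example.com:8443/
    ProxyPassReverse / https://tomcat.internal.example.com:8443/
</VirtualHost>
```

On the Tomcat side this requires an HTTPS connector (a `<Connector>` with `SSLEnabled="true"` on the proxied port, 8443 in the assumed values) whose certificate is issued by the CA in `SSLProxyCACertificateFile`; mod_proxy_ajp has no TLS option, which is why the last mile switches from AJP to HTTP. Without `SSLProxyVerify require`, httpd accepts any certificate the backend presents, so the hop is encrypted but not authenticated. Run `apachectl configtest` after editing, and confirm the chain the backend actually presents with `openssl s_client -connect tomcat.internal.example.com:8443 -CAfile /etc/httpd/ssl/internal-ca.crt` before expecting the proxy to connect.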

