httpd-users mailing list archives

From Sean Allen <s...@ardishealth.com>
Subject Re: [users@httpd] Unencrypted Channel From Web Server To App Server
Date Mon, 03 Mar 2008 04:07:26 GMT

On Mar 2, 2008, at 7:20 PM, James Ellis wrote:

> Inline:
>
> > Date: Sun, 2 Mar 2008 17:59:00 -0600
> > From: wrowe@rowe-clan.net
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] Unencrypted Channel From Web Server To App Server
> >
> > James Ellis wrote:
> > > Is it correct to say that in a typical Browser-Apache Web Server-Tomcat
> > > App Server setup, the SSL connection generally terminates at the Apache
> > > web server and the traffic between Apache and Tomcat (to the AJP
> > > connector) is unencrypted? If I am correct that this is the "usual"
> > > setup, then isn't this a pretty big security flaw since the DMZ is
> > > supposed to be only "partly" safe?
> > >
> > > If someone were to crack into the DMZ and could sniff network traffic,
> > > then they could in theory listen in to traffic and grab all of it in an
> > > unencrypted state (which may include credit card information, usernames,
> > > passwords etc).
> >
> > Yes. This design relies on the integrity of the network beyond the DMZ.
>
> I am assuming the following design:
>
> browser
> FIREWALL (BEGIN DMZ)
> web server
> FIREWALL (END DMZ)
> app server/database server
>
> You say it relies on the integrity of the network "beyond" the DMZ, but my
> point is that doesn't this design also rely on the integrity WITHIN the DMZ?
> Since SSL is ending at the web server here...traffic from the web server to
> the app server would be unencrypted...
>
> >
> > A good solution is to use proxy_http over ssl and the https connector for
> > the last mile, if this is a concern in the environment you have deployed.

And this right here:

> > A good solution is to use proxy_http over ssl and the https connector for
> > the last mile

states exactly that: running the web server to app server hop via an SSL
proxy rather than just a regular HTTP proxy.
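As an added illustration of the "proxy_http over ssl" setup Bill recommends (this is example configuration written for this page, not something posted in the thread), here is an httpd snippet that shows the usual cleartext hop to Tomcat commented out, followed by the TLS-protected version. The host name tomcat.internal.example, the ports and the certificate paths are placeholders.

```apache
# Added example, not from the original thread. Host names, ports and
# file paths are assumptions. Needs mod_proxy, mod_proxy_http and mod_ssl
# loaded in this httpd.

# --- The "usual" setup the original poster describes: TLS ends at httpd
# and the hop to Tomcat goes over AJP (or plain HTTP) in the clear, so
# anyone able to sniff the DMZ segment sees the decrypted request bodies.
# mod_proxy_ajp has no TLS mode, which is why the fix switches to HTTP.
# ProxyPass        /app ajp://tomcat.internal.example:8009/app
# ProxyPassReverse /app ajp://tomcat.internal.example:8009/app

# --- Last mile over TLS: mod_proxy_http speaks HTTPS to Tomcat's SSL
# connector instead.
SSLProxyEngine on

# Encrypting the hop is not enough on its own: httpd must also verify that
# the peer really is the app server, otherwise a host on the DMZ segment
# could interpose itself and still read everything. Pin the verification
# to the internal CA that issued Tomcat's certificate.
SSLProxyVerify            require
SSLProxyVerifyDepth       2
SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt
SSLProxyCheckPeerCN       on

ProxyPass        /app https://tomcat.internal.example:8443/app
ProxyPassReverse /app https://tomcat.internal.example:8443/app
</VirtualHost>
```

Note the closing `</VirtualHost>` above assumes the snippet sits inside a `<VirtualHost *:443>` block that also terminates the browser-facing TLS; drop it if you place the directives at server scope. On the Tomcat side this needs the HTTPS connector enabled in server.xml, i.e. a `<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="..." keystorePass="..."/>`, whose certificate is issued by the CA named in SSLProxyCACertificateFile. If the app server should also authenticate httpd, add a client certificate with SSLProxyMachineCertificateFile and set clientAuth="true" on the connector. Check the result from a DMZ host with a packet capture of port 8443: with the directives in place the application payload is no longer readable on the wire.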



