httpd-users mailing list archives

From Andy Wang <aw...@ptc.com>
Subject Re: [users@httpd] Secured connection between Apache Httpd and Tomcat over AJP protocol
Date Wed, 25 May 2016 15:12:59 GMT


On 05/25/2016 09:16 AM, Mohanavelu Subramanian wrote:
> Hi All,
>
> Good Morning.
>
> I have Httpd process and Tomcat instances both running on 2 different
> machines. The communication between them happens through AJP protocol
> (mod_jk) which doesn't support encryption. But we are using some features
> of mod_jk like automatic passing of security information like SSL
> certificate to tomcat which in turn is accessed in our application,
> validated and verified.
>
> Now, we have a requirement to make the communication between them secure.
> Since AJP doesn't support encryption, I came to know that we need to use
> SSH, IPSec. But I could not find any proper document to configure SSH or
> IPSec for AJP. Could you please share if you have any.
>
> I have considered mod_proxy_http as well for supporting security which
> is easy to configure as well. But as I mentioned above we are already
> making use of mod_jk features. Again it will require more effort to
> migrate from mod_jk to mod_proxy_http.
>
> Any other suggestions please.
>
> Thanks in Advance.

There is no tomcat specific documentation to configure ssh or ipsec.

IPSec is an infrastructure solution where you're basically creating a 
secure vpn tunnel between two ip endpoints.  That seems massive overkill 
to encrypt AJP.

For SSH, you're simply creating a tunnel via ssh between a local port 
and a remote port.  There's nothing tomcat specific about it other than 
knowing what ports to pick for each end of the tunnel.  See
http://www.revsys.com/writings/quicktips/ssh-tunnel.html
(or google ssh tunnel for your own examples).

Another common tool for this purpose is stunnel which is similar in
fashion to an ssh tunnel but a tool specifically designed for
tunneling plaintext protocols in SSL.

Andy
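
The stunnel approach from the reply above, sketched as an added example (not part of the original message): a client-mode stunnel on the httpd host and a server-mode stunnel on the Tomcat host carry AJP over mutually authenticated TLS, so mod_jk itself is unchanged. Host names, port 8010 and all file paths are assumed placeholders.

```ini
; ---- httpd host: /etc/stunnel/ajp-client.conf (placeholder path) ----
; mod_jk keeps speaking plain AJP, but only to the loopback end of the tunnel.
; In workers.properties:
;   worker.<name>.host=127.0.0.1
;   worker.<name>.port=8009
[ajp-out]
client = yes
accept = 127.0.0.1:8009
connect = tomcat.example.internal:8010
; certificate this side presents to the Tomcat-side stunnel
cert = /etc/stunnel/httpd-client.pem
key = /etc/stunnel/httpd-client.key
; verify the server certificate chain and the host name in it
CAfile = /etc/stunnel/ajp-ca.pem
verifyChain = yes
checkHost = tomcat.example.internal

; ---- Tomcat host: /etc/stunnel/ajp-server.conf (placeholder path) ----
; Tomcat's AJP connector is bound to loopback, so the TLS listener below
; is the only path to it from other machines. In server.xml:
;   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" />
[ajp-in]
accept = 8010
connect = 127.0.0.1:8009
cert = /etc/stunnel/tomcat-server.pem
key = /etc/stunnel/tomcat-server.key
; accept only peers holding a certificate issued by this CA
CAfile = /etc/stunnel/ajp-ca.pem
verifyChain = yes
```

Since Tomcat trusts what arrives over AJP, including the forwarded SSL certificate information mentioned in the question, the client-certificate check on the Tomcat side matters as much as the encryption.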

