tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yoav Shapira" <yo...@apache.org>
Subject Re: mod_proxy_ajp vs mod_jk
Date Wed, 18 Oct 2006 14:21:30 GMT
Hi,
Fred, I think you may be confusing IPFilter (the Solaris-specific
package) with a generic IP filter.  I might be misunderstanding Mladen
myself, but I think he meant a simple configuration of Tomcat's Remote
Address Valve (http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html)
or a similar component at the javax.servlet.Filter level.

Yoav

On 10/18/06, fredk2 <fredk2@gmail.com> wrote:
>
> Hi Mladen,
>
> <my apologies for the reply format>
>
> I am curious about your last statement.
> I understant that an ip filter is more secure. However, if I am not
> mistaken, to setup IPFilter you need to be a sysadmin (aka Root) and you can
> lock yourself out if you do not have physical access to the server(s), right
> ?
>
> So why not a secret word ? It is easy to set and correct. If the file access
> permissions are applied properly you can then be certain that the tomcat
> will only communicate with the proper Apache(s).  I am sure that the
> security gurus would like to see SSL, but that is another thread:)
>
> Thanks - Fred
>
> (Interesting, I just saw that IPFilter is now bundled in Solaris 10, but
> many Linux ship with IPTables :(
>
>
> Mladen Turk wrote:
> >
> > Rainer Jung wrote:
> >> Hi,
> >>
> >> fredk2 wrote:
> >>> The question is - how can you set secret in mod_proxy_ajp ?
> >>
> >> Not at the moment.
> >>
> >>> If this feature is not (yet) implemented, can this be easily added -
> >>> aka can
> >>> we expect this in a later version :) ?
> >>>
> >>> Please let me know if this post should be made on apache-httpd dev
> >>> forum.
> >>
> >> You'll reach Mladen, who ported mod_jk to mod_proxy_* on this list, but
> >> you should better post to httpd-dev to make sure, all the other
> >> developers are able to read it.
> >>
> >
> > This feature is pretty much useless and gives no higher
> > security whatsoever. The same thing can be done by IP Filter
> > in Tomcat, that would give much higher security then this.
> >
> > Regards,
> > Mladen.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: dev-help@tomcat.apache.org
> >
> >
> >
>
> --
> View this message in context: http://www.nabble.com/mod_proxy_ajp-vs-mod_jk-tf2463710.html#a6877291
> Sent from the Tomcat - Dev mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message