From: Christopher Schultz
To: Tomcat Users List
Date: Wed, 10 Jan 2007 09:20:04 -0500
Subject: Re: the best method to secure Apache/tomcat communication

Lmk,

lmk wrote:
> I have a question concerning the use of Apache server in front of Tomcat. At
> the present time, we use Tomcat 4, AJP, Apache 2.2 and mod_jk to manage load
> balancing. It works roughly fine, but new security rules require [encrypting] the
> traffic between 2 web servers.
> We can't use a solution like IPSEC or a VPN tunnel. So, I think to replace
> mod_jk with mod_proxy, but how to replace the mod_jk load balancer?

What about using an ssh tunnel? The only problem with that is you will need to monitor the ssh connection for disconnects and reconnect if necessary.

Are all your servers in the same data center? Often, server farms will have a primary network interface used for communicating with the Internet, and then a secondary network interface to a private network that includes nothing but your own servers. Often, you can use a faster network than is available to the outside (perhaps gigabit ethernet if the rest of the center runs on 100baseT, or even better if your data center will provide it).

Then, your servers can communicate on their own private network. As long as you trust that network, you can avoid encryption and enjoy better performance.

-chris
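The ssh tunnel with disconnect monitoring suggested in the reply, sketched as an added example that is not part of the original message: a POSIX shell supervisor that forwards the AJP port over ssh and reconnects with capped backoff. The host name, account name, port numbers and the loopback-only AJP connector are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: host, account, ports.
TOMCAT_HOST="${TOMCAT_HOST:-tomcat1.example.internal}"  # assumed backend host
TUNNEL_USER="${TUNNEL_USER:-ajptunnel}"                 # assumed no-shell account
LOCAL_PORT="${LOCAL_PORT:-8009}"    # mod_jk worker: host=127.0.0.1, this port
REMOTE_PORT="${REMOTE_PORT:-8009}"  # Tomcat AJP connector (assumed on loopback)
MAX_DELAY=60
SLEEP_CMD="${SLEEP_CMD:-sleep}"     # overridable so the loop can be tested

# Both ends of the forward stay on loopback, so AJP never crosses the
# network in cleartext and nothing else on the LAN can reach the port.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s' "$LOCAL_PORT" "$REMOTE_PORT"
}

# ServerAlive* makes ssh exit within ~45s when the peer stops answering;
# ExitOnForwardFailure makes it exit if the local port cannot be bound.
run_tunnel() {
    ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -L "$(forward_spec)" "${TUNNEL_USER}@${TOMCAT_HOST}"
}

# Double the reconnect delay, capped at MAX_DELAY seconds.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    echo "$d"
}

# supervise MAX_EXITS CMD...: rerun CMD whenever it exits (0 = forever).
# Prints the number of exits seen when MAX_EXITS is reached.
supervise() {
    limit=$1; shift
    exits=0; delay=1
    while :; do
        started=$(date +%s); rc=0
        "$@" || rc=$?
        exits=$((exits + 1))
        echo "tunnel exited rc=$rc (exit #$exits)" >&2
        if [ "$limit" -gt 0 ] && [ "$exits" -ge "$limit" ]; then
            echo "$exits"; return 0
        fi
        # A tunnel that stayed up a minute was healthy: reset the backoff.
        if [ $(( $(date +%s) - started )) -ge 60 ]; then delay=1; fi
        "$SLEEP_CMD" "$delay"
        delay=$(next_delay "$delay")
    done
}

if [ "${1:-}" = "run" ]; then supervise 0 run_tunnel; fi
```

With several Tomcat backends behind the mod_jk load balancer, run one supervisor per backend, each with its own LOCAL_PORT, and point each worker at 127.0.0.1 and that port.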