From: James Ellis
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: mod_jk or mod_proxy_ajp - encryption benefits?
Date: Sun, 2 Mar 2008 20:22:42 +0000
In-Reply-To: <47CAE0E8.7020702@kippdata.de>

Inline:

> Date: Sun, 2 Mar 2008 18:16:24 +0100
> From: rainer.jung@kippdata.de
> To: users@tomcat.apache.org
> Subject: Re: mod_jk or mod_proxy_ajp - encryption benefits?
>
> James Ellis wrote:
> > I know that mod_jk is the battle tested connector between Apache and
> > Tomcat, but as I understand it the SSL connection generally
> > terminates at the Apache web server and the traffic between Apache
> > and Tomcat (to the AJP connector) is unencrypted. Two questions:
> >
> > 1) Does mod_proxy_ajp provide for any encryption between the web
> > server and the app server (Tomcat) that mod_jk does not?
>
> No, the AJP13 protocol does not support encryption. Both connectors use
> the same protocol. If you need to use encrypted traffic with AJP13, you
> could tunnel through an encrypted channel.

Is this the common practice then when communicating from the web server to the application server?

If not, it seems like an awfully big security hole, since the DMZ is supposed to be only "partly" safe. If someone were to crack into the DMZ and could sniff network traffic, then they could in theory listen in to traffic and grab all of it in an unencrypted state (which may include credit card information, usernames, passwords etc).

> > 2) If the answer to number 1 above is "NO". Is it possible to keep the server
> > certificates on the app servers and so that the connection from the
> > client to the app server is encrypted all the way through? In this
> > case the apache web server would simply function as a load
> > balancer/failover solution.
>
> Again no. We are talking about a reverse proxy situation and as far as I
> know, you can't reverse proxy https without having an ssl endpoint on
> the apache httpd.
>
> For a normal (forward) proxy, httpd supports connect, but I don't know
> how well this works in the real world.
>
> You could also ask on the httpd users list, maybe they know better.
>
> > Thanks, Jim
>
> Regards,
>
> Rainer
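The practical consequence of the thread (AJP carries the proxied traffic in clear text, so the only protections are an encrypted tunnel, binding the connector to an interface the tunnel terminates on, and a shared secret) can be turned into a configuration check. The following script is an added example written for this archive page, not code from the thread or from the Tomcat or mod_jk projects. It parses a Tomcat `server.xml`, picks out every `AJP/1.3` connector, and flags those that listen on a non-loopback address or carry no `requiredSecret`. It assumes the `address` and `requiredSecret` connector attributes (real Tomcat attributes; `requiredSecret` was later renamed `secret` in current releases, and in Tomcat versions of this thread's era an absent `address` meant "all interfaces"). The embedded `server.xml` is a constructed sample, not a real deployment.

```python
import xml.etree.ElementTree as ET

# Addresses on which an AJP listener is only reachable from the same host,
# i.e. the place an stunnel/ssh endpoint would forward into.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml (not from any real deployment). The 8009
# connector is the stock layout the thread worries about; the 8019 connector
# is bound to loopback (behind an encrypted tunnel) and has a shared secret.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="PLACEHOLDER-SHARED-SECRET" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector: port, effective bind address,
    and a list of issues (empty when the connector looks acceptable)."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope here
        address = conn.get("address")  # absent => listens on all interfaces
        issues = []
        if address is None or address not in LOOPBACK:
            issues.append(
                "listens on a non-loopback address: AJP traffic crosses the "
                "network unencrypted unless a tunnel terminates on this host"
            )
        if not conn.get("requiredSecret"):
            issues.append(
                "no requiredSecret: any host that can reach the port can "
                "submit AJP requests to this Tomcat"
            )
        findings.append(
            {"port": conn.get("port"), "address": address or "0.0.0.0", "issues": issues}
        )
    return findings


def count_risky(findings):
    """Number of AJP connectors with at least one issue."""
    return sum(1 for f in findings if f["issues"])


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "REVIEW"
        print(f"[{status}] AJP port {f['port']} on {f['address']}")
        for issue in f["issues"]:
            print(f"    - {issue}")
```

Run it against a real `server.xml` by replacing `SAMPLE_SERVER_XML` with the file's contents; a connector that shows up as `REVIEW` is one where, as Rainer says, the AJP13 bytes themselves are not protected and the surrounding network and tunnel configuration has to be.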