tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hassan Schroeder <hassan.schroe...@gmail.com>
Subject Re: AJP vs HTTP connectors?
Date Tue, 03 Feb 2009 16:08:06 GMT
On Tue, Feb 3, 2009 at 7:38 AM, Eric B. <ebenze@hotmail.com> wrote:

> Is there any documentation / howtos available for securely setting up
> mod_proxy_http and/or mod_proxy_ajp with tomcat?  The little that I
> know/remember about mod_proxy_http is that if you're not careful, you can
> end up with some major security holes in your installation.

Do you have any references to substantiate that?

Because a quick google turns up *one* reference to a DoS attack
vulnerability in Apache httpd 2.0 -- which requires the "attacker" to
*own* the system being proxied to, an unlikely scenario IMHO.

And for the record I prefer mod_proxy_http because I can monitor
all active production connectors with standard http requests using
e.g. Nagios, as well as manually check with a browser.

So I'd definitely be interested in hearing more about any other known
vulnerabilities.

H*
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message