tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hassan Schroeder <>
Subject Re: AJP vs HTTP connectors?
Date Tue, 03 Feb 2009 16:08:06 GMT
On Tue, Feb 3, 2009 at 7:38 AM, Eric B. <> wrote:

> Is there any documentation / howtos available for securely setting up
> mod_proxy_http and/or mod_proxy_ajp with tomcat?  The little that I
> know/remember about mod_proxy_http is that if you're not careful, you can
> end up with some major security holes in your installation.

Do you have any references to substantiate that?

Because a quick google turns up *one* reference to a DoS attack
vulnerability in Apache httpd 2.0 -- which requires the "attacker" to
*own* the system being proxied to, an unlikely scenario IMHO.

And for the record I prefer mod_proxy_http because I can monitor
all active production connectors with standard http requests using
e.g. Nagios, as well as manually check with a browser.

So I'd definitely be interested in hearing more about any other known

Hassan Schroeder ------------------------

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message