tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Secure AJP over ssl
Date Wed, 23 Feb 2011 19:56:27 GMT
> It is not that I am wedded to any particular implementation, it is just each
> change requires board approval.
> A change for reconfiguring the enabled modules in apache. [we can skip this if
> we stay with mod_proxy_ajp, as it was already approved]
> A change for opening up a port on the apache box

Personally, in such a case I would see the solution with an SSH or VPN tunnel as much 
simpler to put in place, and requiring much less "opening of ports".

You have 2 machines : A running httpd, B running Tomcat.
In machineA, you have a mod_jk setup which says something like

So let's say you change this to

and you set up an SSH or VPN tunnel on localhost, listening on port 8009 and accepting 
connections only from localhost. This tunnel connects to machine B, where the receiving 
end forwards the data to localhost:8009 on B.

On machine A, you have not opened an additional port (at least not one accessible from 
outside of machine A).
On machine B, in all likelihood the SSH port is already open (and if not, you could have 
it listen on an arbitrary port, but accepting connections only from machine A).

All the changes are transparent to Apache (apart from the above 1 line) and to Tomcat 
And you save yourself the hassle in setting up mod_proxy_http on Apache, and a HTTPS 
Connector on Tomcat, with all the baggage attached to it.
And you may save yourself changes in your authentication setup, since it will continue to

use AJP and pass the user credentials as it does right now.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message