tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: SSl Query-- please help
Date Sun, 21 Oct 2012 15:20:46 GMT
Aladin Dajani wrote:
> Hello,
> Terminating SSL at the Apache level assumes all tomcat servers behind
> Apache are on a secure, externally inaccessible, network.  

My response assumed that, and assumed that the OP wanted to continue using mod_jk for 
whatever reason.

> But In
> cloud-based, hosted systems, there is no guarantee someone isn't
> listening.  Does this make a case for securing Apache<->tomcat
> communication?

One could easily argue that if those servers are on different "cloud-based, hosted 
systems", any thought of a high level of security is a bit of a stretch anyway.

And that anyone who manages to usefully listen on those links, is probably already so deep 
inside your cloud infrastructure that this is not the worst they're doing.

Or that the risk of ditto, compared to the risk constituted by umpteen buggy and 
virus-infected user workstations, pales into insignificance.

In an absolute sense though, you are right.  If you want to really secure the 
Apache-Tomcats link, then you will have to re-encrypt the data at the Apache level and 
decrypt it at the Tomcat level.
You could probably do this using mod_proxy_http instead of mod_jk (and a HTTPS Connector 
in Tomcat).  But you should then also accept the overhead.

Or you could set up SSL tunnel connections for AJP between Apache and Tomcat, but the 
overhead would still be there.

> 
> 
> On Oct 21, 2012, at 6:09 AM, "vicky007aggarwal@yahoo.co.in"
> <vicky007aggarwal@yahoo.co.in> wrote:
> 
>> Thanks André for such an elaborate reply.
>> Just want to check another thing: is it possible to set up SSL at the Tomcat level using
>> the mod_proxy module? But I think it does not work in the load-balancing case. Is my
>> understanding correct?
>>
>> Thanks for your support,
>> Vicky
>>
>>
>>
>> On Oct 20, 2012, at 7:21 PM, André Warnier <aw@ice-sa.com> wrote:
>>
>>> vivek aggarwal wrote:
>>>> Hello All,
>>>> I need to set up SSL over my Tomcat, which I am able to do by generating a
>>>> self-signed certificate using keytool.
>>>> But when I am redirecting the request from Apache using the "mod_jk" module
>>>> it is not working.
>>>> I am not sure how to make Apache & Tomcat work in SSL when using the mod_jk
>>>> module, as I need load balancing.
>>>> Can someone please share the steps for doing SSL setup when Apache is used
>>>> along with Tomcat?
>>> A simplified graphical view of the recommended setup :
>>>
>>> browser <- HTTPS -> Apache + mod_jk <- AJP -> Tomcat-1 (AJP Connector)
>>>                                   <- AJP -> Tomcat-2 (AJP Connector)
>>>                                   ...
>>>                                   <- AJP -> Tomcat-n (AJP Connector)
>>>
>>> In other words, you should handle the HTTPS/SSL at the front-end Apache httpd
>>> level, not at the Tomcat level.  (This is also sometimes called "terminating SSL at the Apache
>>> level").
>>> The reason is that the AJP protocol does not support HTTPS/SSL (so, there is
>>> no way to set up the AJP Connector in Tomcat for SSL) (and no way to set up mod_jk to "talk
>>> SSL to Tomcat").
>>> What the Apache/mod_jk combination can do however, is pass on all the required
>>> SSL headers of the original requests to Tomcat, over the AJP connection, so that a Tomcat
>>> application could make use of them.
>>>
>>> To see how to set up Apache for SSL, check the Apache httpd on-line documentation.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 
> 
> 


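The two layouts discussed in this thread, written out as an added httpd configuration example; this is not configuration posted by any participant. Option A is the recommended setup (HTTPS terminated at httpd, plaintext AJP to the Tomcat nodes, SSL attributes forwarded by mod_jk); option B is the "accept the overhead" alternative André mentions (mod_proxy_http re-encrypting to an HTTPS Connector on each Tomcat), shown with mod_proxy_balancer so that it also covers the load-balancing case the original poster needs. All host names, IP addresses, file paths, the `CHANGE-ME` secret and the module names (given as in httpd 2.4) are assumptions; the Tomcat `secret`/`secretRequired` AJP attributes are newer than this thread and are noted as such.

```apache
# Added example (not from the thread): one front-end httpd that terminates
# the browser's HTTPS and load-balances two Tomcat nodes. All host names,
# IPs, paths, the JSESSIONID cookie name and the "CHANGE-ME" secret are
# placeholders. Use EITHER option A OR option B, not both at once.

# ---- Option A: the setup recommended in the thread (mod_ssl + mod_jk, AJP) ----
# The AJP link stays plaintext, so it relies on the back-end network being
# private. Two mitigations on the Tomcat side (server.xml, every node):
#   <Connector port="8009" protocol="AJP/1.3" address="10.0.0.11"
#              secretRequired="true" secret="CHANGE-ME" redirectPort="443"/>
#   - address= binds AJP to the private interface only
#   - secret/secretRequired (Tomcat 8.5.51 / 9.0.31 and later, newer than
#     this 2012 thread) reject AJP peers that do not present the shared secret
LoadModule jk_module modules/mod_jk.so

# workers.properties (path assumed), one "lb" worker over two ajp13 workers:
#   worker.list=lb
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=10.0.0.11
#   worker.tomcat1.port=8009
#   worker.tomcat1.secret=CHANGE-ME
#   worker.tomcat2.type=ajp13
#   worker.tomcat2.host=10.0.0.12
#   worker.tomcat2.port=8009
#   worker.tomcat2.secret=CHANGE-ME
#   worker.lb.type=lb
#   worker.lb.balance_workers=tomcat1,tomcat2
#   worker.lb.sticky_session=1
# Sticky sessions need jvmRoute="tomcat1" / "tomcat2" on each Tomcat <Engine>.
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info

<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Forward the SSL attributes of the original request over AJP, so that
    # request.isSecure(), the cipher, key size and any client certificate are
    # visible to the webapp although the httpd->Tomcat hop itself is plaintext.
    JkExtractSSL        On
    JkHTTPSIndicator    HTTPS
    JkSESSIONIndicator  SSL_SESSION_ID
    JkCIPHERIndicator   SSL_CIPHER
    JkCERTSIndicator    SSL_CLIENT_CERT
    JkKEYSIZEIndicator  SSL_CIPHER_USEKEYSIZE
    JkOptions           +ForwardKeySize

    JkMount /myapp/* lb
</VirtualHost>

# ---- Option B: re-encrypt httpd -> Tomcat (mod_proxy_http + Tomcat HTTPS Connector) ----
# This is the "accept the overhead" variant: a second TLS handshake per back-end
# connection. Tomcat side, every node (certificate for the node's own name,
# issued by an internal CA that httpd trusts; keystore details assumed):
#   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
#              scheme="https" secure="true" clientAuth="false"
#              keystoreFile="conf/tomcat1.jks" keystorePass="CHANGE-ME"/>
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_http_module          modules/mod_proxy_http.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Without verification the back-end TLS only hides traffic from a passive
    # listener; with it, an on-path host cannot impersonate a Tomcat node.
    # SSLProxyCheckPeerName / SSLProxyCheckPeerExpire need httpd 2.4.5 or later.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    <Proxy "balancer://tomcats">
        BalancerMember "https://tomcat1.internal:8443" route=tomcat1
        BalancerMember "https://tomcat2.internal:8443" route=tomcat2
        ProxySet stickysession=JSESSIONID|jsessionid lbmethod=byrequests
    </Proxy>
    ProxyPreserveHost On
    ProxyPass        "/myapp/" "balancer://tomcats/myapp/"
    ProxyPassReverse "/myapp/" "balancer://tomcats/myapp/"
</VirtualHost>
```

In option A the webapp still sees `request.isSecure() == true` and the browser's cipher and certificate details because mod_jk sends them as AJP request attributes; the hop itself is not encrypted, which is why the thread's "secure, externally inaccessible network" assumption matters. In option B the `SSLProxyVerify`/`SSLProxyCheckPeerName` lines are what turn the extra handshake into an actual guarantee; `SSLProxyEngine on` alone would encrypt but accept any certificate the peer presents.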

