tomcat-users mailing list archives

From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
Date Wed, 23 Sep 2015 21:05:04 GMT
srini_

On 23.09.2015 19:03, Srinivasan Raman wrote:
> Hi Graham,
> Unfortunately, the data needs to be encrypted if the communication is over TCP, even if it is to a process in the same VM.
> Any alternatives that you can suggest for getting Unix domain sockets to work with Tomcat? I did come across mention of a connector, JK, that mentions Unix Domain sockets - that's what got me interested in this.
> Thanks,
> srini_
>

You already got a response from Christopher, one of the Tomcat Committers.
Re-read it.

It basically boils down to this:
either
- you write this yourself from scratch, both at the Apache httpd (mod_jk/mod_proxy_ajp) and at the Tomcat level (AJP Connector)
or
- you convince whoever wrote that requirement that an internal TCP connection within the same host is no less secure than a Unix Domain socket

Your choice.

(Otherwise, look at "socat": http://www.dest-unreach.org/socat/)
(I am just kidding; you would end up with two local TCP connections instead of one. But it /would/ use a UDS in-between. And internally, it must be doing the kind of things needed to "adapt" TCP to UDS and vice-versa. So maybe looking at the source code may give you an idea of what would be involved).


>> Subject: Re: Need help understanding support for Unix Domain Sockets in Tomcat 7.0.x
>> From: minfrin@sharp.fm
>> Date: Wed, 23 Sep 2015 18:11:06 +0200
>> To: users@tomcat.apache.org
>>
>> On 23 Sep 2015, at 5:55 PM, Srinivasan Raman <srini_biz_@hotmail.com> wrote:
>>
>>> Sorry, I should have provided more details while posting the query.
>>> Due to a security policy that mandates that a certain type of sensitive data flowing over a communication channel must be encrypted, we are using SSL. If the communication channel were to be Unix Domain sockets, we do not need to encrypt the data, based on the data classification for this use-case.
>>
>> Would it be possible to confirm the need for encrypting traffic over localhost?
>>
>> Regards,
>> Graham
>> —
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
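
The kind of UDS-to-TCP adaptation the reply above attributes to socat, sketched as an added example (not part of the original message, and not socat's or Tomcat's code). The function names are hypothetical; the TCP side is assumed to be a connector bound to the loopback address, and the socket file is created with owner-only permissions.

```python
import os
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the receiving side."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass  # peer reset, or the socket was closed underneath us
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, tcp_addr):
    """Bridge one accepted UDS client to a fresh TCP connection."""
    with client:
        try:
            upstream = socket.create_connection(tcp_addr)
        except OSError:
            return  # backend not reachable: drop this client
        with upstream:
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)
            back.join()

def serve_uds_to_tcp(uds_path, tcp_addr):
    """Listen on uds_path and relay every client to tcp_addr (host, port)."""
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file gets mode 0600; umask is process-wide
    try:
        listener.bind(uds_path)  # raises OSError if the path already exists
    finally:
        os.umask(old_umask)
    listener.listen(16)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            threading.Thread(target=handle, args=(client, tcp_addr), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener
```

The relay only changes which local endpoint the client connects to; the hop from the relay to the backend is still a loopback TCP connection.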

