tomcat-users mailing list archives

From "Cheltenham, Chris" <ccheltenham-...@philasd.org>
Subject RE: Security of AJP
Date Wed, 28 Feb 2018 15:04:15 GMT
Chris,

Poor choice of words.
Not meaning it maliciously; just frustrated.
My apologies.

===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: Wednesday, February 28, 2018 9:26 AM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Chris,

On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> Since AJP is not really needed by Tomcat; If I comment out the AJP
> startup line in server.xml will that affect anything.
>
> I still don’t even understand what it's for. I have read the apache
> docs but it doesn’t mean anything to me. Apache's description doesn't
> tell me anything.
>
>
> The AJP Connector element represents a Connector component that
> communicates with a web connector via the AJP protocol. This is used
> for cases where you wish to invisibly integrate Tomcat into an
> existing (or new) Apache installation, and you want Apache to handle
> the static content contained in the web application, and/or utilize
> Apache's SSL processing.
>
> That is mumbo jumbo.

Is it?

Lots of things sound like "mumbo jumbo" if you have no basic understanding 
of the topic. I'm sure I wouldn't be able to understand a description of 
reverse-transcriptase inhibitors if I had never heard of the germ theory of 
medicine or DNA. But that doesn't make it "mumbo jumbo".

Documentation always requires a basic understanding of the topic before you 
begin. You can't learn English from scratch by simply picking up a 
dictionary and reading it start to finish. That description above is 
intended to be read by people who need to connect servers together, and 
already understand the ideas behind the mechanisms required to do such a 
thing.

AJP is a communications protocol (the third letter - P - stands for 
"protocol", just like in HTTP). Like HTTP, it carries web requests between 
two endpoints where one is the client and the other is the server.

The AJP Connector is a Connector (you have to understand what Tomcat means 
by "connector", here) that uses the AJP protocol (instead of HTTP). It only 
makes sense to use AJP with clients who can speak it.
AJP is really only useful between reverse-proxies (you have to understand 
what a reverse-proxy is, here) and Tomcat or other Java-based app servers.

If you don't understand any of these things, you generally don't have to 
worry about them.

If you don't need a reverse-proxy, you don't need AJP or the connector that 
speaks it.

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not secure,
>> and is meant to be used in a protective environment.
>> There are lots of things that imply this, like no SSL settings and
>> such, but I cannot find it directly stated anywhere.  I am pretty
>> confident in my read of this, but it is, of course, difficult to say
>> that "all options have been explored and it is not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption
> capabilities. If you want to secure it, you will have to use some
> tunneling technology such as a VPN, stunnel, etc.
>
>> First of all, am I correct in my assertion that it cannot be made
>> secure?
>
> Theoretically, it can be made to be secure, but it would require a
> great deal of work and honestly, it's probably not worth it. The
> protocol is mature and nobody really feels like retrofitting
> encryption into it.
>
>> And, if so, I would invite you (or us, the community!) to consider
>> modifying the documentation to state this.  Maybe something like:
>
>> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP
>> Connector element represents a Connector component that communicates
>> with a web connector via the AJP protocol. [This is an unencrypted
>> connector, intended for use in protected environments.] This is used
>> for cases where you wish to invisibly integrate Tomcat into an
>> existing (or new) Apache installation, and you want Apache to handle
>> the static content contained in the web application, and/or utilize
>> Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch?
> You'll get your name into the change log ;)
>
> -chris
>
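An added audit example for the server.xml point raised in this thread (my code, not from the list or the Tomcat project): it parses a server.xml, lists the AJP connectors that are actually enabled (a commented-out connector is discarded by the XML parser, which matches "comment it out to disable it"), and flags any that listen beyond loopback or carry no shared secret, since AJP is cleartext and should only be reachable from the reverse proxy. The `secret`/`requiredSecret` attributes and the sample server.xml are assumptions of the example, not something the thread states.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment): an AJP connector at
# its defaults (all interfaces, no secret), an HTTP connector, and an AJP
# connector that is commented out. ElementTree discards comments, so the
# commented-out connector is correctly treated as disabled.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/> -->
  </Service>
</Server>
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def find_ajp_connectors(server_xml: str) -> list:
    """One dict per enabled Connector that speaks AJP, whether written as
    protocol="AJP/1.3" or as the org.apache.coyote.ajp.Ajp*Protocol class."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        found.append({
            "port": conn.get("port"),
            "address": conn.get("address"),  # None: bound to all interfaces
            # Shared-secret attributes ('requiredSecret' on older Tomcat,
            # 'secret' on newer): not discussed in the thread, an assumption.
            "secret": conn.get("secret") or conn.get("requiredSecret"),
        })
    return found

def audit_ajp(server_xml: str) -> list:
    """One finding per way an enabled AJP connector is exposed."""
    findings = []
    for c in find_ajp_connectors(server_xml):
        if c["address"] not in LOOPBACK:
            findings.append(f"AJP port {c['port']} listens on "
                            f"{c['address'] or 'all interfaces'}: cleartext "
                            "protocol reachable beyond the reverse proxy")
        if c["secret"] is None:
            findings.append(f"AJP port {c['port']} has no shared secret")
    return findings

if __name__ == "__main__":
    for line in audit_ajp(SAMPLE_SERVER_XML) or ["no enabled AJP connectors"]:
        print(line)
```

Run it against a real server.xml by reading the file into a string and passing it to `audit_ajp`; an empty list means every AJP connector is either disabled or bound to loopback with a secret.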


