tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Security of AJP
Date Wed, 28 Feb 2018 14:25:53 GMT

Chris,

On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> Since AJP is not really needed by Tomcat; If I comment out the AJP
> startup line in server.xml will that affect anything.
> 
> I still don’t even understand what its for. I have read the apache
> docs but it doesn’t mean anything to me.. Apache's description
> doesn't tell me anything.
> 
> 
> The AJP Connector element represents a Connector component that
> communicates with a web connector via the AJP protocol. This is
> used for cases where you wish to invisibly integrate Tomcat into an
> existing (or new) Apache installation, and you want Apache to
> handle the static content contained in the web application, and/or
> utilize Apache's SSL processing.
> 
> That is mumbo jumbo.

Is it?

Lots of things sound like "mumbo jumbo" if you have no basic
understanding of the topic. I'm sure I wouldn't be able to understand
a description of reverse-transcriptase inhibitors if I had never heard
of the germ theory of medicine or DNA. But that doesn't make it "mumbo
jumbo".

Documentation always requires a basic understanding of the topic
before you begin. You can't learn English from scratch by simply
picking up a dictionary and reading it start to finish. That
description above is intended to be read by people who need to connect
servers together, and already understand the ideas behind the
mechanisms required to do such a thing.

AJP is a communications protocol (the third letter - P - stands for
"protocol", just like in HTTP). Like HTTP, it carries web requests
between two endpoints where one is the client and the other is the server.

The AJP Connector is a Connector (you have to understand what Tomcat
means by "connector", here) that uses the AJP protocol (instead of
HTTP). It only makes sense to use AJP with clients who can speak it.
AJP is really only useful between reverse-proxies (you have to
understand what a reverse-proxy is, here) and Tomcat or other
Java-based app servers.

If you don't understand any of these things, you generally don't have
to worry about them.

If you don't need a reverse-proxy, you don't need AJP or the connector
that speaks it.

- -chris

> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
> 
> Mark,
> 
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not
>> secure, and is meant to be used in a protective environment. 
>> There are lots of things that imply this, like no SSL settings
>> and such, but I cannot find it directly stated anywhere.  I am
>> pretty confident in my read of this, but it is, of course,
>> difficult to say that "all options have been explored and it is
>> not possible".
> 
> AJP is definitely a cleartext protocol, and offers no encryption 
> capabilities. If you want to secure it, you will have to use some
> tunneling technology such as a VPN, stunnel, etc.
> 
>> First of all, am I correct in my assertion that it cannot be
>> made secure?
> 
> Theoretically, it can be made to be secure, but it would require a
> great deal of work and honestly, it's probably not worth it. The
> protocol is mature and nobody really feels like retrofitting
> encryption into it.
> 
>> And, if so, I would invite you (or us, the community!) to
>> consider modifying the documentation to state this.  Maybe
>> something like:
> 
>> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP 
>> Connector element represents a Connector component that
>> communicates with a web connector via the AJP protocol. [This is
>> an unencrypted connector, intended for use in protected
>> environments.] This is used for cases where you wish to invisibly
>> integrate Tomcat into an existing (or new) Apache installation,
>> and you want Apache to handle the static content contained in the
>> web application, and/or utilize Apache's SSL processing.
> 
> That seems reasonable. Care to provide a documentation patch?
> You'll get your name into the change log ;)
> 
> -chris
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
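The thread makes two practical points: AJP is cleartext with no encryption of its own, and an AJP connector that nothing proxies to can simply be removed from server.xml. The following Python script is an added example (not code from this thread or from the Tomcat project) that audits a server.xml for active AJP connectors and flags any that are not bound to a loopback address. It relies only on the stock Tomcat attributes visible in a default server.xml (`protocol`, `port`, `address`); the sample configurations embedded below are constructed for the example. Because `xml.etree` drops XML comments while parsing, a connector that has been commented out is naturally treated as disabled.

```python
import xml.etree.ElementTree as ET

# Addresses on which an AJP connector is reachable only from the local host.
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def ajp_connectors(server_xml: str):
    """Return one finding per active (non-commented) AJP <Connector>.

    Each finding records the port, the bound address (None means Tomcat
    binds every interface) and whether the cleartext connector is exposed
    beyond loopback.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        # Tomcat defaults the protocol attribute to HTTP/1.1 when absent;
        # both "AJP/1.3" and the AjpNioProtocol class name contain "AJP".
        protocol = connector.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue
        address = connector.get("address")
        findings.append({
            "port": connector.get("port"),
            "address": address,
            "exposed": address is None or address not in LOOPBACK,
        })
    return findings


def audit(server_xml: str):
    """Return human-readable audit lines for the AJP connectors found."""
    lines = []
    for f in ajp_connectors(server_xml):
        where = f["address"] or "all interfaces"
        if f["exposed"]:
            lines.append(
                f"WARNING: cleartext AJP connector on port {f['port']} "
                f"bound to {where}; restrict to loopback, tunnel it, or "
                f"remove it if no reverse proxy uses it")
        else:
            lines.append(
                f"OK: AJP connector on port {f['port']} bound to {where}")
    if not lines:
        lines.append("OK: no active AJP connector found")
    return lines


# Constructed sample 1: the stock AJP line, bound to every interface.
EXPOSED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample 2: AJP kept for a local reverse proxy, loopback only.
LOOPBACK_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample 3: the AJP line commented out, as the thread suggests.
DISABLED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Audit a real file: python audit_ajp.py /path/to/conf/server.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("\n".join(audit(fh.read())))
    else:
        for name, xml in (("exposed", EXPOSED_XML),
                          ("loopback", LOOPBACK_XML),
                          ("disabled", DISABLED_XML)):
            print(f"[{name}]")
            print("\n".join(audit(xml)))
```

Run it against `conf/server.xml` on each Tomcat host. A connector bound to all interfaces gets a warning because the protocol carries requests in the clear and the page's only remedies are to keep it inside a protected network, tunnel it (VPN, stunnel), or delete it when no reverse proxy speaks AJP to that Tomcat.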

