From: Christopher Schultz <chris@christopherschultz.net>
To: users@tomcat.apache.org
Subject: Re: Security of AJP
Date: Wed, 28 Feb 2018 09:25:53 -0500
Message-ID: <75bb5515-3e53-32ab-ad8a-ed20c0bb17a0@christopherschultz.net>
In-Reply-To: <002601d3b099$a1746100$e45d2300$@philasd.org>
References: <4d9f4d14-3383-e6ee-cca6-7cd2ec0829ef@christopherschultz.net> <002601d3b099$a1746100$e45d2300$@philasd.org>
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm

Chris,

On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> Since AJP is not really needed by Tomcat; if I comment out the AJP
> startup line in server.xml, will that affect anything?
>
> I still don't even understand what it's for. I have read the Apache
> docs but it doesn't mean anything to me. Apache's description
> doesn't tell me anything.
>
>   The AJP Connector element represents a Connector component that
>   communicates with a web connector via the AJP protocol. This is
>   used for cases where you wish to invisibly integrate Tomcat into an
>   existing (or new) Apache installation, and you want Apache to
>   handle the static content contained in the web application, and/or
>   utilize Apache's SSL processing.
>
> That is mumbo jumbo.

Is it? Lots of things sound like "mumbo jumbo" if you have no basic
understanding of the topic. I'm sure I wouldn't be able to understand a
description of reverse-transcriptase inhibitors if I had never heard of
the germ theory of medicine or DNA. But that doesn't make it "mumbo
jumbo".

Documentation always requires a basic understanding of the topic before
you begin. You can't learn English from scratch by simply picking up a
dictionary and reading it start to finish. That description above is
intended to be read by people who need to connect servers together, and
already understand the ideas behind the mechanisms required to do such
a thing.

AJP is a communications protocol (the third letter, P, stands for
"protocol", just like in HTTP). Like HTTP, it carries web requests
between two endpoints where one is the client and the other is the
server.

The AJP Connector is a Connector (you have to understand what Tomcat
means by "connector", here) that uses the AJP protocol (instead of
HTTP). It only makes sense to use AJP with clients who can speak it. AJP
is really only useful between reverse-proxies (you have to understand
what a reverse-proxy is, here) and Tomcat or other Java-based app
servers.

If you don't understand any of these things, you generally don't have
to worry about them. If you don't need a reverse-proxy, you don't need
AJP or the connector that speaks it.
-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not
>> secure, and is meant to be used in a protective environment.
>> There are lots of things that imply this, like no SSL settings
>> and such, but I cannot find it directly stated anywhere. I am
>> pretty confident in my read of this, but it is, of course,
>> difficult to say that "all options have been explored and it is
>> not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption
> capabilities. If you want to secure it, you will have to use some
> tunneling technology such as a VPN, stunnel, etc.
>
>> First of all, am I correct in my assertion that it cannot be
>> made secure?
>
> Theoretically, it can be made to be secure, but it would require a
> great deal of work and honestly, it's probably not worth it. The
> protocol is mature and nobody really feels like retrofitting
> encryption into it.
>
>> And, if so, I would invite you (or us, the community!) to
>> consider modifying the documentation to state this. Maybe
>> something like:
>>
>> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
>>
>>   The AJP Connector element represents a Connector component that
>>   communicates with a web connector via the AJP protocol. [This is
>>   an unencrypted connector, intended for use in protected
>>   environments.] This is used for cases where you wish to invisibly
>>   integrate Tomcat into an existing (or new) Apache installation,
>>   and you want Apache to handle the static content contained in the
>>   web application, and/or utilize Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch?
> You'll get your name into the change log ;)
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
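Added example (editor's addition, not code from the thread participants or from the Tomcat project): the thread makes two practical points, that AJP is cleartext with no encryption of its own, and that commenting the connector out of server.xml is the right move when no reverse proxy needs it. The script below audits a server.xml for AJP connectors that are still enabled and checks whether each one is bound to an address that only a local proxy can reach. The server.xml content it parses is constructed for the example; `audit_ajp` and `exposed_ajp_ports` are names chosen here, not Tomcat APIs.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable from the network.

Added example for the "Security of AJP" thread, not code from the Tomcat
project or from any participant. AJP carries requests in cleartext and has
no encryption of its own, so an AJP connector should either be disabled
(commented out of server.xml) or bound to an address only the local reverse
proxy can reach. The server.xml below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the stock HTTP connector, the stock AJP
# connector line (no address attribute), one AJP connector pinned to loopback,
# and one AJP connector that has been commented out.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               address="127.0.0.1" redirectPort="8443" />
    <!-- <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Bind addresses from which only processes on the same host can connect.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def is_ajp_connector(connector):
    """True for protocol="AJP/1.3" and for the explicit AJP implementation classes."""
    protocol = connector.get("protocol", "HTTP/1.1")  # Tomcat's default when unset
    return protocol.startswith("AJP/") or ".coyote.ajp." in protocol


def audit_ajp(server_xml):
    """Return (port, bind_address, exposed) for each enabled AJP connector.

    Connectors inside XML comments never reach the parser, which is why
    commenting the line out in server.xml is a complete way to turn AJP off.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        if not is_ajp_connector(connector):
            continue
        port = connector.get("port")
        # With no address attribute Tomcat listens on every local interface.
        address = connector.get("address", "0.0.0.0")
        exposed = address not in LOOPBACK_ADDRESSES
        findings.append((port, address, exposed))
    return findings


def exposed_ajp_ports(server_xml):
    """Ports on which cleartext AJP is reachable from beyond the local host."""
    return [port for port, _, exposed in audit_ajp(server_xml) if exposed]


if __name__ == "__main__":
    for port, address, exposed in audit_ajp(SAMPLE_SERVER_XML):
        state = ("EXPOSED: cleartext AJP reachable from the network" if exposed
                 else "ok: loopback only")
        print(f"AJP connector on port {port} bound to {address}: {state}")
```

Run it against the real file with `audit_ajp(open("conf/server.xml").read())`. A loopback binding only helps when the reverse proxy runs on the same host; if the proxy is on another machine, the connector has to listen on a routable address and the thread's advice applies: put the link inside a VPN or stunnel, because the bind address does nothing for confidentiality on the wire. Later Tomcat releases (9.0.31, 8.5.51 and 7.0.100 onward, after this thread) also added a `secretRequired`/`secret` pair to the AJP connector and changed its default bind address to loopback; that authenticates the proxy but still does not encrypt the traffic.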