tomcat-users mailing list archives

From "Mark A. Claassen" <>
Subject RE: Security of AJP
Date Thu, 01 Mar 2018 16:20:29 GMT
Thanks everyone for your feedback.  I am the one who unknowingly opened this can of worms.

It seems like there is a bit of momentum for altering the documentation, so I thought I would
offer something that incorporated some of these suggestions.  I left out the part about "why"
one would use a reverse proxy.  Maybe it should be referenced here, but that seems like
a higher-level topic that might be more appropriate somewhere else.  (If it doesn't
fit anywhere else either, I can add it back.)


The AJP Connector element represents a Connector component that communicates with an HTTP server
via the AJP protocol.  This is an unencrypted protocol and is therefore recommended for use
on a protected network or encrypted by some other means, like SSH tunneling.  The most common
configuration for this is when an HTTP server acts as a reverse proxy in front of one or more
Tomcat servers.  Besides being a more efficient protocol than HTTP, there are several configuration
options in this connector designed to allow Tomcat to operate as it would if it were not running
behind a reverse proxy.


Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
Voice: (574)232-3784
Fax: (574)232-4014

The opinions provided herein do not necessarily state or reflect 
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and 
assumes no legal liability or responsibility for the posting. 
-----Original Message-----
From: Terence M. Bandoian [] 
Sent: Thursday, March 1, 2018 8:34 AM
To: Tomcat Users List <>
Subject: Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> Chris,
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat; If I comment out the AJP 
>>> startup line in server.xml will that affect anything.
>>> I still don't even understand what it's for. I have read the apache 
>>> docs but it doesn't mean anything to me.. Apache's description 
>>> doesn't tell me anything.
>>> The AJP Connector element represents a Connector component that 
>>> communicates with a web connector via the AJP protocol. This is used 
>>> for cases where you wish to invisibly integrate Tomcat into an 
>>> existing (or new) Apache installation, and you want Apache to handle 
>>> the static content contained in the web application, and/or utilize 
>>> Apache's SSL processing.
>>> That is mumbo jumbo.
>> Is it?
> Well, it could be improved.  For example, by using the 
> widely-understood word "proxy" somewhere, or defining "web connector".
> Also by recalling that "Apache" is a huge array of various projects 
> (including Tomcat!), while "Apache HTTP Server" refers to a specific 
> web server daemon that can front-end Tomcat.  One could even link 
> "Apache HTTP Server" to ''.

+1.  Maybe "...communicates with an HTTP server via..." in the first
sentence?  Also, the second sentence could be greatly simplified.

-Terence Bandoian

To unsubscribe, e-mail:
For additional commands, e-mail: