tomcat-users mailing list archives

From "Mark A. Claassen" <MClaas...@ocie.net>
Subject RE: Security of AJP
Date Thu, 01 Mar 2018 16:20:29 GMT
Thanks everyone for your feedback.  I am the one who unknowingly opened this can of worms.
:)

It seems like there is a bit of momentum for altering the documentation, so I thought I would
offer something that incorporated some of these suggestions.  I left out the part about "why"
one would use a reverse proxy.  Maybe it should be referenced here, but that seems like
a higher-level topic that might be more appropriate somewhere else.  (If it doesn't
fit anywhere else either, I can add it back.)

---

The AJP Connector element represents a Connector component that communicates with an HTTP server
via the AJP protocol.  This is an unencrypted protocol and is therefore recommended for use
on a protected network or encrypted by some other means, like SSH tunneling.  The most common
configuration for this is when an HTTP server acts as a reverse proxy in front of one or more
Tomcat servers.  Besides being a more efficient protocol than HTTP, there are several configuration
options in this connector designed to allow Tomcat to operate as it would if it were not running
behind a reverse proxy.

---

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaassen@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect 
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and 
assumes no legal liability or responsibility for the posting. 
-----Original Message-----
From: Terence M. Bandoian [mailto:terence@tmbsw.com] 
Sent: Thursday, March 1, 2018 8:34 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat, if I comment out the AJP
>>> startup line in server.xml, will that affect anything?
>>>
>>> I still don't even understand what it's for. I have read the apache
>>> docs but it doesn't mean anything to me. Apache's description
>>> doesn't tell me anything.
>>>
>>>
>>> The AJP Connector element represents a Connector component that 
>>> communicates with a web connector via the AJP protocol. This is used 
>>> for cases where you wish to invisibly integrate Tomcat into an 
>>> existing (or new) Apache installation, and you want Apache to handle 
>>> the static content contained in the web application, and/or utilize 
>>> Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>> Is it?
> Well, it could be improved.  For example, by using the 
> widely-understood word "proxy" somewhere, or defining "web connector".
> Also by recalling that "Apache" is a huge array of various projects 
> (including Tomcat!), while "Apache HTTP Server" refers to a specific 
> web server daemon that can front-end Tomcat.  One could even link 
> "Apache HTTP Server" to 'http://httpd.apache.org/'.
>

+1.  Maybe "...communicates with an HTTP server via..." in the first
sentence?  Also, the second sentence could be greatly simplified.

-Terence Bandoian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

