On 29/05/2012 17:30, John Renne wrote:
>
>> Anyone who considers AJP a secure protocol is clearly clueless when
>> it comes to security.
>>
> Anyone that thinks he can judge security without knowing any of the
> requirements is plain wrong. As I wrote in a previous answer. It all
> depends on req
> Anyone who considers AJP a secure protocol is clearly clueless when it comes
> to security.
>
Anyone that thinks he can judge security without knowing any of the
requirements is plain wrong. As I wrote in a previous answer. It all depends on
requirements and what you want to accomplish.
Jo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Al,
On 5/28/12 1:35 AM, al so wrote:
> It would be nice if I can hear from someone who has done such
> familiar setup. Have you seen any performance issues in setting up
> SSL both at Tomcat and Apache?
As Aristedes states: only you know your environ
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Al,
On 5/27/12 2:43 PM, al so wrote:
> I've used standalone Tomcat to serve as web server+SSL+web
> container in the past.
>
> Now, I am trying to front Tomcat with apache reverse proxy+SSL.
>
> 1. Is it not redundant to configure the SSL in the Tom
John Renne wrote:
>Can I ask you what you consider insecure about AJP by the way?
AJP is, apart from some simple encoding of a few headers which are easily
decoded, a plain text protocol. There is zero encryption. Hence it is not
secure.
I suggest you read the AJP protocol definition in the d
> What is the typical setup in the enterprise apps? Do they just SSL
> terminate at the reverse proxy OR do they setup SSL at both apache and
> tomcat? In the former case, obviously the link is insecure between apache
> and tomcat.
>
The most common setup I've seen is to terminate the SSL connect
What is the typical setup in the enterprise apps? Do they just SSL
terminate at the reverse proxy OR do they setup SSL at both apache and
tomcat? In the former case, obviously the link is insecure between apache
and tomcat.
seeking pretty basic clarification..
On Mon, May 28, 2012 at 12:30 AM, A
What problem are you trying to solve by doing this? It seems to serve little
purpose. Decrypt the traffic from the browser using Apache httpd, then
re-encrypt the data and pass it onto tomcat. Why? I am sure it will work fine,
but your performance will depend on the traffic you have. No one can
It would be nice if I can hear from someone who has done such familiar
setup. Have you seen any performance issues in setting up SSL both at
Tomcat and Apache? Do you use same keys/certs at both Tomcat and Apache?
On Sun, May 27, 2012 at 11:43 AM, al so wrote:
> I've used standalone Tomcat to se
On May 28, 2012, at 12:11 AM, al so wrote:
> Well, AJP is not SSL. So, the link is insecure between rev proxy and tomcat
> if you don't use SSL.
It all depends on what your requirements are. If a binary protocol will you,
you can use AJP. If you don't consider it secure, you can choose to go fo
Well, AJP is not SSL. So, the link is insecure between rev proxy and tomcat
if you don't use SSL.
On Sun, May 27, 2012 at 3:02 PM, John Renne wrote:
>
> > How about the security concerns in having HTTP between reverse proxy and
> > Tomcat?
> >
> You don't you can use AJP between HTTP and Tomcat
> How about the security concerns in having HTTP between reverse proxy and
> Tomcat?
>
You don't you can use AJP between HTTP and Tomcat.
John
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional comma
How about the security concerns in having HTTP between reverse proxy and
Tomcat?
On Sun, May 27, 2012 at 11:47 AM, John Renne wrote:
> >
> > Now, I am trying to front Tomcat with apache reverse proxy+SSL.
> > 1. Is it not redundant to configure the SSL in the Tomcat as well when
> the
> > fronti
>
> Now, I am trying to front Tomcat with apache reverse proxy+SSL.
> 1. Is it not redundant to configure the SSL in the Tomcat as well when the
> fronting reverse proxy is already configured to handle SSL.
>I see lot of posts on the internet which configure SSL at both Tomcat
> and Reverse pr
14 matches
Mail list logo
