> Hi,
>
> Way back to technic ;-)
Great to see that.
> When linking apache to tomcats in an untrusted network, ajp12/ajp13
> streams are in the clear.
>
> What about encrypting the stream between apache and tomcat? Something like
> DES with a known key between the two, or something like a ticket?
>
> Actually, on my site I could look at everything between APACHE and TC with
> a tool like ethereal.
>
> Moreover, we could add to mod_jk a list of URLs to encrypt, to avoid
> overloading non-sensitive URLs.
>
> What about it?
I think Dan is the authority in this, but I'll add my 2c anyway.
- it's not a bad idea - as long as it's an option
- maybe there are ways to do it without too much code change - you can use
tunnels (and you can get that done even in hardware). Cryptography is
slow and hard to implement the right way, so I would rather prefer to
use existing solutions.
- Having a group of URLs sent over a different protocol is certainly a
good thing (for example you could have the encrypted tunnel on a
different port) - and should be coordinated with the load balancing stuff
(where it can also be useful).
- BTW, SSH or SSL tunnels are very easy to set up and available to most
people.
- Probably the best contribution to resolve this problem will not be code
added to mod_jk, but documentation describing how to do that with
available tools, and maybe some way to automate it.
Costin
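One way to do what the reply suggests with existing tools, as an added example that is not from the thread or the mod_jk project: carry AJP13 over an SSH port forward and keep the mod_jk worker pointed at the loopback end of the tunnel, with a small check that no worker still talks to a remote host in the clear. The host name, account name and port below are assumptions for illustration.

```shell
#!/bin/sh
# Added example: tunnel the cleartext AJP13 link between Apache/mod_jk and
# Tomcat over SSH. TOMCAT_HOST and TOMCAT_USER are assumed values.
TOMCAT_HOST="${TOMCAT_HOST:-tomcat.internal.example}"   # assumed remote Tomcat host
TOMCAT_USER="${TOMCAT_USER:-ajp-tunnel}"                # assumed unprivileged account
AJP_PORT="${AJP_PORT:-8009}"                            # default AJP13 port

# Build the ssh command that opens the tunnel: -N (no remote shell),
# -L bound to 127.0.0.1 so only local processes (Apache) can reach the
# tunnel entry, ExitOnForwardFailure so a failed forward is not silent.
# On the Tomcat side, bind the AJP connector to 127.0.0.1 as well
# (the Connector "address" attribute in server.xml), so the only path
# to it is through the tunnel.
ajp_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$AJP_PORT" "$AJP_PORT" "$TOMCAT_USER" "$TOMCAT_HOST"
}

# mod_jk worker definition that talks to the local end of the tunnel,
# never to the remote host directly.
workers_properties() {
    cat <<EOF
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=127.0.0.1
worker.ajp13.port=$AJP_PORT
EOF
}

# Check a workers.properties file: every worker host must be 127.0.0.1,
# otherwise that worker's traffic bypasses the tunnel in the clear.
# Returns 0 when all hosts are loopback, 1 otherwise.
check_workers_loopback() {
    file="$1"
    bad=$(grep -E '^worker\.[^.]+\.host=' "$file" | grep -v -E '=127\.0\.0\.1$' || true)
    [ -z "$bad" ]
}

# Typical use: "ajp_tunnel_cmd" prints the command to run under a process
# supervisor on the Apache host; "workers_properties > workers.properties"
# writes the mod_jk side; "check_workers_loopback workers.properties"
# verifies it before Apache is restarted.
```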