Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not
> secure, and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and
> such, but I cannot find it directly stated anywhere. I am pretty
> confident in my read of this, but it is, of course, difficult to
> say that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption
capabilities. If you want to secure it, you will have to use some
tunneling technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made
> secure?

Theoretically, it can be made to be secure, but it would require a
great deal of work and honestly, it's probably not worth it. The
protocol is mature and nobody really feels like retrofitting
encryption into it.

> And, if so, I would invite you (or us, the community!) to consider
> modifying the documentation to state this. Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that
> communicates with a web connector via the AJP protocol. [This is an
> unencrypted connector, intended for use in protected environments.]
> This is used for cases where you wish to invisibly integrate Tomcat
> into an existing (or new) Apache installation, and you want Apache
> to handle the static content contained in the web application,
> and/or utilize Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch?
You'll get your name into the change log ;)

-chris
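
Added example, not part of the original message or of Tomcat's own tooling: since the thread establishes that AJP carries no encryption, this check scans a `server.xml` for AJP connectors that are not bound to loopback and therefore need a protected network or a tunnel. The sample XML, the function names, and the reporting of a missing `address` attribute as `*` are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from the thread).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8011" address="10.0.0.5"
               protocol="org.apache.coyote.ajp.AjpNioProtocol" />
  </Service>
</Server>
"""


def is_ajp(protocol):
    """True for the AJP/1.3 alias or an explicit org.apache.coyote.ajp.* class."""
    return protocol.upper().startswith("AJP/") or ".ajp." in protocol


def is_loopback(address):
    """True when the bind address keeps AJP traffic on the local host."""
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # other hostname: treat as reachable off-host


def exposed_ajp_connectors(server_xml):
    """Return (port, address) for AJP connectors not pinned to loopback."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        address = conn.get("address")
        # Assumption: no address attribute is reported as "*", because the
        # connector may then listen on every interface (Tomcat-version dependent).
        if address is None or not is_loopback(address):
            findings.append((conn.get("port"), address or "*"))
    return findings


if __name__ == "__main__":
    for port, address in exposed_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"cleartext AJP reachable off-host: {address}:{port}")
```

Each connector it reports is one where the cleartext AJP stream can leave the host, which is where the VPN or stunnel wrapping mentioned above applies.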