Chris and Chris

-----Original Message-----
> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
> Sent: Wednesday, February 28, 2018 8:40 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: Security of AJP
>
> Since AJP is not really needed by Tomcat, if I comment out the AJP startup
> line in server.xml will that affect anything?
>
> I still don't even understand what it's for.
> I have read the Apache docs but it doesn't mean anything to me.
> Apache's description doesn't tell me anything.
>
> The AJP Connector element represents a Connector component that communicates
> with a web connector via the AJP protocol. This is used for cases where you
> wish to invisibly integrate Tomcat into an existing (or new) Apache
> installation, and you want Apache to handle the static content contained in
> the web application, and/or utilize Apache's SSL processing.
>
> That is mumbo jumbo.

Perhaps if "Apache" were replaced with "Apache web server (httpd)" in the documentation, that would clarify things.

> ===========================
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> Work # 215-400-5025
> Cell # 215-301-6571
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> > From what I have read, it seems that the AJP connector is not secure,
> > and is meant to be used in a protective environment.
> > There are lots of things that imply this, like no SSL settings and
> > such, but I cannot find it directly stated anywhere. I am pretty
> > confident in my read of this, but it is, of course, difficult to say
> > that "all options have been explored and it is not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption
> capabilities. If you want to secure it, you will have to use some tunneling
> technology such as a VPN, stunnel, etc.
>
> > First of all, am I correct in my assertion that it cannot be made
> > secure?
>
> Theoretically, it can be made to be secure, but it would require a great deal
> of work and honestly, it's probably not worth it. The protocol is mature and
> nobody really feels like retrofitting encryption into it.
>
> > And, if so, I would invite you (or us, the community!) to consider
> > modifying the documentation to state this. Maybe something like:
> >
> > https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> > The AJP Connector element represents a Connector component that communicates
> > with a web connector via the AJP protocol. [This is an unencrypted
> > connector, intended for use in protected environments.] This is used
> > for cases where you wish to invisibly integrate Tomcat into an
> > existing (or new) Apache installation, and you want Apache to handle
> > the static content contained in the web application, and/or utilize
> > Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch? You'll get your
> name into the change log ;)
>
> -chris

--
Cris Berneburg, Lead Software Engineer
CACI, IRMA Project
phone: 703-679-5313
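An added audit check, not part of the thread or of Tomcat itself: it parses a Tomcat server.xml and reports every AJP connector that is still enabled, and whether it is bound beyond the loopback interface, which is the situation the thread treats as a risk because AJP carries no encryption. It assumes the standard Connector `address` attribute and uses constructed server.xml samples; it also goes slightly beyond the thread by treating a connector that is kept but bound to loopback as not exposed.

```python
"""Audit a Tomcat server.xml for AJP connectors that are enabled and reachable
beyond the loopback interface. AJP is a cleartext protocol, so the thread's
advice is to comment the connector out or keep it inside a protected network."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Bind addresses that keep the connector reachable from the local host only.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def find_ajp_connectors(server_xml: str) -> List[Tuple[str, str, bool]]:
    """Return (port, bind address, exposed) for every live AJP connector.

    A connector inside an XML comment is never parsed, which is exactly what
    commenting out the line in server.xml achieves."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Matches both the short form "AJP/1.3" and fully qualified
        # protocol handler class names that contain "ajp".
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "")
        # Assumption: the standard Connector 'address' attribute; when it is
        # absent Tomcat binds the port on every interface.
        address = conn.get("address", "0.0.0.0")
        found.append((port, address, address not in LOOPBACK))
    return found


# Constructed sample: AJP enabled on all interfaces alongside the HTTP connector.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: the same file with the AJP line commented out, as the
# thread suggests when no httpd front end needs it.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml in (("default", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, find_ajp_connectors(xml))
```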