Jürgen,

On 3/5/20 01:59, "Jürgen Göres" wrote:
>
> Hi,
>
>>> If it is, what is the recommended mitigation? We consider using
>>> the "secret" feature (the filtering by request attributes is
>>> infeasible for us), but that would be a bit of effort and we
>>> are in a hurry.
>>>
>>
>> We're in the same position as you. External web servers talking
>> to Tomcat servers on other boxes via AJP.
>>
>> We've looked at a few options, none of which seemed great:
>>
>> * The current stable version of Apache doesn't support the
>> 'secret' attribute for AJP connectors in mod_proxy.
>
> We will use the "secret" approach. Since we use mod_jk, which
> supports it, this will offer the least trouble when deploying in
> customer environments. We will generate a random secret for each
> Tomcat instance.

Uhh. That will be a serious management headache.

> Since our apps already register in our service registry, we can
> just add the secret there. Our Apache HTTPD, or rather a little
> tooling we wrote for it that generates the Apache config from
> information in the registry, can pick up the secret from there as
> well.

Interesting. So less of a headache. Still.

I would highly recommend that the entire world migrate away from AJP.
It's just a magic protocol which nobody understands and does not need
to exist anymore.
-chris
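The per-instance random secret Jürgen describes, together with Chris's point that it then has to be kept consistent on both sides, as an added example that is not part of the thread or of Tomcat or mod_jk: a POSIX shell snippet that mints one secret, renders the Tomcat AJP `<Connector>` and the matching mod_jk `workers.properties` entry, and checks that the two fragments carry the same value before they are pushed to a customer environment. Worker name, host, port, bind address and file names are illustrative assumptions; `secret`/`secretRequired` on the connector and `worker.<name>.secret` in mod_jk are the real attribute names.

```shell
#!/bin/sh
# Added example, not code from the thread: one random AJP secret per Tomcat
# instance, rendered into both the Tomcat connector and the mod_jk worker,
# then cross-checked. Worker name, host, port and paths are assumptions.
set -eu

# 32 random bytes from /dev/urandom as 64 lowercase hex characters.
# Hex needs no escaping in an XML attribute or a .properties value, so the
# same string can be pasted into both files unchanged.
gen_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# server.xml fragment. Bind AJP only to the interface the web server uses,
# require a secret, and reject connections that do not present it.
# (secretRequired is understood by Tomcat 7.0.100, 8.5.51, 9.0.31 and later.)
render_tomcat_connector() {
    secret=$1
    bind_addr=${2:-127.0.0.1}
    printf '<Connector protocol="AJP/1.3"\n'
    printf '           address="%s"\n' "$bind_addr"
    printf '           port="8009"\n'
    printf '           redirectPort="8443"\n'
    printf '           secretRequired="true"\n'
    printf '           secret="%s" />\n' "$secret"
}

# workers.properties fragment for mod_jk. worker.<name>.secret must equal
# the connector's secret, otherwise Tomcat drops the request.
render_jk_worker() {
    name=$1 host=$2 port=$3 secret=$4
    printf 'worker.list=%s\n' "$name"
    printf 'worker.%s.type=ajp13\n' "$name"
    printf 'worker.%s.host=%s\n' "$name" "$host"
    printf 'worker.%s.port=%s\n' "$name" "$port"
    printf 'worker.%s.secret=%s\n' "$name" "$secret"
}

# Pull the secret back out of each rendered file...
secret_from_connector() {
    sed -n 's/.*secret="\([^"]*\)".*/\1/p' "$1"
}
secret_from_worker() {
    sed -n 's/^worker\.[^.]*\.secret=//p' "$1"
}

# ...and refuse to deploy unless both files name the same, non-empty secret.
# Returns 0 on match, 1 otherwise.
check_pair() {
    a=$(secret_from_connector "$1")
    b=$(secret_from_worker "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: generate, render both sides for one instance, verify.
demo() {
    dir=$(mktemp -d)
    s=$(gen_secret)                       # a fresh secret for this one instance
    render_tomcat_connector "$s" 10.0.0.5 > "$dir/ajp-connector.xml"
    render_jk_worker app1 10.0.0.5 8009 "$s" > "$dir/workers.properties"
    if check_pair "$dir/ajp-connector.xml" "$dir/workers.properties"; then
        echo "secrets match; fragments in $dir"
    else
        echo "secret mismatch, do not deploy" >&2
        return 1
    fi
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run as `sh ajp-secret.sh demo`. When the secret is distributed through a registry, as in Jürgen's setup, `check_pair` is the step worth keeping in the deployment tooling: a stale entry on either side fails closed (Tomcat rejects the request) rather than open, so catching the mismatch before rollout avoids an outage instead of a breach.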