Chris,

On Tuesday, 14.04.2020, at 10:56 -0400, Christopher Schultz wrote:
> Frank,
>
> On 4/12/20 10:20, Frank Tornack wrote:
> > It is possible to replace AJP with normal HTTP or HTTPS.
> >
> > AJP has an advantage, it needs less bandwidth.
>
> Reference?

https://marc.info/?l=tomcat-user&m=123404294317780
I think AJP has less overhead.

> > But it shouldn't make too much difference with today's computer
> > networks. If you need the bandwidth advantage, you can certainly
> > use the module ModSecurity for Apache HTTPD to protect your
> > application server. But an advanced solution would be to protect
> > AJP with the IPTables firewall. AJP is mostly used in conjunction
> > with HTTPD and if you only allow access to these, it should be
> > pretty secure.
>
> While a firewall (iptables) can be used to protect AJP, a much better
> solution would be mutually-authenticated stunnel. Even better, switch
> to mutually-authenticated https, which doesn't require a separate
> package to add the security layer.

Why not both?

> -chris
>
> > On Friday, 10.04.2020, at 15:45 +0000, David Cleary wrote:
> > > Some of our customers are currently using the AJP connector.
> > > Given the vulnerability and breaking change to address it, now
> > > may be a good time to prompt them to look at alternatives. One
> > > requirement is HTTPS support. What are the alternatives when
> > > hosting Tomcat behind Apache httpd, nginx, or IIS? I do remember
> > > a presentation I thought was pretty good at ApacheCon in Miami on
> > > connectors a few years ago. Has there been anything new that has
> > > come out since then? Are there any recommendations on what is
> > > best to replace AJP13?
> > >
> > > Thanks
> > > Dave
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org