On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
>
> From: Mark Thomas <ma...@apache.org>
> Subject: Re: Encryption of Tomcat AJP
>
> >On 19/05/2022 01:32, Brian Eller wrote:
> >> TRADING PARTNER
> >>
> >> Hello,
> >>
> >> I am working on a Tomcat install embedded inside a vendor
> >> product that uses Apache to pass traffic to Tomcat. My cyber security
> >> group is asking if we can encrypt all connections. Can the mod_jk
> >> protocol, AJP, be encrypted?
> >
> >No, AJP does not support encryption.
> >
> >If you want to encrypt traffic between the reverse proxy and the embedded
> >Tomcat instance I'd recommend using mod_proxy_http and proxying everything over
> >HTTPS. This requires a little more configuration to get things working.
> >
> >The main thing to keep in mind is to make sure that the Tomcat instance
> >correctly identifies whether the client connection to the reverse proxy was
> >over HTTP or HTTPS.
> >
> >Mark
>
> I totally agree this is an existing and sufficient mechanism already
> available, and I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security
> risks. On the contrary, AJP - maybe because it cannot be configured with
> encryption - looks simple and straightforward.
>
> Would it make sense to create a solution with fewer caveats and up-to-date
> security requirements?
If the OP's cyber security group insists, then maybe they would care to give him their requirements and suggestions for setting up IPsec.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
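The setup Mark Thomas recommends above, written out as an added example (it is not part of the thread and not the Tomcat project's own documentation; host names, addresses, ports and keystore paths are assumed values). On the httpd side the relevant directives are `SSLProxyEngine on`, `SSLProxyCACertificateFile` pointing at the CA that issued Tomcat's certificate, `SSLProxyVerify require` and `SSLProxyCheckPeerName on` so httpd actually authenticates the Tomcat it talks to, `ProxyPass / https://tomcat.internal:8443/` plus the matching `ProxyPassReverse`, and `RequestHeader set X-Forwarded-Proto "https"` in the :443 virtual host (and `"http"` in the :80 one). `RequestHeader set` overwrites any `X-Forwarded-Proto` a client sends, so the header reaching Tomcat is httpd's verdict, not the client's. mod_proxy adds `X-Forwarded-For` on its own. The Tomcat side, which is where the "does Tomcat know the client used HTTPS" caveat is handled, is below:

```xml
<!-- Added example (not from the thread): Tomcat server.xml fragments for the
     mod_proxy_http-over-HTTPS setup. 10.0.0.5 is the assumed Tomcat address,
     10.0.0.1 the assumed httpd address; keystore path/password are placeholders. -->

<!-- 1. Encrypted hop from httpd to Tomcat: an HTTPS connector bound only to
        the address httpd reaches Tomcat on. With this in place the plaintext
        HTTP connector and the AJP connector can be removed from server.xml. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           address="10.0.0.5"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="conf/tomcat.p12"
                 certificateKeystorePassword="changeit"
                 certificateKeystoreType="PKCS12"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>

<!-- 2. Client-scheme detection. Without this valve every request looks like
        HTTPS to the webapp (it arrived on the 8443 connector), so a request
        that reached httpd over plain HTTP would still get secure cookies,
        https:// redirects and isSecure()==true. RemoteIpValve rewrites
        getScheme(), isSecure(), getServerPort() and getRemoteAddr() from the
        X-Forwarded-* headers, but only when the immediate peer's address
        matches internalProxies; headers from any other peer are ignored, so a
        host that can reach 8443 directly cannot forge "X-Forwarded-Proto". -->
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="10\.0\.0\.1"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"
           httpServerPort="80"
           httpsServerPort="443"/>
  </Host>
</Engine>
```

Check it from a webapp with `request.getScheme()`, `request.isSecure()` and `request.getRemoteAddr()` for one request made to httpd over HTTP and one over HTTPS: the first should report `http`/`false`, the second `https`/`true`, and both should show the real client address rather than 10.0.0.1. If you later move httpd or add a second proxy, `internalProxies` must be updated; a proxy that is not listed is treated as an ordinary client and its forwarded headers are dropped.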