TRADING PARTNER

Thank you Mark,

My vendor supports AJP, but I don't know if they support mod_http_proxy. This is an embedded version of Tomcat 8.5 that is tightly coupled with the vendor's software and is an installed subcomponent from the vendor.

Brian Eller | Senior System Administrator
bel...@guidehouse.com
Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com
1200 South College Avenue, Suite 210 | Fort Collins, CO 80524
AceInfo is now a Guidehouse company

-----Original Message-----
From: Mark H. Wood <mw...@iupui.edu>
Sent: Thursday, May 19, 2022 6:12 AM
To: users@tomcat.apache.org
Subject: Re: Encryption of Tomcat AJP

On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote:
> CONFIDENTIAL & RESTRICTED
>
> From: Mark Thomas <ma...@apache.org>
> Subject: Re: Encryption of Tomcat AJP
>
> >On 19/05/2022 01:32, Brian Eller wrote:
> >> TRADING PARTNER
> >>
> >> Hello,
> >>
> >> I am working on a Tomcat install embedded inside a vendor
> >> product that uses Apache to pass traffic to Tomcat. My cyber security
> >> group is asking if we can encrypt all connections. Can the mod_jk
> >> protocol, AJP, be encrypted?
> >
> >No, AJP does not support encryption.
> >
> >If you want to encrypt traffic between the reverse proxy and the embedded
> >Tomcat instance I'd recommend using mod_proxy_http and proxying everything over
> >HTTPS. This requires a little more configuration to get things working.
> >
> >The main thing to keep in mind is to make sure that the Tomcat instance
> >correctly identifies whether the client connection to the reverse proxy was
> >over HTTP or HTTPS.
> >
> >Mark
>
> I totally agree this is an existing and sufficient mechanism already
> available. And I see it popping up in more and more locations.
> But as you point out there are some caveats that potentially open security
> risks. On the contrary, AJP - maybe because it cannot be configured with
> encryption - looks simple and straightforward.
>
> Would it make sense to create a solution with fewer caveats and up-to-date
> security requirements?

If the OP's cyber security group insists, then maybe they would care
to give him their requirements and suggestions for setting up IPSEC.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
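
Added example, not part of the thread and not any participant's configuration: a sketch of the mod_proxy_http-over-HTTPS setup recommended above, including the header that lets Tomcat tell whether the client reached the reverse proxy over HTTP or HTTPS. All host names, addresses, ports and file paths are assumptions.

```apache
# Added example; host names, addresses, ports and file paths are assumptions.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
#
# Before: cleartext AJP between httpd and Tomcat via mod_jk, for example
#   JkMount /app/* worker1

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.org.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.org.key

    # TLS on the httpd -> Tomcat hop, with the backend certificate verified.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.pem

    # Tell Tomcat which scheme the client used. "set" replaces any
    # X-Forwarded-Proto value supplied by the client itself.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        "/app" "https://tomcat.internal.example:8443/app"
    ProxyPassReverse "/app" "https://tomcat.internal.example:8443/app"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.org
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.pem

    # The backend hop is still HTTPS, but the client connection was not.
    RequestHeader set X-Forwarded-Proto "http"

    ProxyPass        "/app" "https://tomcat.internal.example:8443/app"
    ProxyPassReverse "/app" "https://tomcat.internal.example:8443/app"
</VirtualHost>

# Tomcat side (server.xml), shown here as a comment. The valve applies the
# header only to requests arriving from an address matching internalProxies,
# and sets request.isSecure() / getScheme() from it:
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          internalProxies="10\.0\.0\.5"
#          protocolHeader="X-Forwarded-Proto" />
```

Without the valve, a Tomcat HTTPS connector reports every proxied request as secure, including those the client sent to port 80 in cleartext.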