On 23/02/2011 15:32, Christopher Schultz wrote:
> Mladen,
>
> On 2/23/2011 3:00 AM, Mladen Turk wrote:
>> What do you think happens when encrypted data from client comes in and
>> is encrypted again and sent to the client?
>> It's unencrypted in the memory and anyone with access to the box
>> can just inspect the content of the httpd process in the same way
>> it can read the data on the socket.
>> So since persons who are authorized to login to the Apache and Tomcat
>> box have the option to view the data, your entire security is still
>> human based.
>
> I think he's talking about network sniffing (like another node on the
> network operating in promiscuous mode), not an untrusted box administrator.
>
>> That's why I see no point of encrypting the data transfer
>> between those boxes because you can just as well make sure the proper
>> persons have the network access.
>
> I certainly agree with this.
>
> Anyhow, to answer the OP's question, there are really three options:
>
> 1. SSH tunnel
>
> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
> necessary while ssh generally won't).
>
> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
> indicated settings.
>
> These options are roughly in order of performance from best to worst:
> setting up an HTTPS connection is expensive and I'm not entirely sure
> how mod_proxy_http does connections, but I suspect it creates and
> tears down for each request (i.e. no keepalives, or at least limited ones).
>
> Encrypted VPNs are simply more complicated than an SSH tunnel and
> require slightly more overhead. An SSH tunnel is dead simple and only
> negotiates a symmetric key once at connect time (okay, and then
> re-negotiates at intervals) but lacks the robustness of a VPN.
I disagree with that assessment. mod_proxy_http is by far the simplest way to go and it does use keep-alive.

Mark
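For readers who want to see what option 3 looks like in practice, here is an added httpd configuration fragment. It is not from the thread and not "Mark's indicated settings"; the module paths, the backend hostname tomcat.internal.example, port 8443, the /app context and the CA file path are all assumptions. It shows the parts that matter for the security point under discussion: the proxy side of TLS must be switched on, the Tomcat certificate must actually be verified (otherwise a sniffer on the segment can be upgraded to an active man-in-the-middle), and backend connections are pooled so the TLS handshake is not repeated per request.

```apache
# Added example, not part of the original thread.
# httpd front end proxying to Tomcat over HTTPS with mod_proxy_http.
# Module paths, hostnames, ports and file paths are assumptions.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

# Enable the client (outbound) side of mod_ssl; without this an https://
# ProxyPass target fails outright.
SSLProxyEngine On

# Do not let the proxy negotiate the legacy SSL protocol versions.
SSLProxyProtocol all -SSLv2 -SSLv3

# Verify Tomcat's certificate against a CA we control. Without
# SSLProxyVerify the link is encrypted but unauthenticated, so a host on
# the same segment could impersonate Tomcat instead of merely sniffing.
SSLProxyVerify            require
SSLProxyVerifyDepth       2
SSLProxyCACertificateFile /etc/httpd/ssl/tomcat-ca.crt
# Also check that the certificate's CN matches the backend hostname
# (SSLProxyCheckPeerName supersedes this directive in httpd 2.4.5+).
SSLProxyCheckPeerCN on

# Persistent connections to the backend are the mod_proxy_http default,
# so the TLS handshake is paid once per pooled connection, not per request.
# keepalive=On sends TCP keepalive probes so an idle pooled connection is
# not silently dropped by a firewall between the two boxes; ttl=60 retires
# pooled connections that have been idle for a minute.
ProxyPass        /app https://tomcat.internal.example:8443/app keepalive=On ttl=60
ProxyPassReverse /app https://tomcat.internal.example:8443/app
```

On the Tomcat side this assumes an HTTPS Connector listening on 8443 whose server certificate chains to the CA in tomcat-ca.crt. Omitting SSLProxyVerify (or leaving it at the default "none") is the common mistake: the traffic still looks encrypted on the wire, but httpd will happily talk to whoever answers on 8443.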