...
It is not that I am wedded to any particular implementation, it is just each
change requires board approval.
A change for reconfiguring the enabled modules in Apache. [we can skip this if
we stay with mod_proxy_ajp, as it was already approved]
A change for opening up a port on the Apache box
Personally, in such a case I would see the solution with an SSH or VPN tunnel as much
simpler to put in place, and requiring much less "opening of ports".
You have 2 machines: A running httpd, B running Tomcat.
In machineA, you have a mod_jk setup which says something like

    worker.worker1.host=machineB.mydomain.com
    worker.worker1.port=8009

So let's say you change this to

    worker.worker1.host=localhost
    worker.worker1.port=8009

and you set up an SSH or VPN tunnel on localhost, listening on port 8009 and accepting
connections only from localhost. This tunnel connects to machine B, where the receiving
end forwards the data to localhost:8009 on B.
On machine A, you have not opened an additional port (at least not one accessible from
outside of machine A).
On machine B, in all likelihood the SSH port is already open (and if not, you could have
it listen on an arbitrary port, but accepting connections only from machine A).
All the changes are transparent to Apache (apart from the above 1 line) and to Tomcat
(entirely).
And you save yourself the hassle of setting up mod_proxy_http on Apache, and an HTTPS
Connector on Tomcat, with all the baggage attached to it.
And you may save yourself changes in your authentication setup, since it will continue to
use AJP and pass the user credentials as it does right now.
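
The tunnel described in the message above, as an added example that is not part of the original e-mail: the ssh invocation for machine A, plus a check that the forwarded AJP port is reachable only on loopback. The account name "ajptunnel" and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Hosts and port 8009 come from the message above; the account
# name "ajptunnel" is an assumption.

# Print the ssh command to run on machine A. -N: no remote command. The explicit
# 127.0.0.1 bind address keeps the listener on loopback whatever GatewayPorts
# says. ExitOnForwardFailure: exit rather than run without the forward.
tunnel_cmd() {
    printf '%s %s\n' "ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30" \
        "-L 127.0.0.1:8009:127.0.0.1:8009 ajptunnel@machineB.mydomain.com"
}

# Read `ss -ltnH` output on stdin and classify the listeners on port $1.
# Prints "loopback-only", "exposed" or "not-listening".
check_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]          # port is the last field
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed sample: machine A with the tunnel up as described.
SAMPLE_TUNNEL='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8009 0.0.0.0:*
LISTEN 0 128 [::1]:8009 [::]:*
LISTEN 0 511 *:443 *:*'

# Constructed sample: the forward was bound to every interface by mistake.
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:8009 0.0.0.0:*'

tunnel_cmd
# Demo on the constructed samples; on a live host: ss -ltnH | check_listener 8009
printf '%s\n' "$SAMPLE_TUNNEL"   | check_listener 8009   # loopback-only
printf '%s\n' "$SAMPLE_WILDCARD" | check_listener 8009   # exposed
```

The same check run on machine B against Tomcat's AJP port shows whether the connector is still reachable from other hosts once the tunnel is in place.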