Posted to users@tomcat.apache.org by "Terence M. Bandoian" <te...@tmbsw.com> on 2018/03/01 13:34:26 UTC

Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat, if I comment out the AJP
>>> startup line in server.xml, will that affect anything?
>>>
>>> I still don’t even understand what it’s for. I have read the Apache
>>> docs but it doesn’t mean anything to me. Apache's description
>>> doesn't tell me anything.
>>>
>>>
>>> The AJP Connector element represents a Connector component that
>>> communicates with a web connector via the AJP protocol. This is
>>> used for cases where you wish to invisibly integrate Tomcat into an
>>> existing (or new) Apache installation, and you want Apache to
>>> handle the static content contained in the web application, and/or
>>> utilize Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>> Is it?
> Well, it could be improved.  For example, by using the
> widely-understood word "proxy" somewhere, or defining "web connector".
> Also by recalling that "Apache" is a huge array of various projects
> (including Tomcat!), while "Apache HTTP Server" refers to a specific
> web server daemon that can front-end Tomcat.  One could even link
> "Apache HTTP Server" to 'http://httpd.apache.org/'.
>

+1.  Maybe "...communicates with an HTTP server via..." in the first 
sentence?  Also, the second sentence could be greatly simplified.

-Terence Bandoian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Security of AJP

Posted by "Cheltenham, Chris" <cc...@philasd.org>.
Everyone,

As far as documentation goes:
We realize it is very difficult to write open source docs because there
are so many different scenarios that will work for a given customer's
environment.

Possibly if you declare your audience, that would help.
Possibly if you specify minimum knowledge requirements, that would help.

To me, if there is no declaration of whom you are speaking to, then it's
written for the general populace.



===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Mark A. Claassen [mailto:MClaassen@ocie.net]
Sent: Thursday, March 1, 2018 11:20 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: RE: Security of AJP

Thanks everyone for your feedback.  I am the one who unknowingly opened
this can of worms. :)

It seems like there is a bit of momentum for altering the documentation,
so I thought I would offer something that incorporated some of these
suggestions.  I left out the part about "why" one would use a reverse
proxy.  Maybe it should be referenced here, but that seems like a
higher-level topic that might be more appropriate somewhere else.  (If
it doesn't fit anywhere else either, I can add it back.)

---

The AJP Connector element represents a Connector component that
communicates with an HTTP server via the AJP protocol.  This is an
unencrypted protocol and is therefore recommended for use on a protected
network or encrypted by some other means, like SSH tunneling.  The most
common configuration for this is when an HTTP server acts as a reverse
proxy in front of one or more Tomcat servers.  Besides being a more
efficient protocol than HTTP, there are several configuration options in
this connector designed to allow Tomcat to operate as it would if it were
not running behind a reverse proxy.

---

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaassen@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect those of
Donnell Systems, Inc.(DSI). DSI makes no warranty for and assumes no legal
liability or responsibility for the posting.
-----Original Message-----
From: Terence M. Bandoian [mailto:terence@tmbsw.com]
Sent: Thursday, March 1, 2018 8:34 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat, if I comment out the AJP
>>> startup line in server.xml, will that affect anything?
>>>
>>> I still don't even understand what it's for. I have read the Apache
>>> docs but it doesn't mean anything to me. Apache's description
>>> doesn't tell me anything.
>>>
>>>
>>> The AJP Connector element represents a Connector component that
>>> communicates with a web connector via the AJP protocol. This is used
>>> for cases where you wish to invisibly integrate Tomcat into an
>>> existing (or new) Apache installation, and you want Apache to handle
>>> the static content contained in the web application, and/or utilize
>>> Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>> Is it?
> Well, it could be improved.  For example, by using the
> widely-understood word "proxy" somewhere, or defining "web connector".
> Also by recalling that "Apache" is a huge array of various projects
> (including Tomcat!), while "Apache HTTP Server" refers to a specific
> web server daemon that can front-end Tomcat.  One could even link
> "Apache HTTP Server" to 'http://httpd.apache.org/'.
>

+1.  Maybe "...communicates with an HTTP server via..." in the first
sentence?  Also, the second sentence could be greatly simplified.

-Terence Bandoian



RE: Security of AJP

Posted by "Mark A. Claassen" <MC...@ocie.net>.
Chris,

I was planning on working on a patch for this as a smooth way to get more involved. :)  My work computer is somewhat locked down, so I was planning to get my home computer set up and then give it a go.  The patch instructions I found looked fairly clear.  If I have any questions, I will post them to the dev list.

In the meantime, I wanted to get the right wording so that the statement was acceptable.

Thanks for the encouragement!

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaassen@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect 
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and 
assumes no legal liability or responsibility for the posting. 
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Thursday, March 1, 2018 11:54 AM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark(s) and Terence,

On 3/1/18 11:20 AM, Mark A. Claassen wrote:
> Thanks everyone for your feedback.  I am the one who unknowingly 
> opened this can of worms. :)
> 
> It seems like there is a bit of momentum for altering the 
> documentation, so I thought I would offer something that incorporated 
> some of these suggestions.  I left out the part about "why" one would 
> use a reverse proxy.  Maybe it should be referenced here, but that
> seems like a higher-level topic that might be more appropriate
> somewhere else.  (If it doesn't fit anywhere else either, I can add
> it back.)
Would anyone care to prepare an actual documentation patch? I can help guide you through the process if necessary. I know this one is basically just a copy-paste job, but if you know how to make docs patches in general, maybe you'd be more likely to submit more :)

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqYMCkACgkQHPApP6U8
pFjn7A//TOlILyK+b3wG3BjkBcpOZf3s1sY1INSB+bx1k84FfjSHVQRBHYhlIW4/
LjmQGdKxNF8UNUUq8zfMUV/l70fXM8QSJzQrcma449QsZqHvwbZACQWpR/hzixL/
9X7Ob/ex9Vd937CUsZOrONK1r9JhZuiaoCcDj1p5XAD6A9YS/PGlJVF5AnLFKiUu
UBQUbMdkCestF0cNB9nSYsj5N2C6CuA+TAhb0PzBq/zh2fKVsuBZsW6TgFZwHw4d
wf5TxT0Q+/VPMhLTbagqL5eanSIU0k0dTjSvKy9JKpejZFiaMOXUvC61A0uw+Qpj
Y/K8tAhl6IM4zFGHv8dbQCrFn3bSg14ULykKdhggclyFsZbr70lNZzY4OuSZnQvL
FRnxNIT6iqArDNuDs4BSTbUI7oZVbnq6ngQOgifjAaKpKZcYvsJ7Zkrk/J+xxtGq
1TmMEQqqmqqKtyrSKOkBhDnRS1QbvgiRncgma0iuEDwGV6lCkIQNIMK5vvz0/zPy
RdtZKpidDOYrV7C53xVO3NI2et98bm90FIlP93yuzr3Pk09M4QqQVJ7OwwEkkMfQ
EiCWny8/j+nnYt7J6CgDtd8By5TmRoKi9eRUeGoC2Kw/2/JriTNShpniEW107sNk
RH9oVhAGaksAjjGc6FFttmGDNvCMSj2ppIuCQIA5ppL2j45raFo=
=ZH9u
-----END PGP SIGNATURE-----


Re: Security of AJP

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark(s) and Terence,

On 3/1/18 11:20 AM, Mark A. Claassen wrote:
> Thanks everyone for your feedback.  I am the one who unknowingly
> opened this can of worms. :)
> 
> It seems like there is a bit of momentum for altering the 
> documentation, so I thought I would offer something that
> incorporated some of these suggestions.  I left out the part about
> "why" one would use a reverse proxy.  Maybe it should be referenced
> here, but that seems like a higher-level topic that might be more
> appropriate somewhere else.  (If it doesn't fit anywhere else either,
> I can add it back.)
Would anyone care to prepare an actual documentation patch? I can help
guide you through the process if necessary. I know this one is
basically just a copy-paste job, but if you know how to make docs
patches in general, maybe you'd be more likely to submit more :)

-chris


RE: Security of AJP

Posted by "Mark A. Claassen" <MC...@ocie.net>.
Thanks everyone for your feedback.  I am the one who unknowingly opened this can of worms. :)

It seems like there is a bit of momentum for altering the documentation, so I thought I would offer something that incorporated some of these suggestions.  I left out the part about "why" one would use a reverse proxy.  Maybe it should be referenced here, but that seems like a higher-level topic that might be more appropriate somewhere else.  (If it doesn't fit anywhere else either, I can add it back.)

---

The AJP Connector element represents a Connector component that communicates with an HTTP server via the AJP protocol.  This is an unencrypted protocol and is therefore recommended for use on a protected network or encrypted by some other means, like SSH tunneling.  The most common configuration for this is when an HTTP server acts as a reverse proxy in front of one or more Tomcat servers.  Besides being a more efficient protocol than HTTP, there are several configuration options in this connector designed to allow Tomcat to operate as it would if it were not running behind a reverse proxy.

---

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaassen@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer:
The opinions provided herein do not necessarily state or reflect 
those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and 
assumes no legal liability or responsibility for the posting. 
-----Original Message-----
From: Terence M. Bandoian [mailto:terence@tmbsw.com] 
Sent: Thursday, March 1, 2018 8:34 AM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat, if I comment out the AJP
>>> startup line in server.xml, will that affect anything?
>>>
>>> I still don't even understand what it's for. I have read the Apache
>>> docs but it doesn't mean anything to me. Apache's description
>>> doesn't tell me anything.
>>>
>>>
>>> The AJP Connector element represents a Connector component that 
>>> communicates with a web connector via the AJP protocol. This is used 
>>> for cases where you wish to invisibly integrate Tomcat into an 
>>> existing (or new) Apache installation, and you want Apache to handle 
>>> the static content contained in the web application, and/or utilize 
>>> Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>> Is it?
> Well, it could be improved.  For example, by using the 
> widely-understood word "proxy" somewhere, or defining "web connector".
> Also by recalling that "Apache" is a huge array of various projects 
> (including Tomcat!), while "Apache HTTP Server" refers to a specific 
> web server daemon that can front-end Tomcat.  One could even link 
> "Apache HTTP Server" to 'http://httpd.apache.org/'.
>

+1.  Maybe "...communicates with an HTTP server via..." in the first
sentence?  Also, the second sentence could be greatly simplified.

-Terence Bandoian


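The proposed paragraph in this thread says AJP is unencrypted and belongs on a protected network, and the question that started the thread was what happens if the AJP line in server.xml is commented out. The following Python script, added here as an example and not code from the thread or from the Tomcat project, audits a server.xml for AJP connectors and reports the ones that listen beyond loopback or carry no shared secret. It relies on two attributes the AJP Connector element had in Tomcat 8.5/9.0 when the thread was written, `address` and `requiredSecret`, neither of which the thread itself mentions; the three server.xml fragments (the stock connector, a hardened one, and one with the connector commented out) are constructed for the example.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable from outside the host.

Added example for this thread; it is not Tomcat project code. It checks two
attributes the AJP Connector element had in Tomcat 8.5/9.0 when the thread was
written: `address` (bind address; when omitted the connector listens on all
local addresses) and `requiredSecret` (a keyword the reverse proxy must send
with every request). The server.xml fragments below are constructed samples.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"", "0.0.0.0", "::", "0:0:0:0:0:0:0:0"}

# Constructed sample 1: the stock AJP line the thread asks about. AJP is a
# cleartext protocol, and with no address attribute it listens everywhere.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed sample 2: the same connector reachable only from a reverse proxy
# on the same host, and only with a shared secret (the value is a placeholder).
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="replace-with-a-long-random-value"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed sample 3: the AJP line commented out, as the thread proposes for
# an install with no AJP-speaking HTTP server in front of it.
NO_AJP_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def ajp_connectors(server_xml):
    """Return every <Connector> whose protocol is an AJP variant.

    Tomcat accepts "AJP/1.3" or an implementation class name such as
    org.apache.coyote.ajp.AjpNioProtocol; both contain "ajp".
    """
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if "ajp" in c.get("protocol", "HTTP/1.1").lower()]


def audit(server_xml):
    """Return a list of findings; an empty list means no exposed AJP connector."""
    findings = []
    for conn in ajp_connectors(server_xml):
        port = conn.get("port", "?")
        address = (conn.get("address") or "").strip("[]")
        if address in WILDCARD:
            findings.append(
                "port %s: AJP listens on all local addresses in cleartext; "
                "bind it to loopback with address=\"127.0.0.1\" unless the "
                "reverse proxy is on another host" % port)
        elif address not in LOOPBACK:
            findings.append(
                "port %s: AJP listens on %s in cleartext; confirm that only "
                "the reverse proxy can reach it (protected network or tunnel)"
                % (port, address))
        if not conn.get("requiredSecret"):
            findings.append(
                "port %s: no requiredSecret, so any client that can reach the "
                "port can submit AJP requests" % port)
    return findings


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML),
                      ("hardened", HARDENED_SERVER_XML),
                      ("no AJP", NO_AJP_SERVER_XML)):
        print("%s: %s" % (name, "; ".join(audit(xml)) or "ok"))
```

Run it against a live install with `audit(open("conf/server.xml").read())`. An empty result for the commented-out variant matches the thread's premise that the connector is only needed when an HTTP server in front of Tomcat speaks AJP to it. When that proxy lives on another host, the finding for a non-loopback address is the cue to verify that the path between them is a protected network or a tunnel, as the proposed text recommends.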