Posted to users@httpd.apache.org by AFrieze <AF...@simmgene.com> on 2007/02/12 22:37:15 UTC

[users@httpd] Apache SSL DMZ mod_jk Security concerns

Hi,

  I am running an Apache 2.2.3 web server which is located in the 
firewall's DMZ.  Our web server communicates with several Tomcat nodes 
located within the firewall's internal network via mod_jk 1.2.20.  I 
have successfully configured SSL on our Apache server and would like to 
begin accepting credit card payments.  I understand that the 
communication from the client's browser to the Apache web server will be 
encrypted, but the communication from the server to the Tomcat nodes 
through mod_jk will not.  My understanding of a DMZ leads me to believe 
that this should be safe.  Am I correct in believing that for someone to 
read the unencrypted communication from the Apache server to the Tomcat 
nodes, one would have to gain access to the DMZ's network or the 
internal network?  The firewall allows only HTTP and HTTPS into the DMZ, 
and nothing is allowed into the internal network except a connection 
from the DMZ on a specific port to the Tomcat nodes.  I am slightly 
worried that there is an easy way for someone to monitor the DMZ's 
traffic that I am missing.  I have considered using stunnel from 
Apache to Tomcat but would prefer to avoid this if possible.  The server 
has also passed a HackerGuardian scan.

Any advice on my setup would be appreciated, or any notes on other 
possible vulnerabilities.

Thank you,
AFrieze

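For readers of the archive: the post above mentions wrapping the mod_jk
link in stunnel as the mitigation it would rather avoid. The configuration
below is an added example of what that looks like; it is not from the
original post or from the Apache/Tomcat projects. It assumes one Tomcat
node reachable from the DMZ as tomcat1.internal, that the firewall opens
only TCP port 8010 from the DMZ host to that node, and that a private CA
(ca.pem) has issued a certificate to each side. mod_jk is pointed at a
stunnel listener on loopback, so AJP only travels in the clear over
127.0.0.1 on each host and crosses the firewall inside TLS.

```ini
# --- On the Apache (DMZ) host: conf/workers.properties for mod_jk ---
# The worker talks to the local stunnel listener, never to the Tomcat
# host directly, so plain AJP never leaves this box.
worker.list=node1
worker.node1.type=ajp13
worker.node1.host=127.0.0.1
worker.node1.port=8009

# --- On the Apache (DMZ) host: stunnel.conf (client side) ---
# Certificate and key for this host; ca.pem is the assumed private CA
# that signed both ends' certificates.
cert = /etc/stunnel/dmz-apache.pem
CAfile = /etc/stunnel/ca.pem
# verify = 2 requires the Tomnel-side stunnel to present a certificate
# signed by ca.pem, so a rogue host on the internal network cannot
# impersonate the Tomcat node.
verify = 2

[ajp-client]
client = yes
# mod_jk connects here (plain AJP, loopback only).
accept = 127.0.0.1:8009
# tomcat1.internal:8010 is an assumed name and port: the single
# connection the firewall permits from the DMZ into the internal network.
connect = tomcat1.internal:8010

# --- On each Tomcat host: stunnel.conf (server side) ---
cert = /etc/stunnel/tomcat1.pem
CAfile = /etc/stunnel/ca.pem
# verify = 2 here means only a client holding a ca.pem-signed
# certificate (the DMZ Apache host) can open the tunnel.
verify = 2

[ajp-server]
# TLS endpoint exposed to the DMZ host.
accept = 0.0.0.0:8010
# Tomcat's AJP connector, reached only over loopback.
connect = 127.0.0.1:8009
```

Two details make the tunnel worth having: bind Tomcat's AJP connector to
loopback (the address="127.0.0.1" attribute on the AJP/1.3 Connector in
server.xml) so port 8009 is not reachable from the network at all, and
open only the stunnel port (8010 above) in the firewall rule from the DMZ
host. With that in place, anyone who does get a foothold in the DMZ sees
only TLS on the wire to the Tomcat nodes, which is the exposure the
question is asking about.
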
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org