Posted to dev@tomcat.apache.org by fredk2 <fr...@gmail.com> on 2006/10/18 04:35:44 UTC

mod_proxy_ajp vs mod_jk

Hi,

I have read many postings about this topic, but one mod_proxy_ajp
configuration detail eludes me.

When using mod_jk you can ensure that the apache and tomcat are restricted
to each other with the use of a unique secret word.  In the
workers.properties documentation the directive secret says:

        http://tomcat.apache.org/connectors-doc/config/workers.html

secret - If set to AJP Connector secret keyword, only request with this
keyword are successful responding. Use request.useSecret="true" and
request.secret="secret key word" at your tomcat ajp Connector configuration.  

The question is - how can you set secret in mod_proxy_ajp ?

If this feature is not (yet) implemented, can this be easily added - aka can
we expect this in a later version :) ?

Please let me know if this post should be made on apache-httpd dev forum.

In advance thank you for your replies,
Fred

-- 
View this message in context: http://www.nabble.com/mod_proxy_ajp-vs-mod_jk-tf2463710.html#a6868349
Sent from the Tomcat - Dev mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: mod_proxy_ajp vs mod_jk

Posted by Yoav Shapira <yo...@apache.org>.
Hi,
Fred, I think you may be confusing IPFilter (the Solaris-specific
package) with a generic IP filter.  I might be misunderstanding Mladen
myself, but I think he meant a simple configuration of Tomcat's Remote
Address Valve (http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html)
or a similar component at the javax.servlet.Filter level.

Yoav

On 10/18/06, fredk2 <fr...@gmail.com> wrote:
>
> Hi Mladen,
>
> <my apologies for the reply format>
>
> I am curious about your last statement.
> I understand that an ip filter is more secure. However, if I am not
> mistaken, to setup IPFilter you need to be a sysadmin (aka Root) and you can
> lock yourself out if you do not have physical access to the server(s), right
> ?
>
> So why not a secret word ? It is easy to set and correct. If the file access
> permissions are applied properly you can then be certain that the tomcat
> will only communicate with the proper Apache(s).  I am sure that the
> security gurus would like to see SSL, but that is another thread:)
>
> Thanks - Fred
>
> (Interesting, I just saw that IPFilter is now bundled in Solaris 10, but
> many Linux ship with IPTables :(
>
>
> Mladen Turk wrote:
> >
> > Rainer Jung wrote:
> >> Hi,
> >>
> >> fredk2 wrote:
> >>> The question is - how can you set secret in mod_proxy_ajp ?
> >>
> >> Not at the moment.
> >>
> >>> If this feature is not (yet) implemented, can this be easily added -
> >>> aka can
> >>> we expect this in a later version :) ?
> >>>
> >>> Please let me know if this post should be made on apache-httpd dev
> >>> forum.
> >>
> >> You'll reach Mladen, who ported mod_jk to mod_proxy_* on this list, but
> >> you should better post to httpd-dev to make sure, all the other
> >> developers are able to read it.
> >>
> >
> > This feature is pretty much useless and gives no higher
> > security whatsoever. The same thing can be done by IP Filter
> > in Tomcat, that would give much higher security than this.
> >
> > Regards,
> > Mladen.
> >
>
> --
> View this message in context: http://www.nabble.com/mod_proxy_ajp-vs-mod_jk-tf2463710.html#a6877291
> Sent from the Tomcat - Dev mailing list archive at Nabble.com.
>
>

Re: mod_proxy_ajp vs mod_jk

Posted by fredk2 <fr...@gmail.com>.
Hi Mladen,

<my apologies for the reply format>

I am curious about your last statement.
I understand that an ip filter is more secure. However, if I am not
mistaken, to setup IPFilter you need to be a sysadmin (aka Root) and you can
lock yourself out if you do not have physical access to the server(s), right
? 

So why not a secret word ? It is easy to set and correct. If the file access
permissions are applied properly you can then be certain that the tomcat
will only communicate with the proper Apache(s).  I am sure that the
security gurus would like to see SSL, but that is another thread:)

Thanks - Fred

(Interesting, I just saw that IPFilter is now bundled in Solaris 10, but
many Linux ship with IPTables :(


Mladen Turk wrote:
> 
> Rainer Jung wrote:
>> Hi,
>> 
>> fredk2 wrote:
>>> The question is - how can you set secret in mod_proxy_ajp ?
>> 
>> Not at the moment.
>> 
>>> If this feature is not (yet) implemented, can this be easily added - 
>>> aka can
>>> we expect this in a later version :) ?
>>>
>>> Please let me know if this post should be made on apache-httpd dev
>>> forum.
>> 
>> You'll reach Mladen, who ported mod_jk to mod_proxy_* on this list, but 
>> you should better post to httpd-dev to make sure, all the other 
>> developers are able to read it.
>> 
> 
> This feature is pretty much useless and gives no higher
> security whatsoever. The same thing can be done by IP Filter
> in Tomcat, that would give much higher security than this.
> 
> Regards,
> Mladen.
> 

-- 
View this message in context: http://www.nabble.com/mod_proxy_ajp-vs-mod_jk-tf2463710.html#a6877291
Sent from the Tomcat - Dev mailing list archive at Nabble.com.



Re: mod_proxy_ajp vs mod_jk

Posted by Mladen Turk <mt...@apache.org>.
Rainer Jung wrote:
> Hi,
> 
> fredk2 wrote:
>> The question is - how can you set secret in mod_proxy_ajp ?
> 
> Not at the moment.
> 
>> If this feature is not (yet) implemented, can this be easily added - 
>> aka can
>> we expect this in a later version :) ?
>>
>> Please let me know if this post should be made on apache-httpd dev forum.
> 
> You'll reach Mladen, who ported mod_jk to mod_proxy_* on this list, but 
> you should better post to httpd-dev to make sure, all the other 
> developers are able to read it.
> 

This feature is pretty much useless and gives no higher
security whatsoever. The same thing can be done by IP Filter
in Tomcat, that would give much higher security than this.

Regards,
Mladen.


Re: mod_proxy_ajp vs mod_jk

Posted by Rainer Jung <ra...@kippdata.de>.
Hi,

fredk2 wrote:
> The question is - how can you set secret in mod_proxy_ajp ?

Not at the moment.

> If this feature is not (yet) implemented, can this be easily added - aka can
> we expect this in a later version :) ?
> 
> Please let me know if this post should be made on apache-httpd dev forum.

You'll reach Mladen, who ported mod_jk to mod_proxy_* on this list, but 
you should better post to httpd-dev to make sure, all the other 
developers are able to read it.

Rainer
