Posted to users@tomcat.apache.org by "Campbell, Lance" <la...@illinois.edu> on 2010/03/16 21:53:43 UTC

mod_jk - apache to tomcat using SSL

I have a web server and an application server.  I use mod_jk to
communicate between apache2.0 and tomcat 6.  I don't believe the
communication between apache and tomcat is secured by default.  Is there
a way to have it send the information in a secure way?

Thanks,

Lance Campbell
Software Architect/DBA/Project Manager
Web Services at Public Affairs
217-333-0382


Re: mod_jk - apache to tomcat using SSL

Posted by André Warnier <aw...@ice-sa.com>.
Campbell, Lance wrote:
> I have a web server and an application server.  I use mod_jk to
> communicate between apache2.0 and tomcat 6.  I don't believe the
> communication between apache and tomcat is secured by default.  Is there
> a way to have it send the information in a secure way.
> 
I do not presume to know the sensitivity of the data passing between 
your webserver and your application server, nor the physical topology of 
your network, nor the real possibility of the data being compromised, 
nor the real capabilities of your servers.

But if you were to make an SSL connection between the front-end and the 
back-end, you would more than double the encryption overhead. 
Supposedly, the clients already connect to Apache via HTTPS, and Apache 
has to decrypt the data on the way in, and encrypt it on the way out 
to/from the client.  That will remain the case anyway. But if Apache has 
to communicate with the Tomcat back-end via SSL, it will need to do the 
same encryption/decryption for all the data a second time, and Tomcat at 
its end also.
That is true no matter which method you would use, tunnel or HTTPS proxy.
It may be a necessity, and it may be affordable, but it should not be a 
decision taken lightly thinking it is free of consequences.
A crossover cable is less exciting, but may be much cheaper.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: mod_jk - apache to tomcat using SSL

Posted by Mark Thomas <ma...@apache.org>.
On 16/03/2010 21:07, André Warnier wrote:
> Campbell, Lance wrote:
>> I have a web server and an application server.  I use mod_jk to
>> communicate between apache2.0 and tomcat 6.  I don't believe the
>> communication between apache and tomcat is secured by default.  Is there
>> a way to have it send the information in a secure way.
>>
> Taking your question strictly as phrased, I don't think so, because the
> mod_jk/Tomcat AJP protocol is not encrypted.
> If you really needed to do this, you could use an SSH tunnel however.
> If you really needed to and the physical constraints allow it, you could
> also link your Apache with the back-end Tomcat with a dedicated LAN, and
> avoid the overhead of SSL.

mod_proxy_http configured to use https is usually an easier way to do this.

Mark
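
[Added example, not part of the original thread: the mod_proxy_http-over-https approach suggested above, with the unverified setting beside the corrected one. The host name tomcat.internal.example, the /app path, port 8443 and all file paths are assumptions.]

```apache
# httpd front end: proxy /app to Tomcat's HTTPS connector instead of AJP via mod_jk.
# Assumed names: tomcat.internal.example, /app, conf/ssl/internal-ca.pem.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

# Weak form: the hop is encrypted, but SSLProxyVerify defaults to "none",
# so httpd accepts any certificate the back end presents.
#   SSLProxyEngine on
#   ProxyPass /app https://tomcat.internal.example:8443/app

# Corrected form: encrypt the hop and require a back-end certificate
# that chains to the internal CA.
SSLProxyEngine            on
SSLProxyVerify            require
SSLProxyVerifyDepth       2
SSLProxyCACertificateFile conf/ssl/internal-ca.pem
# On httpd 2.4.5 and later, SSLProxyCheckPeerName also checks the
# certificate's host name against the ProxyPass target.

# Reverse proxy only; never act as a forward proxy.
ProxyRequests    Off
ProxyPass        /app https://tomcat.internal.example:8443/app
ProxyPassReverse /app https://tomcat.internal.example:8443/app

# Tomcat 6 side (server.xml), shown here as a comment. Keystore path and
# password are placeholders:
#   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
#              scheme="https" secure="true" clientAuth="false"
#              sslProtocol="TLS"
#              keystoreFile="conf/tomcat.jks" keystorePass="CHANGE_ME"/>
# Once nothing uses it, the AJP connector (port 8009 by default) can be
# removed from server.xml so the unencrypted listener is no longer exposed.
```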





Re: mod_jk - apache to tomcat using SSL

Posted by Mladen Turk <mt...@apache.org>.
On 03/16/2010 10:23 PM, Campbell, Lance wrote:
> What group is responsible for the Tomcat AJP protocol?  Is there a way to request a feature to add SSL encryption to the protocol?
>

You can try, but the answer will be no.
Like people already said, use either tunnelling or mod_proxy_http


Regards
-- 
^TM



RE: mod_jk - apache to tomcat using SSL

Posted by "Campbell, Lance" <la...@illinois.edu>.
What group is responsible for the Tomcat AJP protocol?  Is there a way to request a feature to add SSL encryption to the protocol?

Thanks,

Lance Campbell
Software Architect/DBA/Project Manager
Web Services at Public Affairs
217-333-0382


-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Tuesday, March 16, 2010 4:08 PM
To: Tomcat Users List
Subject: Re: mod_jk - apache to tomcat using SSL

Campbell, Lance wrote:
> I have a web server and an application server.  I use mod_jk to
> communicate between apache2.0 and tomcat 6.  I don't believe the
> communication between apache and tomcat is secured by default.  Is there
> a way to have it send the information in a secure way.
> 
Taking your question strictly as phrased, I don't think so, because the 
mod_jk/Tomcat AJP protocol is not encrypted.
If you really needed to do this, you could use an SSH tunnel however.
If you really needed to and the physical constraints allow it, you could 
also link your Apache with the back-end Tomcat with a dedicated LAN, and 
avoid the overhead of SSL.




Re: mod_jk - apache to tomcat using SSL

Posted by André Warnier <aw...@ice-sa.com>.
Campbell, Lance wrote:
> I have a web server and an application server.  I use mod_jk to
> communicate between apache2.0 and tomcat 6.  I don't believe the
> communication between apache and tomcat is secured by default.  Is there
> a way to have it send the information in a secure way.
> 
Taking your question strictly as phrased, I don't think so, because the 
mod_jk/Tomcat AJP protocol is not encrypted.
If you really needed to do this, you could use an SSH tunnel however.
If you really needed to and the physical constraints allow it, you could 
also link your Apache with the back-end Tomcat with a dedicated LAN, and 
avoid the overhead of SSL.




Re: mod_jk - apache to tomcat using SSL

Posted by Mladen Turk <mt...@apache.org>.
On 03/18/2010 04:14 PM, Caldarale, Charles R wrote:
>> From: 2smart4u [mailto:rc46fi@googlemail.com]
>> Subject: Re: mod_jk - apache to tomcat using SSL
>>
>> why encrypting the traffic between httpd and tomcat (frontend /
>> backend) anyways?
>
> Depends on the location of the two boxes, the accessibility of the network connection between them, and how much trust you have of those who do have access...
>

And if the boxes are inside CIA or KGB premises you might
have spies in the house already :)


Cheers
-- 
^TM



RE: mod_jk - apache to tomcat using SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: 2smart4u [mailto:rc46fi@googlemail.com]
> Subject: Re: mod_jk - apache to tomcat using SSL
> 
> why encrypting the traffic between httpd and tomcat (frontend /
> backend) anyways?

Depends on the location of the two boxes, the accessibility of the network connection between them, and how much trust you have of those who do have access...

 - Chuck





Re: mod_jk - apache to tomcat using SSL

Posted by 2smart4u <rc...@googlemail.com>.
On Tue, Mar 16, 2010 at 9:53 PM, Campbell, Lance <la...@illinois.edu> wrote:
> I have a web server and an application server.  I use mod_jk to
> communicate between apache2.0 and tomcat 6.  I don't believe the
> communication between apache and tomcat is secured by default.  Is there
> a way to have it send the information in a secure way.
>

hm, first thing popping up in my mind:

why encrypting the traffic between httpd and tomcat (frontend /
backend) anyways? ain't it sufficient to ssl the traffic between
client and frontend (httpd)?

just wondering...

gregor
-- 
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available
@ http://pgpkeys.pca.dfn.de:11371
@ http://pgp.mit.edu:11371/
skype:rc46fi
