RE: Security of AJP
Everyone,

As far as documentation: we realize it is very difficult to write open source docs because there are so many different scenarios that will work for a given customer's environment. Possibly if you declare your audience, that would help. Possibly if you specify minimum knowledge requirements, that would help. To me, if there is no declaration of whom you are speaking to, then it's written for the general populace.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Mark A. Claassen [mailto:mclaas...@ocie.net]
Sent: Thursday, March 1, 2018 11:20 AM
To: Tomcat Users List
Subject: RE: Security of AJP

Thanks everyone for your feedback. I am the one who unknowingly opened this can of worms. :)

It seems like there is a bit of momentum for altering the documentation, so I thought I would offer something that incorporated some of these suggestions. I left out the part about "why" one would use a reverse proxy. Maybe it should be referenced here, but that seems like a higher level topic that might be more appropriate somewhere else. (If it doesn't fit anywhere else either, I can add it back.)

---
The AJP Connector element represents a Connector component that communicates with an HTTP server via the AJP protocol. This is an unencrypted protocol and is therefore recommended for use on a protected network or encrypted by some other means, like SSH tunneling. The most common configuration for this is when an HTTP server acts as a reverse proxy in front of one or more Tomcat servers. Besides being a more efficient protocol than HTTP, there are several configuration options in this connector designed to allow Tomcat to operate as it would if it were not running behind a reverse proxy.
---

Mark Claassen
Senior Software Engineer
Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN 46601
E-mail: mailto:mclaas...@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014

Disclaimer: The opinions provided herein do not necessarily state or reflect those of Donnell Systems, Inc. (DSI). DSI makes no warranty for and assumes no legal liability or responsibility for the posting.

-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Thursday, March 1, 2018 8:34 AM
To: Tomcat Users List
Subject: Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?
>>>
>>> I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.
>>>
>>> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>>
>> Is it?
>
> Well, it could be improved. For example, by using the widely-understood word "proxy" somewhere, or defining "web connector". Also by recalling that "Apache" is a huge array of various projects (including Tomcat!), while "Apache HTTP Server" refers to a specific web server daemon that can front-end Tomcat. One could even link "Apache HTTP Server" to 'http://httpd.apache.org/'.

+1. Maybe "...communicates with an HTTP server via..." in the first sentence? Also, the second sentence could be greatly simplified.

-Terence Bandoian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Security of AJP
Chris,

I was planning on working on a patch for this as a smooth way to get more involved. :) My work computer is somewhat locked down, so I was planning to get my home computer set up and then give it a go. The patch instructions I found looked fairly clear. If I have any questions, I will post them to the dev list.

In the meantime, I wanted to get the right wording so that the statement was acceptable.

Thanks for the encouragement!

Mark Claassen
Senior Software Engineer
Donnell Systems, Inc.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Thursday, March 1, 2018 11:54 AM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

Mark(s) and Terence,

On 3/1/18 11:20 AM, Mark A. Claassen wrote:
> Thanks everyone for your feedback. I am the one who unknowingly opened this can of worms. :)
>
> It seems like there is a bit of momentum for altering the documentation, so I thought I would offer something that incorporated some of these suggestions. I left out the part about "why" one would use a reverse proxy. Maybe it should be referenced here, but that seems like a higher level topic that might be more appropriate somewhere else. (If it doesn't fit anywhere else either, I can add it back.)

Would anyone care to prepare an actual documentation patch? I can help guide you through the process if necessary.

I know this one is basically just a copy-paste job, but if you know how to make docs patches in general, maybe you'd be more likely to submit more :)

-chris
Re: Security of AJP
Mark(s) and Terence,

On 3/1/18 11:20 AM, Mark A. Claassen wrote:
> Thanks everyone for your feedback. I am the one who unknowingly opened this can of worms. :)
>
> It seems like there is a bit of momentum for altering the documentation, so I thought I would offer something that incorporated some of these suggestions. I left out the part about "why" one would use a reverse proxy. Maybe it should be referenced here, but that seems like a higher level topic that might be more appropriate somewhere else. (If it doesn't fit anywhere else either, I can add it back.)

Would anyone care to prepare an actual documentation patch? I can help guide you through the process if necessary.

I know this one is basically just a copy-paste job, but if you know how to make docs patches in general, maybe you'd be more likely to submit more :)

-chris
RE: Security of AJP
Thanks everyone for your feedback. I am the one who unknowingly opened this can of worms. :)

It seems like there is a bit of momentum for altering the documentation, so I thought I would offer something that incorporated some of these suggestions. I left out the part about "why" one would use a reverse proxy. Maybe it should be referenced here, but that seems like a higher level topic that might be more appropriate somewhere else. (If it doesn't fit anywhere else either, I can add it back.)

---
The AJP Connector element represents a Connector component that communicates with an HTTP server via the AJP protocol. This is an unencrypted protocol and is therefore recommended for use on a protected network or encrypted by some other means, like SSH tunneling. The most common configuration for this is when an HTTP server acts as a reverse proxy in front of one or more Tomcat servers. Besides being a more efficient protocol than HTTP, there are several configuration options in this connector designed to allow Tomcat to operate as it would if it were not running behind a reverse proxy.
---

Mark Claassen
Senior Software Engineer
Donnell Systems, Inc.

-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Thursday, March 1, 2018 8:34 AM
To: Tomcat Users List
Subject: Re: Security of AJP

On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?
>>>
>>> I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.
>>>
>>> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>>
>> Is it?
>
> Well, it could be improved. For example, by using the widely-understood word "proxy" somewhere, or defining "web connector". Also by recalling that "Apache" is a huge array of various projects (including Tomcat!), while "Apache HTTP Server" refers to a specific web server daemon that can front-end Tomcat. One could even link "Apache HTTP Server" to 'http://httpd.apache.org/'.

+1. Maybe "...communicates with an HTTP server via..." in the first sentence? Also, the second sentence could be greatly simplified.

-Terence Bandoian
Re: Security of AJP
On 2/28/2018 10:16 AM, Mark H. Wood wrote:
> On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
>> Chris,
>>
>> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
>>> Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?
>>>
>>> I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.
>>>
>>> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>>>
>>> That is mumbo jumbo.
>>
>> Is it?
>
> Well, it could be improved. For example, by using the widely-understood word "proxy" somewhere, or defining "web connector". Also by recalling that "Apache" is a huge array of various projects (including Tomcat!), while "Apache HTTP Server" refers to a specific web server daemon that can front-end Tomcat. One could even link "Apache HTTP Server" to 'http://httpd.apache.org/'.

+1. Maybe "...communicates with an HTTP server via..." in the first sentence? Also, the second sentence could be greatly simplified.

-Terence Bandoian
Re: Security of AJP
On Wed, Feb 28, 2018 at 09:25:53AM -0500, Christopher Schultz wrote:
> Chris,
>
> On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> > Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?
> >
> > I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.
> >
> > The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
> >
> > That is mumbo jumbo.
>
> Is it?

Well, it could be improved. For example, by using the widely-understood word "proxy" somewhere, or defining "web connector". Also by recalling that "Apache" is a huge array of various projects (including Tomcat!), while "Apache HTTP Server" refers to a specific web server daemon that can front-end Tomcat. One could even link "Apache HTTP Server" to 'http://httpd.apache.org/'.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
RE: Security of AJP
Chris and Chris

-----Original Message-----
> From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
> Sent: Wednesday, February 28, 2018 8:40 AM
> To: Tomcat Users List
> Subject: RE: Security of AJP
>
> Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?
>
> I still don't even understand what it's for.
> I have read the Apache docs but it doesn't mean anything to me.
> Apache's description doesn't tell me anything.
>
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>
> That is mumbo jumbo.

Perhaps if "Apache" were replaced with "Apache web server (httpd)" in the documentation, that would clarify things.

> ===
>
> Thank You;
>
> Chris Cheltenham
> Technology Services
> The School District of Philadelphia
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> > From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment. There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc.
>
> > First of all, am I correct in my assertion that it cannot be made secure?
>
> Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it.
>
> > And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
> >
> > https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> > The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch? You'll get your name into the change log ;)
>
> -chris

--
Cris Berneburg, Lead Software Engineer
CACI, IRMA Project
phone: 703-679-5313
RE: Security of AJP
Chris,

Poor choice of words. Not meaning it maliciously; just frustrated. My apologies.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, February 28, 2018 9:26 AM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

Chris,

On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?
>
> I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.
>
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>
> That is mumbo jumbo.

Is it? Lots of things sound like "mumbo jumbo" if you have no basic understanding of the topic. I'm sure I wouldn't be able to understand a description of reverse-transcriptase inhibitors if I had never heard of the germ theory of medicine or DNA. But that doesn't make it "mumbo jumbo".

Documentation always requires a basic understanding of the topic before you begin. You can't learn English from scratch by simply picking up a dictionary and reading it start to finish.

That description above is intended to be read by people who need to connect servers together, and already understand the ideas behind the mechanisms required to do such a thing.

AJP is a communications protocol (the third letter - P - stands for "protocol", just like in HTTP). Like HTTP, it carries web requests between two endpoints where one is the client and the other is the server. The AJP Connector is a Connector (you have to understand what Tomcat means by "connector", here) that uses the AJP protocol (instead of HTTP). It only makes sense to use AJP with clients who can speak it. AJP is really only useful between reverse-proxies (you have to understand what a reverse-proxy is, here) and Tomcat or other Java-based app servers.

If you don't understand any of these things, you generally don't have to worry about them. If you don't need a reverse-proxy, you don't need AJP or the connector that speaks it.

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment. There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc.
>
>> First of all, am I correct in my assertion that it cannot be made secure?
>
> Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it.
>
>> And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
>>
>> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
>> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch? You'll get your name into the change log ;)
>
> -chris
Re: Security of AJP
Chris,

On 2/28/18 8:40 AM, Cheltenham, Chris wrote:
> Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?
>
> I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.
>
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>
> That is mumbo jumbo.

Is it? Lots of things sound like "mumbo jumbo" if you have no basic understanding of the topic. I'm sure I wouldn't be able to understand a description of reverse-transcriptase inhibitors if I had never heard of the germ theory of medicine or DNA. But that doesn't make it "mumbo jumbo".

Documentation always requires a basic understanding of the topic before you begin. You can't learn English from scratch by simply picking up a dictionary and reading it start to finish.

That description above is intended to be read by people who need to connect servers together, and already understand the ideas behind the mechanisms required to do such a thing.

AJP is a communications protocol (the third letter - P - stands for "protocol", just like in HTTP). Like HTTP, it carries web requests between two endpoints where one is the client and the other is the server. The AJP Connector is a Connector (you have to understand what Tomcat means by "connector", here) that uses the AJP protocol (instead of HTTP). It only makes sense to use AJP with clients who can speak it. AJP is really only useful between reverse-proxies (you have to understand what a reverse-proxy is, here) and Tomcat or other Java-based app servers.

If you don't understand any of these things, you generally don't have to worry about them. If you don't need a reverse-proxy, you don't need AJP or the connector that speaks it.

-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, February 27, 2018 4:26 PM
> To: users@tomcat.apache.org
> Subject: Re: Security of AJP
>
> Mark,
>
> On 2/27/18 3:54 PM, Mark A. Claassen wrote:
>> From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment. There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".
>
> AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc.
>
>> First of all, am I correct in my assertion that it cannot be made secure?
>
> Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it.
>
>> And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
>>
>> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
>> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.
>
> That seems reasonable. Care to provide a documentation patch? You'll get your name into the change log ;)
>
> -chris
RE: Security of AJP
Yes, thank you, a little bit. Maybe I need to see it in action to fully understand what it's for.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

-----Original Message-----
From: George Stanchev [mailto:gstanc...@serena.com]
Sent: Wednesday, February 28, 2018 9:09 AM
To: Tomcat Users List
Subject: RE: Security of AJP

It is used, for example, if you want to front Tomcat by Apache Web Server or by IIS (among others). In those cases the HTTP processing is done in the front system and, if necessary, it is proxied to Tomcat via AJP. You take the HTTP request from that system, put it in an AJP record and send it over TCP/IP to Tomcat's AJP connector. Is it more clear now?

-----Original Message-----
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Wednesday, February 28, 2018 6:40 AM
To: Tomcat Users List
Subject: RE: Security of AJP

Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?

I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.

The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

That is mumbo jumbo.

===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 27, 2018 4:26 PM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment. There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made secure?

Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch? You'll get your name into the change log ;)

-chris
RE: Security of AJP
It is used, for example, if you want to front Tomcat by Apache Web Server or by IIS (among others). In those cases the HTTP processing is done in the front system and if necessary it is proxied to Tomcat via AJP. You take the HTTP request from that system, put it in an AJP record and send it over TCP/IP to Tomcat's AJP connector. Is it more clear now?

-----Original Message-----
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org]
Sent: Wednesday, February 28, 2018 6:40 AM
To: Tomcat Users List
Subject: RE: Security of AJP

Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?

I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.

The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

That is mumbo jumbo.

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 27, 2018 4:26 PM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made secure?

Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch?
You'll get your name into the change log ;)

-chris
RE: Security of AJP
Since AJP is not really needed by Tomcat, if I comment out the AJP startup line in server.xml, will that affect anything?

I still don't even understand what it's for. I have read the Apache docs but it doesn't mean anything to me. Apache's description doesn't tell me anything.

The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

That is mumbo jumbo.

===
Thank You;
Chris Cheltenham
Technology Services
The School District of Philadelphia
Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 27, 2018 4:26 PM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made secure?

Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch?
You'll get your name into the change log ;)

-chris
Re: Security of AJP
Mark,

On 27.02.2018 21:54, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".

I would /not/ state that it's /not secure/. But I'm following your later argument: It's an "unencrypted connector", yes. In order to encrypt it, it needs to be run through an encrypted tunnel - and doing so is cumbersome, error prone and unrelated to the unencrypted nature of this connector.

Why would I /not/ state that it's "not secure"? Because I wouldn't make /any/ statement about /any/ component's /security/. Security is always only about being secure /enough/. I'd happily make a statement about AJP's /encryptedness/ though (if that's a word. I assume it is now).

Also, I wouldn't call https /secure/ per se - it's /typically encrypted/, but there are several options to make it horribly insecure (and I'm not talking about the ancient PLAINTEXT cipher suite - name from memory). Just the fact that the keystores must be readable by the tomcat user makes me delegate TLS-handling to Apache httpd. Any vulnerability of any webapp might otherwise compromise my private keys.

> First of all, am I correct in my assertion that it cannot be made secure?

Nope. Add a VPN. Now it's secure. Might not be secure up to everybody's standard, but to some it would be secure /enough/.

> And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

After having said what I said above: I wouldn't object to your additional sentence. On the other hand, I'd expect any admin to figure out missing encryption from the missing key/cert options on their own, and not just set up a random production server after browsing reference documentation with whatever config option they happen to find first on stackoverflow. Wishful thinking, I know, after seeing so many "chmod -r 777 *".

And yes, I rambled - couldn't resist. While I wouldn't object to your proposed change, I believe that the world wouldn't be notably better with it.

Olaf
Re: Security of AJP
Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and such, but I cannot find it directly stated anywhere. I am pretty confident in my read of this, but it is, of course, difficult to say that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption capabilities. If you want to secure it, you will have to use some tunneling technology such as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made secure?

Theoretically, it can be made to be secure, but it would require a great deal of work and honestly, it's probably not worth it. The protocol is mature and nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider modifying the documentation to state this. Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
> The AJP Connector element represents a Connector component that communicates with a web connector via the AJP protocol. [This is an unencrypted connector, intended for use in protected environments.] This is used for cases where you wish to invisibly integrate Tomcat into an existing (or new) Apache installation, and you want Apache to handle the static content contained in the web application, and/or utilize Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch?
You'll get your name into the change log ;)

-chris
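The thread's practical takeaway is that the AJP connector in server.xml is cleartext and belongs on a protected path between the reverse proxy and Tomcat. As an added example (not code from the thread or from Tomcat), the audit below reads a server.xml and reports each AJP connector and whether its `address` attribute confines it to loopback; the protocol names and the `address` attribute are Tomcat's own, while the sample server.xml is constructed.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable beyond localhost.
Added example, not Tomcat's own code: AJP carries requests in cleartext, so a
connector listening on every interface exposes that traffic to the network."""
import xml.etree.ElementTree as ET

# protocol values that select Tomcat's AJP connector implementations
AJP_PROTOCOLS = {
    "AJP/1.3",
    "org.apache.coyote.ajp.AjpNioProtocol",
    "org.apache.coyote.ajp.AjpNio2Protocol",
    "org.apache.coyote.ajp.AjpAprProtocol",
}
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP <Connector> element.

    A connector without an ``address`` attribute binds to all interfaces
    (Tomcat's default), so it is reported as exposed.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if protocol not in AJP_PROTOCOLS:
            continue
        address = connector.get("address")
        findings.append({
            "port": connector.get("port"),
            "address": address if address is not None else "*",
            "exposed": address is None or address not in LOOPBACK_ADDRESSES,
        })
    return findings


# Constructed sample: the stock 8009 AJP connector plus one bound to loopback.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        state = "reachable from the network" if finding["exposed"] else "loopback only"
        print(f"AJP port {finding['port']} address {finding['address']}: {state}")
```

Run against a real `conf/server.xml`, an exposed finding means either the connector should be bound to the proxy-facing address on a protected network, tunnelled as the thread suggests, or removed when no front-end uses it.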