Re: fronting tomcat with reverse proxy+SSL
Al,

On 5/27/12 2:43 PM, al so wrote:
> I've used standalone Tomcat to serve as web server+SSL+web container in the past. Now, I am trying to front Tomcat with apache reverse proxy+SSL.
> 1. Is it not redundant to configure the SSL in the Tomcat as well when the fronting reverse proxy is already configured to handle SSL? I see a lot of posts on the internet which configure SSL at both Tomcat and Reverse proxy. Am I missing something?

The real question is whether or not you need to protect the communication between httpd and Tomcat. If you are on a trusted network, then you probably don't need any kind of SSL between the two, and it would be redundant to configure Tomcat to handle SSL and have the proxy re-negotiate an SSL connection with it.

On the other hand, if you are communicating across an untrusted network, then you probably do want to encrypt the communication. One way of doing that is by using something like mod_proxy_http and just making sure that you use an https:// URL for the backend. If you want to use AJP, you'll have to tunnel it yourself using stunnel, ssh, a VPN which provides similar behavior, or some similar external tool because AJP itself does not support any kind of encryption.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: fronting tomcat with reverse proxy+SSL
Al,

On 5/28/12 1:35 AM, al so wrote:
> It would be nice if I can hear from someone who has done such a familiar setup. Have you seen any performance issues in setting up SSL both at Tomcat and Apache?

As Aristedes states: only you know your environment and we can't really answer performance questions for you.

But, in general, if you have lots of small HTTPS requests (and responses) without keepalive, then your performance will be terrible, relative to /not/ using SSL. If you have lots of keepalive requests and/or your requests (or responses, or both) then it won't feel so bad. The worst-performing part of SSL communication is the setup of the channel. Once the negotiation has happened (at the start of the connection), the stream-encryption is not too bad.

I honestly don't know how mod_proxy_http handles keepalives when communicating with a Tomcat backend... if mod_proxy_http can pipeline disparate incoming requests from random clients into a single keepalive connection to Tomcat, then things might work out well. If not, well then maybe performance will be terrible.

If you use something like an ssh tunnel (or stunnel, or anything similar) then your performance shouldn't suffer too much because SSL re-negotiations are going to be very rare events.

Again, you'll have to test in your own environment with realistic conditions in order to draw any meaningful conclusions. Honestly, I think it comes down to your requirements: if you *need* to protect the data between httpd and Tomcat then you don't really have a choice: you must encrypt it... you just have to decide exactly how you will be doing it.

> Do you use the same keys/certs at both Tomcat and Apache?

I see no advantage to doing that, and one might consider it to be a security problem to have a backend server's key out on a web server (which is presumably in more danger of being compromised).
-chris
Re: fronting tomcat with reverse proxy+SSL
> Anyone who considers AJP a secure protocol is clearly clueless when it comes to security.

Anyone that thinks he can judge security without knowing any of the requirements is plain wrong. As I wrote in a previous answer, it all depends on requirements and what you want to accomplish.

John
Re: fronting tomcat with reverse proxy+SSL
On 29/05/2012 17:30, John Renne wrote:
>> Anyone who considers AJP a secure protocol is clearly clueless when it comes to security.
>
> Anyone that thinks he can judge security without knowing any of the requirements is plain wrong. As I wrote in a previous answer, it all depends on requirements and what you want to accomplish.

Nope. AJP is not secure under any circumstances. Period.

Mark
Re: fronting tomcat with reverse proxy+SSL
What problem are you trying to solve by doing this? It seems to serve little purpose. Decrypt the traffic from the browser using Apache httpd, then re-encrypt the data and pass it on to Tomcat. Why?

I am sure it will work fine, but your performance will depend on the traffic you have. No one can answer that question for you.

Ari

On 28/05/12 3:35pm, al so wrote:
> It would be nice if I can hear from someone who has done such a familiar setup. Have you seen any performance issues in setting up SSL both at Tomcat and Apache? Do you use the same keys/certs at both Tomcat and Apache?
>
> On Sun, May 27, 2012 at 11:43 AM, al so volks...@gmail.com wrote:
>> I've used standalone Tomcat to serve as web server+SSL+web container in the past. Now, I am trying to front Tomcat with apache reverse proxy+SSL.
>> 1. Is it not redundant to configure the SSL in the Tomcat as well when the fronting reverse proxy is already configured to handle SSL? I see a lot of posts on the internet which configure SSL at both Tomcat and Reverse proxy. Am I missing something?

--
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
Re: fronting tomcat with reverse proxy+SSL
What is the typical setup in the enterprise apps? Do they just SSL terminate at the reverse proxy OR do they set up SSL at both apache and tomcat? In the former case, obviously the link is insecure between apache and tomcat. Seeking pretty basic clarification..

On Mon, May 28, 2012 at 12:30 AM, Aristedes Maniatis amania...@apache.org wrote:
> What problem are you trying to solve by doing this? It seems to serve little purpose. Decrypt the traffic from the browser using Apache httpd, then re-encrypt the data and pass it on to Tomcat. Why?
>
> I am sure it will work fine, but your performance will depend on the traffic you have. No one can answer that question for you.
>
> Ari
>
> On 28/05/12 3:35pm, al so wrote:
>> It would be nice if I can hear from someone who has done such a familiar setup. Have you seen any performance issues in setting up SSL both at Tomcat and Apache? Do you use the same keys/certs at both Tomcat and Apache?
>>
>> On Sun, May 27, 2012 at 11:43 AM, al so volks...@gmail.com wrote:
>>> I've used standalone Tomcat to serve as web server+SSL+web container in the past. Now, I am trying to front Tomcat with apache reverse proxy+SSL.
>>> 1. Is it not redundant to configure the SSL in the Tomcat as well when the fronting reverse proxy is already configured to handle SSL? I see a lot of posts on the internet which configure SSL at both Tomcat and Reverse proxy. Am I missing something?
Re: fronting tomcat with reverse proxy+SSL
> What is the typical setup in the enterprise apps? Do they just SSL terminate at the reverse proxy OR do they set up SSL at both apache and tomcat? In the former case, obviously the link is insecure between apache and tomcat.

The most common setup I've seen is to terminate the SSL connection at the apache level and let apache and tomcat communicate through AJP, which you obviously consider insecure. Can I ask you what you consider insecure about AJP, by the way?

John
Re: fronting tomcat with reverse proxy+SSL
John Renne j...@gniffelnieuws.net wrote:
> Can I ask you what you consider insecure about AJP by the way?

AJP is, apart from some simple encoding of a few headers which are easily decoded, a plain text protocol. There is zero encryption. Hence it is not secure. I suggest you read the AJP protocol definition in the docs.

Anyone who considers AJP a secure protocol is clearly clueless when it comes to security.

Mark
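Mark's description of AJP as a plain-text protocol with only light encoding of a few headers, and Chris's statement earlier in the thread that AJP has no encryption of its own, can be checked directly against the wire format. The following is an added example written for this page, not code from Tomcat or from anyone in the thread. It builds an AJP13 forward-request packet the way httpd's AJP module would, using constructed sample values (a made-up Basic credential, session cookie and request id, a hypothetical server name `app.example` and client address), and then parses it back out of the raw bytes the way a passive sniffer on the httpd/Tomcat segment would. The string encoding, method codes, 0xA0xx header codes and attribute codes follow the AJPv13 protocol description in the Tomcat docs; the `secret` attribute is the optional shared secret an AJP connector can require and is included only to show that it travels in the clear as well.

```python
"""AJP13 forward-request packets on the wire: build one as httpd would, then
recover its contents as a sniffer on the httpd<->Tomcat segment would.
Added example for this page, not Tomcat code. All sample values are constructed."""
import struct

AJP_FORWARD_REQUEST = 0x02
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6, "TRACE": 7}
# Common request headers are sent as a two-byte code instead of their name (AJPv13 spec).
COMMON_HEADERS = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
CODE_TO_HEADER = {v: k for k, v in COMMON_HEADERS.items()}
CODE_TO_METHOD = {v: k for k, v in METHODS.items()}
ATTR_SECRET = 0x0C       # optional shared secret an AJP connector can require
ATTR_TERMINATOR = 0xFF


def ajp_string(s):
    """AJP string: big-endian 2-byte length, the raw bytes, a NUL. Nothing is transformed."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b + b"\x00"


def build_forward_request(method, uri, headers, server_name="app.example",
                          server_port=443, is_ssl=True, secret=None):
    """Proxy -> container packet: magic 0x1234, payload length, forward-request body."""
    body = bytes([AJP_FORWARD_REQUEST, METHODS[method]])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    # remote_addr (constructed client IP), remote_host (empty), server_name
    body += ajp_string("10.0.0.5") + ajp_string("") + ajp_string(server_name)
    body += struct.pack(">H", server_port) + bytes([1 if is_ssl else 0])
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = COMMON_HEADERS.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    if secret is not None:
        body += bytes([ATTR_SECRET]) + ajp_string(secret)
    body += bytes([ATTR_TERMINATOR])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


class _Reader:
    """Cursor over captured bytes."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        v = self.data[self.pos]
        self.pos += 1
        return v

    def u16(self):
        (v,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        return v

    def string(self):
        n = self.u16()
        if n == 0xFFFF:                      # spec: length 0xFFFF means null string
            return None
        s = self.data[self.pos:self.pos + n].decode("utf-8")
        self.pos += n + 1                    # skip the trailing NUL
        return s


def sniff_forward_request(packet):
    """Parse a captured proxy -> Tomcat packet; every field comes back in the clear."""
    r = _Reader(packet)
    if r.u16() != 0x1234:
        raise ValueError("not a proxy->container AJP packet")
    if r.u16() != len(packet) - 4:
        raise ValueError("length field does not match capture")
    if r.byte() != AJP_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    method = CODE_TO_METHOD[r.byte()]
    protocol, uri = r.string(), r.string()
    remote_addr, remote_host, server_name = r.string(), r.string(), r.string()
    server_port, is_ssl = r.u16(), bool(r.byte())
    headers = {}
    for _ in range(r.u16()):
        # A name whose first byte is 0xA0 is a header code; anything else is a string.
        name = CODE_TO_HEADER[r.u16()] if r.data[r.pos] == 0xA0 else r.string().lower()
        headers[name] = r.string()
    attributes = {}
    code = r.byte()
    while code != ATTR_TERMINATOR:
        if code != ATTR_SECRET:
            raise ValueError("attribute 0x%02x not handled by this demo" % code)
        attributes["secret"] = r.string()
        code = r.byte()
    return {"method": method, "protocol": protocol, "uri": uri, "client": remote_addr,
            "remote_host": remote_host, "server": server_name, "port": server_port,
            "is_ssl": is_ssl, "headers": headers, "attributes": attributes}


def demo():
    """Constructed sample: what httpd would forward for a logged-in client's POST."""
    packet = build_forward_request(
        "POST", "/account/transfer",
        {"Host": "app.example",
         "Authorization": "Basic YWxpY2U6aHVudGVyMg==",      # alice:hunter2, made up
         "Cookie": "JSESSIONID=0123456789ABCDEF",
         "Content-Type": "application/x-www-form-urlencoded",
         "X-Request-Id": "constructed-1"},
        secret="ajp-shared-secret")
    return sniff_forward_request(packet)


if __name__ == "__main__":
    import base64, json
    seen = demo()
    print(json.dumps(seen, indent=2))
    cred = base64.b64decode(seen["headers"]["authorization"].split()[1]).decode()
    print("credentials recovered from the wire:", cred)
```

Run it and the Authorization header, the session cookie and the connector secret all come back verbatim: the only "encoding" is a two-byte length prefix on each string and a one-byte code in place of common header names, which is what Mark means by easily decoded. Two things worth noticing for the setup under discussion: the `is_ssl` flag describes the browser-to-httpd hop, so Tomcat will report the request as secure even though this hop is not, and the AJP secret is an authentication feature for the connector, not confidentiality, since it is sent in the clear too. The remedy the thread gives still stands: wrap AJP in stunnel, ssh or a VPN, or switch to mod_proxy_http against an https:// backend.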
Re: fronting tomcat with reverse proxy+SSL
> Now, I am trying to front Tomcat with apache reverse proxy+SSL.
> 1. Is it not redundant to configure the SSL in the Tomcat as well when the fronting reverse proxy is already configured to handle SSL? I see a lot of posts on the internet which configure SSL at both Tomcat and Reverse proxy. Am I missing something?

Personally I wouldn't use SSL between the frontend proxy and Tomcat. In the case of an apache server, I would rather let apache handle SSL offloading and use mod_proxy, mod_proxy_ajp and mod_cluster to address tomcat using the AJP protocol.

John
Re: fronting tomcat with reverse proxy+SSL
How about the security concerns in having HTTP between reverse proxy and Tomcat?

On Sun, May 27, 2012 at 11:47 AM, John Renne j...@gniffelnieuws.net wrote:
>> Now, I am trying to front Tomcat with apache reverse proxy+SSL.
>> 1. Is it not redundant to configure the SSL in the Tomcat as well when the fronting reverse proxy is already configured to handle SSL? I see a lot of posts on the internet which configure SSL at both Tomcat and Reverse proxy. Am I missing something?
>
> Personally I wouldn't use SSL between the frontend proxy and Tomcat. In the case of an apache server, I would rather let apache handle SSL offloading and use mod_proxy, mod_proxy_ajp and mod_cluster to address tomcat using the AJP protocol.
>
> John
Re: fronting tomcat with reverse proxy+SSL
> How about the security concerns in having HTTP between reverse proxy and Tomcat?

You don't; you can use AJP between HTTP and Tomcat.

John
Re: fronting tomcat with reverse proxy+SSL
Well, AJP is not SSL. So, the link is insecure between rev proxy and tomcat if you don't use SSL.

On Sun, May 27, 2012 at 3:02 PM, John Renne j...@gniffelnieuws.net wrote:
>> How about the security concerns in having HTTP between reverse proxy and Tomcat?
>
> You don't; you can use AJP between HTTP and Tomcat.
>
> John
Re: fronting tomcat with reverse proxy+SSL
On May 28, 2012, at 12:11 AM, al so wrote:
> Well, AJP is not SSL. So, the link is insecure between rev proxy and tomcat if you don't use SSL.

It all depends on what your requirements are. If a binary protocol will do for you, you can use AJP. If you don't consider it secure, you can choose to go for SSL.

John
Re: fronting tomcat with reverse proxy+SSL
It would be nice if I can hear from someone who has done such a familiar setup. Have you seen any performance issues in setting up SSL both at Tomcat and Apache? Do you use the same keys/certs at both Tomcat and Apache?

On Sun, May 27, 2012 at 11:43 AM, al so volks...@gmail.com wrote:
> I've used standalone Tomcat to serve as web server+SSL+web container in the past. Now, I am trying to front Tomcat with apache reverse proxy+SSL.
> 1. Is it not redundant to configure the SSL in the Tomcat as well when the fronting reverse proxy is already configured to handle SSL? I see a lot of posts on the internet which configure SSL at both Tomcat and Reverse proxy. Am I missing something?