I'm no security expert, but I was looking at mod_ssl the other day, so
here are my thoughts...

1) Is there a need for SSL between web server and Tomcat?
It depends on what traffic is allowed through your firewall.  If webserver-tomcat
communication is on port 8009 and your firewall doesn't allow access to
this port from the outside then the unencrypted communication between
webserver and tomcat is safe from the outside world.  However, if someone
were to upload an application to the web server they would then be able to
monitor the traffic on 8009.  Also without SSL between webserver-Tomcat
you are still vulnerable from inside the network (coworkers, etc.).

2) In mod_ssl for Apache data is unencrypted by the webserver and then
forwarded in unencrypted format to tomcat.

Note - I have never set up Apache mod_ssl / Tomcat so take this with a
grain of salt, all comments based on my limited understanding of the
documentation.

cheers,
Dave

On Fri, 15 Nov 2002 [EMAIL PROTECTED] wrote:

> Hi All.
> I know this has been discussed ad nauseam, but I do need some
> clarification conceptually.
> By the time the web-server applet calls a servlet in Tomcat, the http
> request has already gone past the firewall.
> Ideally, I would like to see anything between the web-server and the
> browser encoded in SSL.
> So my questions are :
> (1) Is there a need for openSSL between Tomcat and web-server ?
> (2) If I implement openSSL between web-server and browser, how will this
> affect Tomcat downstream, if at all ?
>
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
>

