Is it correct to say that in a typical Browser-Apache Web Server-Tomcat App Server setup, the SSL connection generally terminates at the Apache web server and the traffic between Apache and Tomcat (to the AJP connector) is unencrypted? If I am correct that this is the "usual" setup, then isn't this a pretty big security flaw since the DMZ is supposed be only "partly" safe?
If someone were to crack into the DMZ and could sniff network traffic, then they could in theory listen in to traffic and grab all of it in an unencrypted state (which may include credit card information, usernames, passwords etc). Jim
