James Ellis wrote:
Is it correct to say that in a typical Browser-Apache Web Server-Tomcat
App Server setup, the SSL connection generally terminates at the Apache
web server and the traffic between Apache and Tomcat (to the AJP
connector) is unencrypted? If I am correct that this is the "usual"
setup, then isn't this a pretty big security flaw since the DMZ is
supposed to be only "partly" safe?
If someone were to crack into the DMZ and could sniff network traffic,
then they could in theory listen in to traffic and grab all of it in an
unencrypted state (which may include credit card information, usernames,
passwords etc).
Yes. This design relies on the integrity of the network beyond the DMZ.
A good solution is to use proxy_http over ssl and the https connector for
the last mile, if this is a concern in the environment you have deployed.
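As an added illustration of the two setups the reply contrasts (not from the original thread or the httpd project), here is a minimal httpd reverse-proxy config showing the usual plaintext AJP hop beside the proxy_http-over-TLS variant. Hostnames, ports, file paths and the /app/ prefix are assumptions for the example; the directives themselves are standard mod_proxy, mod_proxy_ajp, mod_proxy_http and mod_ssl directives.

```apache
# --- Constructed example, not the poster's or the project's configuration ---
# The front-end vhost terminates the browser's TLS as usual.
<VirtualHost *:443>
    ServerName www.example.com          # assumed name
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.crt   # assumed paths
    SSLCertificateKeyFile /etc/httpd/ssl/www.key

    # (A) The "usual" last mile: AJP to Tomcat in clear text.
    # Anyone who can sniff the segment between httpd and Tomcat sees
    # every request body, cookie and password exactly as the browser sent it.
    #ProxyPass        /app/ ajp://tomcat.internal:8009/app/
    #ProxyPassReverse /app/ ajp://tomcat.internal:8009/app/

    # (B) Encrypted last mile: mod_proxy_http to Tomcat's HTTPS connector.
    SSLProxyEngine on
    # Do not just encrypt; authenticate the backend too, otherwise an
    # attacker on the same segment can still interpose a fake "Tomcat".
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt   # assumed path
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on
    # Optional: present a client certificate so Tomcat can require
    # that only this proxy talks to it.
    #SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    ProxyPreserveHost On
    ProxyPass        /app/ https://tomcat.internal:8443/app/
    ProxyPassReverse /app/ https://tomcat.internal:8443/app/
</VirtualHost>
```

On the Tomcat side this needs an HTTPS connector on the matching port (a `<Connector>` in server.xml with `SSLEnabled="true"`, `scheme="https"` and `secure="true"` so the webapp still sees the request as secure), with a certificate whose name matches the host used in `ProxyPass` so that `SSLProxyCheckPeerName` passes. Two practical caveats: `SSLProxyVerify require` without a correct `SSLProxyCACertificateFile` makes every proxied request fail with a 502, which is the safe failure mode but is worth testing before switching over; and unlike AJP, plain HTTP proxying does not carry the original client address natively, so the webapp will see the proxy's IP unless Tomcat is configured to trust the `X-Forwarded-For` header from this proxy (for instance with its RemoteIpValve).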
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.