It is used, for example, if you want to front Tomcat by Apache Web Server or by 
IIS (among others). In those cases the HTTP processing is done in the front 
system and if necessary it is proxied to Tomcat via AJP. You take the HTTP request 
from that system, put it in an AJP record and send it over TCP/IP to Tomcat's 
AJP connector.

Is it more clear now?

-----Original Message-----
From: Cheltenham, Chris [mailto:ccheltenham-...@philasd.org] 
Sent: Wednesday, February 28, 2018 6:40 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Security of AJP

Since AJP is not really needed by Tomcat, if I comment out the AJP startup line 
in server.xml, will that affect anything?

I still don’t even understand what it’s for.
I have read the apache docs but it doesn’t mean anything to me.
Apache's description doesn't tell me anything.


The AJP Connector element represents a Connector component that communicates 
with a web connector via the AJP protocol. This is used for cases where you 
wish to invisibly integrate Tomcat into an existing (or new) Apache 
installation, and you want Apache to handle the static content contained in the 
web application, and/or utilize Apache's SSL processing.

That is mumbo jumbo.


===========================

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-5025
Cell # 215-301-6571

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 27, 2018 4:26 PM
To: users@tomcat.apache.org
Subject: Re: Security of AJP

Mark,

On 2/27/18 3:54 PM, Mark A. Claassen wrote:
> From what I have read, it seems that the AJP connector is not secure, 
> and is meant to be used in a protective environment.
> There are lots of things that imply this, like no SSL settings and 
> such, but I cannot find it directly stated anywhere.  I am pretty 
> confident in my read of this, but it is, of course, difficult to say 
> that "all options have been explored and it is not possible".

AJP is definitely a cleartext protocol, and offers no encryption capabilities. 
If you want to secure it, you will have to use some tunneling technology such 
as a VPN, stunnel, etc.

> First of all, am I correct in my assertion that it cannot be made 
> secure?

Theoretically, it can be made to be secure, but it would require a great deal 
of work and honestly, it's probably not worth it. The protocol is mature and 
nobody really feels like retrofitting encryption into it.

> And, if so, I would invite you (or us, the community!) to consider 
> modifying the documentation to state this.  Maybe something like:
>
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html The AJP 
> Connector element represents a Connector component that communicates 
> with a web connector via the AJP protocol. [This is an unencrypted 
> connector, intended for use in protected environments.] This is used 
> for cases where you wish to invisibly integrate Tomcat into an 
> existing (or new) Apache installation, and you want Apache to handle 
> the static content contained in the web application, and/or utilize 
> Apache's SSL processing.

That seems reasonable. Care to provide a documentation patch? You'll get your 
name into the change log ;)

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
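
Added example, not part of the original thread: a minimal decoder for one AJP13 forward request, showing that the URI and headers the front end puts into the AJP record travel to Tomcat as readable bytes, even when the client connection used TLS. The field layout follows the published AJPv13 protocol description; the sample packet, host names and header values are constructed.

```python
import struct

# Constructed sample, not captured traffic: one AJP13 FORWARD_REQUEST as a
# front-end web server would send it to Tomcat's AJP connector.
def ajp_str(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"   # length, bytes, NUL

def build_sample():
    body = bytes([0x02, 0x02])                       # FORWARD_REQUEST, GET
    for s in ("HTTP/1.1", "/app/account", "203.0.113.7", "", "www.example.test"):
        body += ajp_str(s)
    body += struct.pack(">HBH", 443, 1, 2)           # port, is_ssl, 2 headers
    body += struct.pack(">H", 0xA00B) + ajp_str("www.example.test")  # host
    body += ajp_str("X-Api-Key") + ajp_str("constructed-secret")
    body += b"\xff"                                  # request terminator
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

CODED = {0xA005: "authorization", 0xA009: "cookie", 0xA00B: "host"}

def parse_forward_request(pkt):
    """Decode the fixed fields and headers of an AJP13 forward request."""
    if pkt[:2] != b"\x12\x34" or struct.unpack(">H", pkt[2:4])[0] != len(pkt) - 4:
        raise ValueError("not a complete AJP13 server-to-container packet")
    if pkt[4] != 0x02:
        raise ValueError("not a FORWARD_REQUEST")
    pos = 6                                          # skip prefix code + method
    def read_str():
        nonlocal pos
        (n,) = struct.unpack_from(">H", pkt, pos)
        pos += 2
        if n == 0xFFFF:                              # null string marker
            return None
        s = pkt[pos:pos + n].decode("latin-1")
        pos += n + 1                                 # skip trailing NUL
        return s
    fields = {k: read_str() for k in
              ("protocol", "uri", "remote_addr", "remote_host", "server_name")}
    fields["port"], fields["is_ssl"], count = struct.unpack_from(">HBH", pkt, pos)
    pos += 5
    headers = {}
    for _ in range(count):
        (code,) = struct.unpack_from(">H", pkt, pos)
        if code >> 8 == 0xA0:                        # well-known name, 2-byte code
            pos += 2
            name = CODED.get(code, hex(code))
        else:
            name = read_str()
        headers[name] = read_str()
    return fields, headers
```

The `is_ssl` flag only records that the client-facing connection used TLS; nothing in the record itself is encrypted, which is why the thread points to a VPN or stunnel for the hop between the front end and Tomcat.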
