-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Frank,
On 4/12/20 10:20, Frank Tornack wrote: > It is possible to replace AJP with normal HTTP or HTTPs. > > AJP has an advantage, it needs less bandwidth. Reference? > But it shouldn't make too much difference with today's computer > networks. If you need the bandwidth advantage, you can certainly > use the module ModSecurity for Apache HTTPD to protect your > application server. But an advanced solution would be to protect > AJP with the IPTables firewall. AJP is mostly used in conjunction > with HTTPD and if you only allow access to these, it should be > pretty secure. While a firewall (iptables) can be used to protect AJP, a much better solution would be mutually-authenticated stunnel. Even better, switch to mutually-authenticated https, which doesn't require a separate package to add the security layer. - -chris > Am Freitag, den 10.04.2020, 15:45 +0000 schrieb David Cleary: >> Some of our customers are currently using the AJP connector. >> Given the vulnerability and breaking change to address it, now >> may be a good time to prompt them look at alternatives. One >> requirement is HTTPS support. What are the alternatives when >> hosting Tomcat behind Apache httpd, nginx, or IIS? I do remember >> a presentation I thought was pretty good at Apachecon in Miami on >> connectors a few years ago. Has there been anything new that has >> come out since then? Are there any recommendations on what is >> best to replace AJP13? >> >> Thanks Dave > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl6VzwgACgkQHPApP6U8 pFhmJxAAjA+qafrBj6bAMkZz8E4X8wIE4jM2JjRiEiEPLahVX8uUb8xEpNJz7i78 1ncziwhYItfNwB+6jrp3rjEWXWLcsFOf0eTU207qORLkM8OahRV8X7hc8PUVs84c f2p3orGsqGVlL38I2CX8qILlgqJ0YalQXS5EEOOTGgojh6aB6xXe6qfeUgJJYi1Q Rx5w4rfYU1FrgAv+r2ZlpGb5x3zeUpBIEzZnXbmoB03L3Bhc1HW4lMN9zb6TIKC1 Q4CZ//J/sMzV9sJQmRrWlI0OiucNXUhkpkodzMLvMStNPyGLhC9mbxslILz2JznD FRUDJfRTaQoJyi2nz8+/qG1N+/y9/Nr0Y65mDkeYRqyP6vTWuikrresdLMwThlYE kIcqKp1plNs53WaIjIae13ByRbWgzcS1wPOmCImwcl9gpVG/A/Nvy5SDJMHAuLev kCZlAD/lGhdaMXzLIhLmxPht6u9vSOD93jHIkyI3+TyKHQRxItPKb9Cqumg46fsA zB0QRFy1xAsrAILh/JhQsaQ+/In5WoqoP9qnBFj6J6RShomdbECtwdDXjHx6KM00 k/WayVz7Uc7dM7uqq0HJ6yHF0ypRHRgBQ0GanIkF2yhAPd85LkQPNjbjp2LHKq7O FvnvRacR1oXDRSaR6vohx1LQD0+xaxsUx7dFKcI303K0Hv+su8c= =UKha -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org