Frank,
On 4/15/20 03:05, Frank Tornack wrote:
> Chris,
>
> On Tuesday, 14.04.2020, 10:56 -0400, Christopher Schultz wrote:
>> Frank,
>>
>> On 4/12/20 10:20, Frank Tornack wrote:
>>> It is possible to replace AJP with normal HTTP or HTTPS.
>>>
>>> AJP has an advantage, it needs less bandwidth.
>>
>> Reference?
> https://marc.info/?l=tomcat-user&m=123404294317780 I think AJP has
> less overhead.

Nothing in there suggests that AJP has less overhead. In fact, just the opposite:

"> So what does all that mean? I expect that neither mod_proxy_http, nor mod_proxy_ajp or mod_jk do differ very much in performance on modern hardware."

If you really want to reduce overhead, you need to use WebSocket. Guess what doesn't support WebSocket? AJP.

>>> But it shouldn't make too much difference with today's computer networks. If you need the bandwidth advantage, you can certainly use the module ModSecurity for Apache HTTPD to protect your application server. But an advanced solution would be to protect AJP with the IPTables firewall. AJP is mostly used in conjunction with HTTPD and if you only allow access to these, it should be pretty secure.
>>
>> While a firewall (iptables) can be used to protect AJP, a much better solution would be mutually-authenticated stunnel. Even better, switch to mutually-authenticated https, which doesn't require a separate package to add the security layer.
>
> why not both?

You can certainly use both, but if you use mutually-authenticated TLS, even an attacker on a trusted IP cannot attack you.

My suggestion is not that iptables offers no protection. It's that mutually-authenticated TLS offers you *much more* protection, whether you use a firewall or not.
-chris
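As an added illustration of the mutually-authenticated HTTPS connector Chris recommends in place of a firewalled AJP connector (this fragment is not from the thread or from the Tomcat project), a Tomcat 8.5/9 server.xml excerpt; the file names, passwords and ports are placeholders to be replaced with your own.

```xml
<!-- Added example, not from the thread. Tomcat 8.5/9 server.xml fragment:
     the AJP connector is replaced by an HTTPS connector that only completes
     the TLS handshake for clients presenting a certificate issued by a CA in
     the truststore. Paths, passwords and ports are placeholders. -->

<!-- Before: plain AJP. Anything that can reach port 8009 (whatever iptables
     lets through, or a host that already sits on a trusted IP) can talk to it. -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- After: HTTPS with certificateVerification="required". The truststore
     holds only the CA that issued the reverse proxy's client certificate, so
     a caller on a trusted IP without that private key is rejected during the
     handshake, before any request bytes are processed. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                 certificateVerification="required"
                 truststoreFile="conf/proxy-ca.p12"
                 truststoreType="PKCS12"
                 truststorePassword="CHANGEME-truststore">
    <!-- Tomcat's own server certificate, which the proxy verifies in turn. -->
    <Certificate certificateKeystoreFile="conf/tomcat.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="CHANGEME-keystore"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

On the httpd side, mod_proxy_http is then pointed at `https://tomcat-host:8443/` with `SSLProxyEngine On` and `SSLProxyMachineCertificateFile` supplying httpd's client certificate and key, while `SSLProxyCACertificateFile` plus `SSLProxyVerify require` make httpd verify Tomcat's certificate as well, so both directions are authenticated.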