> -----Original Message----- > From: Brian Eller <bel...@guidehousefederal.com> > Sent: Thursday, May 19, 2022 9:29 AM > To: Tomcat Users List <users@tomcat.apache.org> > Subject: RE: Encryption of Tomcat AJP > > TRADING PARTNER > > Thank you Mark, > > My vendor supports AJP but, I don't know if they support > mod_http_proxy. This is a embedded version of Tomcat 8.5 that is tightly > coupled with the vendor's software and is an installed subcomponent from > the vendor. > > > Brian Eller | Senior System Administrator bel...@guidehouse.com > > Ace Info Solutions (AceInfo), a Guidehouse company | aceinfosolutions.com > 1200 South College Avenue, Suite 210 | Fort Collins, CO 80524 AceInfo is now > a Guidehouse company > > -----Original Message----- > From: Mark H. Wood <mw...@iupui.edu> > Sent: Thursday, May 19, 2022 6:12 AM > To: users@tomcat.apache.org > Subject: Re: Encryption of Tomcat AJP > > On Thu, May 19, 2022 at 07:09:59AM +0000, Hiran CHAUDHURI wrote: > > CONFIDENTIAL & RESTRICTED > > > > From: Mark Thomas <ma...@apache.org> > > Subject: Re: Encryption of Tomcat AJP > > > > >On 19/05/2022 01:32, Brian Eller wrote: > > >> TRADING PARTNER > > >> > > >> Hello, > > >> > > >> I am working on a Tomcat install embedded inside a > > >> vendor > product that uses Apache to pass traffic to Tomcat. My cyber security group > is asking if we can encrypt all connections. Does the mod_jk protocol, AJP > can be encrypted? > > > > > >No, AJP does not support encryption. > > > > > >If you want to encrypt traffic between the reverse proxy and the > embedded Tomcat instance I'd recommend using mod_proxy_http and > proxy everything over HTTPS. This requires a little more configuration to get > things working. > > > > > >The main thing to keep in mind is to make sure that the Tomcat instance > correctly identifies whether the client connection to the reverse proxy was > over HTTP or HTTPS. > > > > > >Mark > > > > I totally agree this is an existing and sufficient mechanism already > > available. > And I see it popping up in more and more locations. > > But as you point out there are some caveats that potentially open security > risks. On the contrary AJP - maybe because it cannot be configured with > encryption - looks simple and straightforward. > > > > Would it make sense to create a solution with less caveats and up to date > security requirements? > > If the OP's cyber security group insists, then maybe they would care to give > him their requirements and suggestions for setting up IPSEC. > > -- > Mark H. Wood > Lead Technology Analyst > > University Library > Indiana University - Purdue University Indianapolis > 755 W. Michigan Street > Indianapolis, IN 46202 > 317-274-0749 > https://urldefense.com/v3/__http://www.ulib.iupui.edu__;!!F9svGWnIaVP > GSwU!q7KubMJTlR76KeDOI97BQ9UwOqJiOdAl69CeN765EKZdJBB5Jqsu_D53 > SFMWtnXIeAMsiXm73xEklczYayDsQr_ecXcqi48$ > NOTICE: This communication is from Guidehouse Inc. or one of its > subsidiaries. The details of the sender are listed above. This email, > including > any attachments, is meant only for the intended recipient of the > transmission and may contain confidential and/or privileged material. If you > received this email in error, any review, distribution, dissemination or other > use of this information is strictly prohibited. Please notify the sender > immediately by return email and delete the messages from your systems. In > addition, this communication is subject to, and incorporates by reference, > additional disclaimers found in the “Disclaimers” section at > https://urldefense.com/v3/__http://www.guidehouse.com__;!!F9svGWnIa > VPGSwU!q7KubMJTlR76KeDOI97BQ9UwOqJiOdAl69CeN765EKZdJBB5Jqsu_D > 53SFMWtnXIeAMsiXm73xEklczYayDsQr_eQxkSDm4$ . > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
Another thing to consider. If your Apache HTTPD server, or even IIS web server, are co-hosted on the same server, setup the AJP to listen and communicate on localhost (127.0.0.1) and you shouldn't have to even think about encryption at that point. Another possibility would be to port the traffic over a secure VPN between the servers, but that may be a costly alternative. Otherwise, I agree with Mark and go with MOD-PROXY over HTTPS. Just my .02 worth. Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
