> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
> Sent: Wednesday, February 23, 2011 10:38
> To: Tomcat Users List
> Subject: Re: Secure AJP over ssl
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Mark,
> 
> On 2/23/2011 10:36 AM, Mark Thomas wrote:
> > On 23/02/2011 15:32, Christopher Schultz wrote:
> >> Mladen,
> >>
> >> On 2/23/2011 3:00 AM, Mladen Turk wrote:
> >>> What do you think happens when encrypted data from client comes in
> >>> and is encrypted again and sent to the client?
> >>> It's unencrypted in the memory and anyone with access to the box can
> >>> just inspect the content of the httpd process in the same way it can
> >>> read the data on the socket.
> >>> So since persons which are authorized to login to the Apache and
> >>> Tomcat box have the option to view the data, your entire security is
> >>> still human based.
> >>
> >> I think he's talking about network sniffing (like another node on the
> >> network operating in promiscuous mode), not an untrusted box administrator.
> >>
> >>> That's why I see no point of encrypting the data transfer between
> >>> those boxes cause you can just as well make sure the proper persons
> >>> have the network access.
> >>
> >> I certainly agree with this.
> >>
> >> Anyhow, to answer the OP's question, there are really three options:
> >>
> >> 1. SSH tunnel

I think I am going to use stunnel in xinetd.

> >>
> >> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
> >>    necessary while ssh generally won't).
> >>
> >> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
> >>    indicated settings.

I am glad to have this cleared up.

> >>
> >> These options are roughly in order of performance from best to worst:
> >> setting up an HTTPS connection is expensive and I'm not entirely sure
> >> how mod_proxy_http does connections, but I suspect it creates and
> >> tears-down for each request (i.e. no keepalives, or at least limited ones).
> >>
> >> Encrypted VPNs are simply more complicated than an SSH tunnel and
> >> require slightly more overhead. An SSH tunnel is dead simple and only
> >> negotiates a symmetric key once at connect time (okay, and then
> >> re-negotiates at intervals) but lacks the robustness of a VPN.
> > 
> > I disagree with that assessment. mod_proxy_http is by far the simplest
> > way to go and it does use keep-alive.
> 
> Good to know that mod_proxy_http uses keepalive. I was 
> recommending the others since the OP seems wedded to AJP. 
> Also, if there is any other traffic to encrypt (JDBC, etc.) 
> the VPN would handle that, too.

It is not that I am wedded to any particular implementation, it is just that each
change requires board approval.

A change for reconfiguring the enabled modules in apache. [we can skip this if
we stay with mod_proxy_ajp, as it was already approved]
A change for opening up a port on the apache box

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
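As an added illustration of the stunnel approach Jason settles on (this is not configuration from the thread or from either poster): one stunnel instance on the httpd box terminates the loopback AJP port that mod_proxy_ajp already points at, and one on the Tomcat box accepts only TLS from peers holding a certificate from a private CA, so the plaintext AJP socket never leaves localhost on either side. Daemon mode is shown rather than the xinetd mode Jason mentions, and every hostname, port 8010, file path and the `stunnel` user are assumptions.

```ini
; ---- httpd box: /etc/stunnel/ajp-client.conf (assumed path) ----
; httpd keeps "ProxyPass / ajp://127.0.0.1:8009/", so the already-approved
; mod_proxy_ajp setup is unchanged; loopback 8009 is now a TLS client.
; Comments sit on their own lines because stunnel's parser expects that.
cert    = /etc/stunnel/httpd-box.pem
; private CA that signed both boxes' certificates (assumed path)
CAfile  = /etc/stunnel/internal-ca.pem
; level 2: the peer must present a certificate and it must chain to CAfile,
; otherwise an impostor "Tomcat" on the network would be accepted silently
verify  = 2
client  = yes
options = NO_SSLv2
setuid  = stunnel
setgid  = stunnel
pid     = /var/run/stunnel-ajp.pid

[ajp]
; loopback only: nothing off-box can reach the plaintext side of the tunnel
accept  = 127.0.0.1:8009
; TLS listener on the Tomcat box (assumed hostname and port)
connect = tomcat.internal.example:8010

; ---- Tomcat box: /etc/stunnel/ajp-server.conf (assumed path) ----
; Tomcat's AJP connector is bound to loopback in server.xml
; (address="127.0.0.1"), so the only network path to 8009 is this listener.
cert    = /etc/stunnel/tomcat-box.pem
CAfile  = /etc/stunnel/internal-ca.pem
; level 2 on the server side makes the client certificate mandatory, so a
; sniffing or rogue host on the segment cannot even open the tunnel
verify  = 2
options = NO_SSLv2
setuid  = stunnel
setgid  = stunnel
pid     = /var/run/stunnel-ajp.pid

[ajp]
; the single new port that has to be allowed through the firewall
accept  = 8010
connect = 127.0.0.1:8009
```

With both ends in place, a packet capture between the boxes shows only the TLS session, and a check that nothing else listens on 0.0.0.0:8009 on either host confirms the plaintext socket is loopback-only.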