How do ensure that Apache AJP to Tomcat connection is secure/encrypted?

About

Asked 17/9, 2012 at 13:37 Answered 17/9, 2012 at 21:56

We want to front-end our Tomcat instance with an Apache instance (running on the same machine) that will be serving everything on HTTPS and connect Apache to Tomcat using AJP. When using AJP, do we need to do anything to make sure that the connection between Apache and Tomcat is secure? (We dont want passwords to be sniffable on the network between Apache and Tomcat). The O/S is Red Hat Enterprise Linux 6.3

Omphalos answered 17/9, 2012 at 13:37 Comment(0)

You are saying

Tomcat instance with an Apache instance (running on the same machine)

and later you are saying

We dont want passwords to be sniffable on the network between Apache and Tomcat

This just contradicts each other.

EDIT: AJP is not designed to be secure, if you need security, use mod_proxy_http and proxy over https, or create SSH tunnel. Needless to say, you will have to pay for this overhead.

Abelabelard answered 17/9, 2012 at 13:45 Comment(1)

Well, therein lies the question-- is the tech that enables Apache to Tomcast communications going to go back through the network at all. There are ways you could configure a web server to go back through the network even if what its connecting to in the back-end is on the same machine. – Omphalos 17/9, 2012 at 17:10

When using AJP you cannot do anything to ensure it is secure. It isn't. There is no SSL version. You would have to use HTTPS. AJP is designed for the usual case where HTTPD and Tomcat are in the same private LAN and security isn't an issue.

Selfrenunciation answered 17/9, 2012 at 21:56 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags