We want to front-end our Tomcat instance with an Apache instance (running on the same machine) that will be serving everything on HTTPS and connect Apache to Tomcat using AJP. When using AJP, do we need to do anything to make sure that the connection between Apache and Tomcat is secure? (We don't want passwords to be sniffable on the network between Apache and Tomcat.) The O/S is Red Hat Enterprise Linux 6.3.
The Apache JServ Protocol v1.3 (AJP13) is binary for performance reasons, but it is not encrypted.
Resolution. This is a configuration issue with the AJP protocol in Tomcat/Undertow. AJP is a highly trusted protocol and should never be exposed to untrusted clients. It is insecure (clear text transmission) and assumes that your network is safe.
Apache JServ Protocol, or AJP, is an optimized binary version of HTTP that is typically used to allow Tomcat to communicate with an Apache web server.
The SecurityManager is normally controlled by a file called "java.policy," which is distributed with the SDK. Tomcat uses the file $CATALINA_BASE/conf/catalina.policy in place of this file.
You are saying
Tomcat instance with an Apache instance (running on the same machine)
and later you are saying
We don't want passwords to be sniffable on the network between Apache and Tomcat
These two statements contradict each other.
EDIT: AJP is not designed to be secure. If you need security, use mod_proxy_http
and proxy over https, or create an SSH tunnel. Needless to say, you will have to pay for this overhead.
When using AJP you cannot do anything to ensure it is secure. It isn't. There is no SSL version. You would have to use HTTPS. AJP is designed for the usual case where HTTPD and Tomcat are in the same private LAN and security isn't an issue.
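The mod_proxy_http-over-HTTPS alternative that both answers point to, as an added configuration example (not from the original answers or the httpd/Tomcat projects): an httpd 2.2 vhost on the same RHEL 6 box that terminates TLS for browsers and forwards to Tomcat over HTTPS instead of AJP. Hostnames, ports, certificate paths and the CA file are assumptions.

```apache
# Added example, not from the original page. Assumes: Tomcat's HTTPS
# connector listens on localhost:8443 with a certificate whose CN is
# "localhost", issued by the CA in /etc/pki/tls/certs/tomcat-ca.crt;
# httpd 2.2 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.

# --- Weak: the AJP hop carries every request, form passwords included,
# in clear text between httpd and Tomcat.
#   ProxyPass        /app/ ajp://localhost:8009/app/
#   ProxyPassReverse /app/ ajp://localhost:8009/app/

# --- Corrected: proxy over HTTPS and verify Tomcat's certificate.
<VirtualHost *:443>
    ServerName www.example.com

    # TLS toward the browsers
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # TLS toward Tomcat: httpd acts as an HTTPS client for mod_proxy_http
    SSLProxyEngine on
    SSLProxyVerify require                     # reject Tomcat certs not signed by the CA below
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/tomcat-ca.crt
    SSLProxyCheckPeerCN on                     # cert CN must match the host in the ProxyPass URL

    ProxyRequests Off                          # reverse proxy only, never an open forward proxy
    ProxyPass        /app/ https://localhost:8443/app/
    ProxyPassReverse /app/ https://localhost:8443/app/

    # Tomcat sees an HTTPS hop from httpd; also pass on the client's scheme
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

This assumes the matching HTTPS Connector on port 8443 is enabled in Tomcat's server.xml; once nothing uses AJP, the Connector on 8009 can be commented out so no clear-text listener remains.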