Secure AJP over ssl


Secure AJP over ssl

Jason Pyeron
Does (or could) tomcat 5.5 support encrypted AJP? The frontend apache will be on
a different host than the tomcat server. It is required that the communications
are encrypted.

Would I be best off using stunnel?

My googling has led me astray to
http://download.oracle.com/docs/cd/E13789_01/bh.100/e13791/ajp.htm 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.




---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Secure AJP over ssl

Mark Thomas-2
On 21/02/2011 21:31, Jason Pyeron wrote:
> Does (or could) tomcat 5.5 support encrypted AJP?

No.

> Would I be best off using stunnel?

Also, no.

Use mod_proxy_http and proxy over https.

Mark





RE: Secure AJP over ssl

Jason Pyeron
> -----Original Message-----
> From: Mark Thomas
> Sent: Monday, February 21, 2011 17:15
> To: Tomcat Users List
> Subject: Re: Secure AJP over ssl
>
> On 21/02/2011 21:31, Jason Pyeron wrote:
> > Does (or could) tomcat 5.5 support encrypted AJP?
>
> No.
>
> > Would I be best off using stunnel?
>
> Also, no.
>
> Use mod_proxy_http and proxy over https.

Then we would lose the is_secure handling of AJP, as well as the client
certificates of the web application clients. That is the purpose of
mod_proxy_ajp, among others.




Re: Secure AJP over ssl

Mark Thomas-2
On 21/02/2011 22:19, Jason Pyeron wrote:

>> -----Original Message-----
>> From: Mark Thomas
>> Sent: Monday, February 21, 2011 17:15
>> To: Tomcat Users List
>> Subject: Re: Secure AJP over ssl
>>
>> On 21/02/2011 21:31, Jason Pyeron wrote:
>>> Does (or could) tomcat 5.5 support encrypted AJP?
>>
>> No.
>>
>>> Would I be best off using stunnel?
>>
>> Also, no.
>>
>> Use mod_proxy_http and proxy over https.
>
> Then we would lose the is_secure handling of AJP, as well as the client
> certificates of the web application clients. That is the purpose of
> mod_proxy_ajp, among others.

No you wouldn't. That all works (with a little more configuration) with
mod_proxy_http.

Mark




RE: Secure AJP over ssl

Jason Pyeron
 

> -----Original Message-----
> From: Mark Thomas [mailto:[hidden email]]
> Sent: Monday, February 21, 2011 17:26
> To: Tomcat Users List
> Subject: Re: Secure AJP over ssl
>
> On 21/02/2011 22:19, Jason Pyeron wrote:
> >> -----Original Message-----
> >> From: Mark Thomas
> >> Sent: Monday, February 21, 2011 17:15
> >> To: Tomcat Users List
> >> Subject: Re: Secure AJP over ssl
> >>
> >> On 21/02/2011 21:31, Jason Pyeron wrote:
> >>> Does (or could) tomcat 5.5 support encrypted AJP?
> >>
> >> No.
> >>
> >>> Would I be best off using stunnel?
> >>
> >> Also, no.
> >>
> >> Use mod_proxy_http and proxy over https.
> >
> > Then we would lose the is_secure handling of AJP, as well as the
> > client certificates of the web application clients. That is the
> > purpose of mod_proxy_ajp, among others.
>
> No you wouldn't. That all works (with a little more
> configuration) with mod_proxy_http.
>

Where are the docs for certificate chaining with mod_proxy? I have not found
any.


Re: Secure AJP over ssl

Mark Thomas-2
On 21/02/2011 22:28, Jason Pyeron wrote:
> Where are the docs for certificate chaining with mod_proxy? I have not found
> any.

Unhelpfully, the comments in the relevant class aren't in Javadoc
format. Grr. That will be fixed shortly.

In the meantime, add the following to your SSL virtual host in httpd:
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

And add the SSLValve to the Engine element in server.xml.

Mark
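The setup Mark describes, as an added example that is not from the thread: an httpd SSL virtual host that re-encrypts to Tomcat's HTTPS connector with mod_proxy_http and hands the browser's TLS details to the SSLValve through the RequestHeader lines above. Host names, ports, certificate paths and the httpd 2.2 syntax are assumptions; because the SSLValve trusts these headers, the Tomcat connector must be reachable only from the httpd host.

```apache
# Added example (not from the thread). httpd terminates the browser's TLS,
# authenticates the browser's client certificate, and proxies to Tomcat
# over https with mod_proxy_http. All names and paths are assumed values.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Client certificate authentication of the web application's users.
    # With "optional" instead of "require", mod_headers sends the literal
    # string "(null)" when no certificate was presented; the SSLValve
    # treats that value as "no certificate".
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Forward the browser's TLS details to Tomcat's SSLValve. "set"
    # replaces any header of the same name the browser sent, so a client
    # cannot supply its own SSL_CLIENT_CERT through this proxy.
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
    RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
    RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

    # Re-encrypt on the way to Tomcat and verify Tomcat's certificate
    # against the CA that issued it, rather than accepting any certificate.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/httpd/ssl/tomcat-ca.crt
    SSLProxyVerify require
    # httpd 2.4.5 and later can also check the host name in the certificate:
    # SSLProxyCheckPeerName on

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / https://tomcat.internal.example.com:8443/
    ProxyPassReverse / https://tomcat.internal.example.com:8443/
</VirtualHost>
```

On the Tomcat side the request is already secure because the standard HTTPS connector on 8443 is configured with scheme="https" secure="true"; the valve only restores the browser's certificate, cipher and session attributes.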




Re: Secure AJP over ssl

mturk
In reply to this post by Jason Pyeron
On 02/21/2011 10:31 PM, Jason Pyeron wrote:
> Does (or could) tomcat 5.5 support encrypted AJP? The frontend apache will be on
> a different host than the tomcat server. It is required that the communications
> are encrypted.
>

I would suggest you reconsider your security requirements.
Unless your frontend and backend are on different continents,
the best way to fight wire tapping (the only reason why you would
secure the communication in the first place) is much better
done by securing your infrastructure.


Regards
--
^TM


RE: Secure AJP over ssl

Jason Pyeron
> -----Original Message-----
> From: Mladen Turk [mailto:[hidden email]]
> Sent: Tuesday, February 22, 2011 1:20
> To: [hidden email]
> Subject: Re: Secure AJP over ssl
>
> On 02/21/2011 10:31 PM, Jason Pyeron wrote:
> > Does (or could) tomcat 5.5 support encrypted AJP? The
> frontend apache
> > will be on a different host than the tomcat server. It is required
> > that the communications are encrypted.
> >
>
> I would suggest you reconsider your security requirements.

Cordially, no.

> Unless your frontend and backend are on different continents,
> the best way to fight wire tapping (the only reason why you would

Yes. You hit the nail on the head, besides being required by law.

> secure the communication in the first place) is much better
> done by securing your infrastructure.

That is a naive view. [Please forgive the wording.]

Given:

1) The Apache box is secure and login is restricted to the minimum set of
persons with a need to know.
2) The Tomcat box is secure and login is restricted to the minimum set of
persons with a need to know.

There is no reason to allow the set of persons capable (and sometimes
authorized) to inspect the data on a network (network operations) to be able to
inspect the unsecured contents of the data stream. That would be a breach of
security and law.

-Jason


Re: Secure AJP over ssl

mturk
On 02/22/2011 11:23 PM, Jason Pyeron wrote:
>> -----Original Message-----
>
> That is a naive view. [Please forgive the wording.]
>

None taken.

> Given:
>
> 1) The Apache box is secure and login is restricted to the minimum set of
> persons with a need to know.
> 2) The Tomcat box is secure and login is restricted to the minimum set of
> persons with a need to know.
>
> There is no reason to allow the set of persons capable (and sometimes
> authorized) to inspect the data on a network (network operations) to be able to
> inspect the unsecured contents of the data stream. That would be a breach of
> security and law.
>

I was just waiting for you to mention that :)
What do you think happens when encrypted data from the client comes in and
is encrypted again and sent to the client?
It's unencrypted in memory and anyone with access to the box
can just inspect the content of the httpd process in the same way
they can read the data on the socket.
So since persons who are authorized to log in to the Apache and Tomcat
box have the option to view the data, your entire security is still
human based. That's why I see no point in encrypting the data transfer
between those boxes, because you can just as well make sure the proper
persons have the network access.

However, I can live with the 'law' reason, but that doesn't mean it's
secure just because the 'law' says it is.


Cheers
--
^TM


Re: Secure AJP over ssl

Christopher Schultz-2

Mladen,

On 2/23/2011 3:00 AM, Mladen Turk wrote:
> What do you think happens when encrypted data from the client comes in and
> is encrypted again and sent to the client?
> It's unencrypted in memory and anyone with access to the box
> can just inspect the content of the httpd process in the same way
> they can read the data on the socket.
> So since persons who are authorized to log in to the Apache and Tomcat
> box have the option to view the data, your entire security is still
> human based.

I think he's talking about network sniffing (like another node on the
network operating in promiscuous mode), not an untrusted box administrator.

> That's why I see no point in encrypting the data transfer
> between those boxes, because you can just as well make sure the proper
> persons have the network access.

I certainly agree with this.

Anyhow, to answer the OP's question, there are really three options:

1. SSH tunnel

2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
   necessary while ssh generally won't).

3. Switch to mod_proxy_http and use an https:// URL with Mark's
   indicated settings.

These options are roughly in order of performance from best to worst:
setting up an HTTPS connection is expensive and I'm not entirely sure
how mod_proxy_http does connections, but I suspect it creates and
tears down for each request (i.e. no keepalives, or at least limited ones).

Encrypted VPNs are simply more complicated than an SSH tunnel and
require slightly more overhead. An SSH tunnel is dead simple and only
negotiates a symmetric key once at connect time (okay, and then
re-negotiates at intervals) but lacks the robustness of a VPN.

-chris

Re: Secure AJP over ssl

Mark Thomas-2
On 23/02/2011 15:32, Christopher Schultz wrote:

> Mladen,
>
> On 2/23/2011 3:00 AM, Mladen Turk wrote:
>> What do you think happens when encrypted data from the client comes in and
>> is encrypted again and sent to the client?
>> It's unencrypted in memory and anyone with access to the box
>> can just inspect the content of the httpd process in the same way
>> they can read the data on the socket.
>> So since persons who are authorized to log in to the Apache and Tomcat
>> box have the option to view the data, your entire security is still
>> human based.
>
> I think he's talking about network sniffing (like another node on the
> network operating in promiscuous mode), not an untrusted box administrator.
>
>> That's why I see no point in encrypting the data transfer
>> between those boxes, because you can just as well make sure the proper
>> persons have the network access.
>
> I certainly agree with this.
>
> Anyhow, to answer the OP's question, there are really three options:
>
> 1. SSH tunnel
>
> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
>    necessary while ssh generally won't).
>
> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
>    indicated settings.
>
> These options are roughly in order of performance from best to worst:
> setting up an HTTPS connection is expensive and I'm not entirely sure
> how mod_proxy_http does connections, but I suspect it creates and
> tears down for each request (i.e. no keepalives, or at least limited ones).
>
> Encrypted VPNs are simply more complicated than an SSH tunnel and
> require slightly more overhead. An SSH tunnel is dead simple and only
> negotiates a symmetric key once at connect time (okay, and then
> re-negotiates at intervals) but lacks the robustness of a VPN.

I disagree with that assessment. mod_proxy_http is by far the simplest
way to go and it does use keep-alive.

Mark


Re: Secure AJP over ssl

Christopher Schultz-2

Mark,

On 2/23/2011 10:36 AM, Mark Thomas wrote:

> On 23/02/2011 15:32, Christopher Schultz wrote:
>> Mladen,
>>
>> On 2/23/2011 3:00 AM, Mladen Turk wrote:
>>> What do you think happens when encrypted data from the client comes in and
>>> is encrypted again and sent to the client?
>>> It's unencrypted in memory and anyone with access to the box
>>> can just inspect the content of the httpd process in the same way
>>> they can read the data on the socket.
>>> So since persons who are authorized to log in to the Apache and Tomcat
>>> box have the option to view the data, your entire security is still
>>> human based.
>>
>> I think he's talking about network sniffing (like another node on the
>> network operating in promiscuous mode), not an untrusted box administrator.
>>
>>> That's why I see no point in encrypting the data transfer
>>> between those boxes, because you can just as well make sure the proper
>>> persons have the network access.
>>
>> I certainly agree with this.
>>
>> Anyhow, to answer the OP's question, there are really three options:
>>
>> 1. SSH tunnel
>>
>> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
>>    necessary while ssh generally won't).
>>
>> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
>>    indicated settings.
>>
>> These options are roughly in order of performance from best to worst:
>> setting up an HTTPS connection is expensive and I'm not entirely sure
>> how mod_proxy_http does connections, but I suspect it creates and
>> tears down for each request (i.e. no keepalives, or at least limited ones).
>>
>> Encrypted VPNs are simply more complicated than an SSH tunnel and
>> require slightly more overhead. An SSH tunnel is dead simple and only
>> negotiates a symmetric key once at connect time (okay, and then
>> re-negotiates at intervals) but lacks the robustness of a VPN.
>
> I disagree with that assessment. mod_proxy_http is by far the simplest
> way to go and it does use keep-alive.

Good to know that mod_proxy_http uses keepalive. I was recommending the
others since the OP seems wedded to AJP. Also, if there is any other
traffic to encrypt (JDBC, etc.) the VPN would handle that, too.

-chris

RE: Secure AJP over ssl

Jason Pyeron
In reply to this post by mturk

> -----Original Message-----
> From: Mladen Turk [mailto:[hidden email]]
> Sent: Wednesday, February 23, 2011 3:01
> To: [hidden email]
> Subject: Re: Secure AJP over ssl
>
> On 02/22/2011 11:23 PM, Jason Pyeron wrote:
> >> -----Original Message-----
> >
> > That is a naive view. [Please forgive the wording.]
> >
>
> None taken.
>
> > Given:
> >
> > 1) The Apache box is secure and login is restricted to the
> minimum set
> > of persons with a need to know.
> > 2) The Tomcat box is secure and login is restricted to the
> minimum set
> > of persons with a need to know.
> >
> > There is no reason to allow the set of persons capable (and
> sometimes
> > authorized) to inspect the data on a network (network
> operations) to
> > be able to inspect the unsecured contents of the data stream. That
> > would be a breach of security and law.
> >
>
> I was just waiting for you to mention that :)
> What do you think happens when encrypted data from the client
> comes in and is encrypted again and sent to the client?
> It's unencrypted in memory and anyone with access to the
> box can just inspect the content of the httpd process in the
> same way they can read the data on the socket.
> So since persons who are authorized to log in to the Apache
> and Tomcat box have the option to view the data, your entire
> security is still human based. That's why I see no point in

Yes, the list includes 4 people.

> encrypting the data transfer between those boxes, because you
> can just as well make sure the proper persons have the network access.
>

That list includes 78 people.

> However, I can live with the 'law' reason, but that doesn't
> mean it's secure just because the 'law' says it is.

I see it as: there is no excuse not to encrypt it when it crosses security domain
boundaries.




RE: Secure AJP over ssl

Jason Pyeron
In reply to this post by Christopher Schultz-2

> -----Original Message-----
> From: Christopher Schultz [mailto:[hidden email]]
> Sent: Wednesday, February 23, 2011 10:38
> To: Tomcat Users List
> Subject: Re: Secure AJP over ssl
>
> Mark,
>
> On 2/23/2011 10:36 AM, Mark Thomas wrote:
> > On 23/02/2011 15:32, Christopher Schultz wrote:
> >> Mladen,
> >>
> >> On 2/23/2011 3:00 AM, Mladen Turk wrote:
> >>> What do you think happens when encrypted data from the client
> comes in
> >>> and is encrypted again and sent to the client?
> >>> It's unencrypted in memory and anyone with access to
> the box can
> >>> just inspect the content of the httpd process in the same
> way they can
> >>> read the data on the socket.
> >>> So since persons who are authorized to log in to the Apache and
> >>> Tomcat box have the option to view the data, your entire
> security is
> >>> still human based.
> >>
> >> I think he's talking about network sniffing (like another
> node on the
> >> network operating in promiscuous mode), not an untrusted
> box administrator.
> >>
> >>> That's why I see no point in encrypting the data transfer between
> >>> those boxes, because you can just as well make sure the
> proper persons
> >>> have the network access.
> >>
> >> I certainly agree with this.
> >>
> >> Anyhow, to answer the OP's question, there are really
> three options:
> >>
> >> 1. SSH tunnel

I think I am going to use stunnel in xinetd.

> >>
> >> 2. Encrypted VPN (OpenVPN is quite good and will auto-reconnect if
> >>    necessary while ssh generally won't).
> >>
> >> 3. Switch to mod_proxy_http and use an https:// URL with Mark's
> >>    indicated settings.

I am glad to have this cleared up.

> >>
> >> These options are roughly in order of performance from
> best to worst:
> >> setting up an HTTPS connection is expensive and I'm not
> entirely sure
> >> how mod_proxy_http does connections, but I suspect it creates and
> >> tears down for each request (i.e. no keepalives, or at
> least limited ones).
> >>
> >> Encrypted VPNs are simply more complicated than an SSH tunnel and
> >> require slightly more overhead. An SSH tunnel is dead
> simple and only
> >> negotiates a symmetric key once at connect time (okay, and then
> >> re-negotiates at intervals) but lacks the robustness of a VPN.
> >
> > I disagree with that assessment. mod_proxy_http is by far
> the simplest
> > way to go and it does use keep-alive.
>
> Good to know that mod_proxy_http uses keepalive. I was
> recommending the others since the OP seems wedded to AJP.
> Also, if there is any other traffic to encrypt (JDBC, etc.)
> the VPN would handle that, too.

It is not that I am wedded to any particular implementation, it is just that each
change requires board approval.

A change for reconfiguring the enabled modules in apache. [we can skip this if
we stay with mod_proxy_ajp, as it was already approved]
A change for opening up a port on the apache box









Re: Secure AJP over ssl

mturk
In reply to this post by Jason Pyeron
On 02/23/2011 07:28 PM, Jason Pyeron wrote:
>
>
>> encrypting the data transfer between those boxes, because you
>> can just as well make sure the proper persons have the network access.
>>
>
> That list includes 78 people.
>

You mean 78 people monitor your network for trouble or
you have your production servers in the same network
segment as your local intranet?

Cannot tell which one is worse :)


Regards
--
^TM


Re: Secure AJP over ssl

André Warnier
In reply to this post by Jason Pyeron
...
>
> It is not that I am wedded to any particular implementation, it is just that each
> change requires board approval.
>
> A change for reconfiguring the enabled modules in apache. [we can skip this if
> we stay with mod_proxy_ajp, as it was already approved]
> A change for opening up a port on the apache box
>

Personally, in such a case I would see the solution with an SSH or VPN tunnel as much
simpler to put in place, and requiring much less "opening of ports".

You have 2 machines: A running httpd, B running Tomcat.
On machine A, you have a mod_jk setup which says something like

worker.worker1.host=machineB.mydomain.com
worker.worker1.port=8009

So let's say you change this to

worker.worker1.host=localhost
worker.worker1.port=8009

and you set up an SSH or VPN tunnel on localhost, listening on port 8009 and accepting
connections only from localhost. This tunnel connects to machine B, where the receiving
end forwards the data to localhost:8009 on B.

On machine A, you have not opened an additional port (at least not one accessible from
outside of machine A).
On machine B, in all likelihood the SSH port is already open (and if not, you could have
it listen on an arbitrary port, but accepting connections only from machine A).

All the changes are transparent to Apache (apart from the above 1 line) and to Tomcat
(entirely).
And you save yourself the hassle of setting up mod_proxy_http on Apache, and an HTTPS
Connector on Tomcat, with all the baggage attached to it.
And you may save yourself changes in your authentication setup, since it will continue to
use AJP and pass the user credentials as it does right now.


Re: Secure AJP over ssl

André Warnier
In reply to this post by mturk
Mladen Turk wrote:

> On 02/23/2011 07:28 PM, Jason Pyeron wrote:
>>
>>
>>> encrypting the data transfer between those boxes, because you
>>> can just as well make sure the proper persons have the network access.
>>>
>>
>> That list includes 78 people.
>>
>
> You mean 78 people monitor your network for trouble
...
I don't see what is so surprising there.
We are 3 developers in my company, and whenever we want to install a piece of software at
some of our customers, that is just about the number of people we have to deal with.
;-)


Re: Secure AJP over ssl

Christopher Schultz-2
In reply to this post by André Warnier

André,

On 2/23/2011 2:56 PM, André Warnier wrote:
> Personally, in such a case I would see the solution with an SSH or VPN
> tunnel as much simpler to put in place, and requiring much less "opening
> of ports".

There's nothing that says that port 8009 has to be used for AJP: you can
use HTTPS over port 8009 just as well. So, the congressional approval
necessary will only need to cover the switch from mod_proxy_ajp to
mod_proxy_http.

I would think you'd have to get approval for any of these actions... why
not just pick the one that makes the most sense and request permission
to do that?

-chris

Re: Secure AJP over ssl

André Warnier
Christopher Schultz wrote:

> André,
>
> On 2/23/2011 2:56 PM, André Warnier wrote:
>> Personally, in such a case I would see the solution with an SSH or VPN
>> tunnel as much simpler to put in place, and requiring much less "opening
>> of ports".
>
> There's nothing that says that port 8009 has to be used for AJP: you can
> use HTTPS over port 8009 just as well. So, the congressional approval
> necessary will only need to cover the switch from mod_proxy_ajp to
> mod_proxy_http.
>
> I would think you'd have to get approval for any of these actions... why
> not just pick the one that makes the most sense and request permission
> to do that?
>

My mistake.  I thought, incorrectly, that the OP was using mod_jk as a connector right
now, and the tunnel solution then looked simpler with respect to the (lack of)
configuration changes required in that case.
But if he is using mod_proxy_ajp now, then the situation is reversed.



Re: Secure AJP over ssl

funkman
In reply to this post by mturk
Or it could be in the world of outsourcing you have a giant pool of 1st,
2nd, and 3rd level support who are offshore which need "access" to
perform basic troubleshooting before escalation. And 90% of them have
no idea they have access, but getting them access when they would need it
becomes a giant hassle.

But since everyone is on the ACL, it's "secure" :)

-Tim


On 2/23/2011 2:44 PM, Mladen Turk wrote:

> On 02/23/2011 07:28 PM, Jason Pyeron wrote:
>>
>>
>>> encrypting the data transfer between those boxes, because you
>>> can just as well make sure the proper persons have the network access.
>>>
>>
>> That list includes 78 people.
>>
>
> You mean 78 people monitor your network for trouble or
> you have your production servers in the same network
> segment as your local intranet?
>
> Cannot tell which one is worse :)
