How do ensure that Apache AJP to Tomcat connection is secure/encrypted?

apache tomcat ssl ajp
BestPractices picture BestPractices · Sep 17, 2012 · Viewed 12.2k times · Source

We want to front-end our Tomcat instance with an Apache instance (running on the same machine) that will be serving everything on HTTPS and connect Apache to Tomcat using AJP. When using AJP, do we need to do anything to make sure that the connection between Apache and Tomcat is secure? (We dont want passwords to be sniffable on the network between Apache and Tomcat). The O/S is Red Hat Enterprise Linux 6.3

Answer

mindas picture mindas · Sep 17, 2012

You are saying

Tomcat instance with an Apache instance (running on the same machine)

and later you are saying

We dont want passwords to be sniffable on the network between Apache and Tomcat

This just contradicts each other.

EDIT: AJP is not designed to be secure, if you need security, use mod_proxy_http and proxy over https, or create SSH tunnel. Needless to say, you will have to pay for this overhead.

Related questions

Error during SSL Handshake with remote server

I have Apache2 (listening on 443) and a web app running on Tomcat7 (listening on 8443) on Ubuntu. I set apache2 as reverse proxy so that I access the web app through port 443 instead of 8443. Besides, I need to have SSL communication …

Read More
Configure Apache SSL and then redirect to Tomcat with mod_jk

I'm trying to configure my home server to accept SSL Connection on port 443. I've www.mydomain.com domain, I've just linked Apache2 and Tomcat, using mod_jk, now I wish to accept also https request from the web. This is …

Read More
Making a two way SSL authentication between apache httpd reverse proxy and Tomcats

I have an Apache HTTPD working as a reverse proxy, and Tomcat(6.0.35) server(s), what I'm trying to achieve is that there will be mutual trust between the Tomcat server and the reverse proxy. Meaning that when reverse proxy forwards …

Read More