Denis Signoretto 4 Years Ago
Hi David, I'm a fan of AJP too. Do you know if there is a way to encrypt the communication between Apache and Tomcat using AJP? In most cases I have to use mod_proxy to take advantage of SSL.

Denis Signoretto (replying to Denis Signoretto) 4 Years Ago
Sorry, I read the whole article just now :P

Denis Signoretto (replying to Denis Signoretto) 4 Years Ago
Hi @David, I don't understand whether the secret is just a password to authenticate the reverse proxy or whether it is used to encrypt the communication as well?

Olaf Kock (replying to Denis Signoretto) 4 Years Ago
There's no encryption whatsoever in AJP. It's just a shared secret between the reverse proxy and Tomcat.
Olaf Kock 4 Years Ago
I think I could get used to mentioning something to David. This saves a lot of work writing an article myself - Big Win! :)

One additional note, that I didn't mention in the snippet: AJP is thought of as dangerous, thus it needs to be enabled explicitly. It's dangerous if your AJP port is open to the world - e.g. if third-party webservers could connect to it: they'll have quite some power of tricking Tomcat into believing in the request that's coming. This is also the reason why "just enabling it" won't be enough, but you'll need to configure the mentioned "secret" as a non-null, non-blank string.

Notice also that AJP is totally and utterly unencrypted - cleartext (well, clearbinary) by design. If you require encryption on that connection, consider going https - or establish a tunnel or VPN between the servers.

I love AJP, due to the features that David already mentioned. It'll just be even more work once Tomcat comes "secure by design". By the way, this change is also incorporated into Tomcat 8.5.51 and 7.0.100.

Andy Scott (replying to Olaf Kock) 4 Years Ago
Was also looking at using the secret option and noticed that httpd supports this under version 2.4.42, which is yet to be released. Any recommendations on what versions to use to support this?

Olaf Kock (replying to Andy Scott) 4 Years Ago
Despite the secret's name, it travels across an unencrypted network connection, and you can continue to operate through AJP if you know what you're doing: the AJP connection between httpd and Tomcat is unencrypted, so you'll need to trust the connection. If you limit access to your AJP connector to trusted sources (e.g. your httpd), that'll go almost all the way. The secret will only provide additional protection if you accidentally make your AJP port available to non-trusted traffic sources. They'd need to know this secret.

On a related note: I've mentioned above that AJP is a binary protocol and got corrected in a private conversation - it contains a lot of textual stuff - largely what HTTP contains anyway. When I labelled it as binary, I meant to describe it as "not what you'd typically want to construct manually" (as some simple HTTP/1 requests that can be issued through telnet). And no, I've never tried constructing AJP requests manually - not interested to go in that deep. Again: keep your network under control, under no circumstance open your AJP port to anyone other than your reverse proxy, and you should be largely set.
William Gosse 4 Years Ago
Great post David. I just shared it with our devops team. Thanks
Kiran K 4 Years Ago
The explanation was awesome. Do we have a working example of what to set in Tomcat and what needs to be added in httpd? Does it look correct?

<Connector protocol="AJP/1.3" address="::1" port="8029" redirectPort="8443" allowTrace="true" secret="12345" allowedRequestAttributesPattern="7080"/>
# allowedRequestAttributesPattern="AJP_REMOTE_PORT"

Does it look correct, and what should we add in httpd? The Tomcat documentation is very confusing - maybe for experts it is good, but it needs more examples.
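Olaf's two rules above (keep the AJP port reachable only from the reverse proxy, and set a non-blank secret) and Kiran's question both come down to what the AJP Connector in server.xml says. The following is an added example, not code from the article, from Tomcat, or from any commenter: a Python script that parses a server.xml and reports every AJP connector that is bound beyond loopback, has secretRequired="false", or carries no usable secret. The embedded server.xml is constructed for the example and shows a weak connector next to a hardened one; the port numbers, the placeholder secret value and the wording of the findings are assumptions of mine. The script does not look at allowedRequestAttributesPattern: that attribute takes a regular expression matched against the names of request attributes the proxy forwards, so a value such as "7080" is not where a port goes and simply matches nothing.

```python
"""Audit a Tomcat server.xml for AJP connectors that are exposed or unauthenticated.

Added example; not code from the article or from Tomcat itself.
"""
import xml.etree.ElementTree as ET

# Bind addresses that keep the connector reachable only from the local host.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml (not from the page). Two AJP connectors are shown
# side by side so the audit has something to flag; a real server.xml keeps only
# the second one. Ports differ so the sample would at least start.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- weak: bound to every interface, shared-secret check switched off -->
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" redirectPort="8443"/>
    <!-- hardened: loopback only, non-blank secret the reverse proxy must present -->
    <Connector port="8029" protocol="AJP/1.3" address="127.0.0.1"
               secret="replace-with-a-long-random-value" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def is_ajp_connector(connector):
    """True for protocol="AJP/1.3" and for explicit implementation class names
    such as org.apache.coyote.ajp.AjpNioProtocol."""
    return "AJP" in connector.get("protocol", "HTTP/1.1").upper()


def audit_connector(connector):
    """Return the findings for one AJP <Connector>; an empty list means it passes."""
    findings = []

    address = connector.get("address")
    if address is None:
        # The default bind address became loopback in 9.0.31 / 8.5.51 / 7.0.100;
        # older releases bind to all interfaces, so make it explicit either way.
        findings.append("no address set; bind explicitly to 127.0.0.1 or ::1")
    elif address not in LOOPBACK_ADDRESSES:
        findings.append(
            f"bound to {address}; make sure only the reverse proxy can reach this port"
        )

    if connector.get("secretRequired", "true").lower() == "false":
        findings.append('secretRequired="false" disables the shared-secret check')

    secret = connector.get("secret")
    if secret is None or not secret.strip():
        findings.append("secret is missing or blank; set the same non-blank value on the proxy")

    return findings


def audit(server_xml):
    """Map each AJP connector's port to its list of findings."""
    root = ET.fromstring(server_xml)
    return {
        connector.get("port", "?"): audit_connector(connector)
        for connector in root.iter("Connector")
        if is_ajp_connector(connector)
    }


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_SERVER_XML).items():
        print(f"AJP connector on port {port}: {'OK' if not findings else 'FIX'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a live file with audit(open("conf/server.xml").read()). On the httpd side the same value goes on the ProxyPass line, e.g. ProxyPass "/" "ajp://127.0.0.1:8029/" secret=replace-with-a-long-random-value; as Andy notes, the secret parameter of mod_proxy_ajp needs httpd 2.4.42 or later, and the two strings must match exactly. Binding to loopback only works when httpd runs on the same host; if the proxy sits elsewhere, the connector has to bind to a routable address and the firewall has to do what the loopback bind does here.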