httpd-users mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: [users@httpd] Unencrypted Channel From Web Server To App Server
Date Sun, 02 Mar 2008 23:59:00 GMT
James Ellis wrote:
> Is it correct to say that in a typical Browser-Apache Web Server-Tomcat 
> App Server setup, the SSL connection generally terminates at the Apache 
> web server and the traffic between Apache and Tomcat (to the AJP 
> connector) is unencrypted?  If I am correct that this is the "usual" 
> setup, then isn't this a pretty big security flaw since the DMZ is 
> supposed to be only "partly" safe?
> If someone were to crack into the DMZ and could sniff network traffic, 
> then they could in theory listen in to traffic and grab all of it in an 
> unencrypted state (which may include credit card information, usernames, 
> passwords etc).

Yes.  This design relies on the integrity of the network beyond the DMZ.

A good solution is to use proxy_http over ssl and the https connector for
the last mile, if this is a concern in the environment you have deployed.

The official User-To-User support forum of the Apache HTTP Server Project.

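As an added illustration of the two setups discussed in this thread (not configuration from the original message or from the Apache project): the first virtual host is the common layout the question describes, where TLS ends at Apache and the last mile to Tomcat's AJP connector is plaintext; the second follows the reply's suggestion and uses mod_proxy_http over TLS to a Tomcat HTTPS connector, with httpd verifying the backend certificate so a host on the internal segment cannot stand in for Tomcat. Host names, ports and file paths are placeholders; SSLProxyCheckPeerName needs httpd 2.4.5 or later, the other directives exist in 2.2 as well.

```apache
# (1) The usual setup the question describes: TLS terminates here, and the
#     request (form fields, cookies, card numbers) crosses the DMZ to
#     Tomcat's AJP connector in the clear. Anyone sniffing that segment
#     sees it. Paths and host names below are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    ProxyPass        / ajp://tomcat.internal.example:8009/
    ProxyPassReverse / ajp://tomcat.internal.example:8009/
</VirtualHost>

# (2) proxy_http over SSL for the last mile. Needs mod_ssl, mod_proxy and
#     mod_proxy_http loaded, and an HTTPS connector on the Tomcat side.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Encrypt outgoing proxy connections and require a backend certificate
    # chaining to the internal CA; without SSLProxyVerify the channel is
    # private but the backend is not authenticated.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt

    # httpd 2.4.5+: the backend certificate must match the host name in
    # the ProxyPass URL (tomcat.internal.example), not the client's Host.
    SSLProxyCheckPeerName     on

    ProxyPreserveHost On
    ProxyPass        / https://tomcat.internal.example:8443/
    ProxyPassReverse / https://tomcat.internal.example:8443/
</VirtualHost>
```

On the Tomcat side this assumes an HTTPS connector (a `<Connector>` with `SSLEnabled="true"` on port 8443) whose certificate is issued by the CA named in SSLProxyCACertificateFile, and it is worth binding that connector, with `address=`, to the internal interface only so the plaintext AJP port is not left listening alongside it. The cost is a TLS handshake per backend connection, which persistent connections to the backend largely absorb.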