1. Re: Limit AJP to only select webservers
anguyen Dec 23, 2005 10:39 AM (in response to dmazzella)
How about running a firewall on the JBoss/Tomcat server machine? That would be the most secure way to handle it, IMO.
-
2. Re: Limit AJP to only select webservers
dmazzella Dec 23, 2005 10:50 AM (in response to dmazzella)
"anguyen" wrote:
How about running a firewall on the JBoss/Tomcat server machine? That would be the most secure way to handle it, IMO.
That is already in place, but security is still concerned about someone attempting to attach to AJP from within the firewall. (It is a government agency with fairly strict security.)
-
3. Re: Limit AJP to only select webservers
anguyen Dec 23, 2005 11:15 AM (in response to dmazzella)
It's not clear from your post whether the firewall you have in front of JBoss/Tomcat is a separate piece of hardware or is a software firewall running as part of the OS on the same machine.
My suggestion was to use a software firewall that is part of the OS. There is no way to attach to AJP from "within" a software firewall. Any connections destined for JBoss/Tomcat must go through the OS's NIC driver and TCP/IP stack before getting to the socket in JBoss/Tomcat. The software firewall sits somewhere between the OS's NIC driver and the application's socket, checking each packet that comes into the machine.
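
The host-firewall approach suggested in the thread, sketched as an added example that is not part of any poster's reply: a small generator for an AJP source allowlist. It assumes a Linux application server using iptables; the web server addresses are constructed placeholders, 8009 is the default AJP/1.3 connector port, and the function names `valid_ipv4` and `ajp_rules` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses are constructed (RFC 5737
# documentation range); 8009 is the default AJP/1.3 connector port.

# Succeeds only if $1 is a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into the function's own $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: ajp_rules PORT WEBSERVER_IP [WEBSERVER_IP...]
# Prints the rule commands; on any bad input prints nothing and returns 1,
# so a typo can never produce a partial rule set.
ajp_rules() {
    port=$1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    shift
    [ $# -gt 0 ] || return 1
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    # Any other source, including hosts on the internal network, is dropped.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Review the printed commands before running them as root on the app server.
ajp_rules 8009 192.0.2.10 192.0.2.11
```

Because the rules are appended with `-A`, any broader ACCEPT rule already present earlier in the INPUT chain still matches first, so check the existing chain before relying on the DROP.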