Future of AJP might be OK?
Richard Frovarp
richard.frovarp at ndsu.edu
Thu Aug 25 16:31:12 UTC 2022
"Not further developed" isn't a great place to be as part of your
security infrastructure. mod_proxy_ajp works quite well. We are
currently using it in places. mod_proxy_http or mod_proxy_http2 is
probably the place to be. Proxying via AJP only works on trusted
networks, and likely only on the same host from a security point of
view. There is no security in the protocol, and there have been various
attacks against it over time.
There isn't an official sunset for AJP from either the Tomcat devs or
the HTTPD devs, because there isn't a consensus at this time. So for
right now it is supported by both in some methods. Expectation is that
it will likely go away at some point:
https://youtu.be/qUjUEvGFstI?t=1989 Title of the talk: "Migrating from
AJP to HTTP: It's About Time"
And of course for Shibboleth, the recommended container is Jetty, which
dropped AJP with Jetty 9.
On 8/25/22 02:38, Simon Lundström wrote:
> Hi Richard!
>
> Don't know which talk you are referring to but if it's this one[1] you
> mean; they are talking about the APR variant of the AJP Connector. I.e.
> the one written in C. Not the NIO one written in Java.
>
> And while mod_jk isn't developed further it's still available as a
> plugin from most distros.
>
> BR,
> - Simon
>
> 1, <https://youtu.be/gjSj7zIiLPA?t=749>
>
> On Sat, 2022-07-16 at 05:05:30 +0200, Richard Frovarp via users wrote:
>> Long term AJP is going away. The Tomcat maintainers have said to move off of mod_jk and then eventually onto HTTP(S) for proxying. Look up their talk from last year's ApacheCon.
>>
>> On Fri, 2022-07-15 at 22:38 +0000, Woolf, Carl wrote:
>> My people now, digging a bit deeper, think that some options for AJP on Apache / Tomcat might remain viable:
>>
>> https://tomcat.apache.org/tomcat-10.0-doc/config/ajp.html#Connector_Comparison
>> vs https://tomcat.apache.org/tomcat-10.1-doc/config/ajp.html#Connector_Comparison
>>
>> Looks like the only connector mentioned explicitly in 10.0 that is dropped in 10.1 is the APR/native Connector.
>>
>> In 10.1: “The native connectors supported with this Tomcat release are:
>> JK 1.2.x with any of the supported servers. See the JK docs for details.
>> mod_proxy on Apache httpd 2.x (included by default in Apache HTTP Server 2.2), with AJP enabled: see the httpd docs for details.”
>>
>> This could imply that AJP is supported by mod_jk and mod_proxy via the Nio connector classes, though NOT through the Native Connector (deprecated).
>> I wonder if these supported options would suffice for Shibboleth?
>>
>> Thanks, - Carl
>>
>> --
>> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
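As an added illustration (not part of the thread, and not the Shibboleth or Tomcat projects' own configuration), here is the httpd side of the two options discussed above: AJP kept strictly on the same host with a shared secret, and the mod_proxy_http replacement. Hostnames, ports, paths and the secret value are placeholders; the `secret=` ProxyPass parameter exists in httpd 2.4.42 and later, and the matching Tomcat `server.xml` fragments are shown in comments so the two sides can be read together.

```apache
# Added example (not from the thread): httpd reverse-proxy config for a
# Tomcat-hosted Shibboleth IdP. Hostnames, ports, paths and the secret
# value are placeholders. Default is the AJP variant; start httpd with
# "-D HTTP_PROXY" to use the mod_proxy_http variant instead.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_ajp_module  modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

# Never accept proxy headers from clients; the proxy sets them itself.
RequestHeader unset X-Forwarded-Proto
RequestHeader unset X-Forwarded-For

# --- Option A: AJP, confined to the same host ----------------------------
# AJP has no authentication or encryption of its own, so the Tomcat
# listener must be loopback-only and protected by a shared secret.
# Matching Tomcat server.xml Connector (placeholder secret):
#   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
#              secretRequired="true" secret="replace-with-long-random-value"
#              redirectPort="443" />
<IfDefine !HTTP_PROXY>
    ProxyPass        "/idp" "ajp://127.0.0.1:8009/idp" secret=replace-with-long-random-value
    ProxyPassReverse "/idp" "ajp://127.0.0.1:8009/idp"
</IfDefine>

# Weak variant, shown only for contrast. Do not use:
#   <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" secretRequired="false" />
#   ProxyPass "/idp" "ajp://tomcat.example.org:8009/idp"
# Any host that can reach port 8009 can then send arbitrary requests and
# request attributes straight into the container.

# --- Option B: HTTP proxying (httpd -D HTTP_PROXY) -----------------------
# Tomcat side: an HTTP connector bound to loopback plus RemoteIpValve, so
# the webapp sees the real scheme and client address while trusting only
# headers that arrive from httpd on 127.0.0.1:
#   <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
#              address="127.0.0.1" port="8080" />
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          internalProxies="127\.0\.0\.1"
#          remoteIpHeader="X-Forwarded-For"
#          protocolHeader="X-Forwarded-Proto" />
<IfDefine HTTP_PROXY>
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        "/idp" "http://127.0.0.1:8080/idp"
    ProxyPassReverse "/idp" "http://127.0.0.1:8080/idp"
</IfDefine>
```

One difference to keep in mind when moving from A to B: with mod_proxy_ajp, httpd environment variables prefixed `AJP_` reach the webapp as request attributes, which a browser cannot set. Over HTTP anything of that kind has to travel as a header, so the `RequestHeader unset` lines (and Tomcat trusting only `internalProxies`) do the work that AJP's attribute channel did before.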