Future of AJP might be OK?
cantor.2 at osu.edu
Thu Aug 25 20:53:56 UTC 2022
> You are correct. I usually forget that plain HTTP is still a thing. The
> one thing is that AJP has a "secret" parameter that is anything but
> secret as it is passed in the plain over the wire. So it gives the
> illusion of being more secure than plain HTTP.
I think it's really quite the opposite. People generally grasp that you need a private network between AJP endpoints, but people proxy HTTP all the time with no regard for preventing other clients sneaking in, they just don't get it. So smuggling headers and the like tends to be a huge problem on campus networks, at least on mine.
> There have been buffer overflow attacks that have worked against the
> various AJP components, with I think mod_jk being a frequent target.
I completely agree that mod_jk is a disaster, haven't used that in years.
More information about the users