
We have an app running on Tomcat on port 8080, and we are fronting it with Apache httpd. SSL is installed and implemented, all requests are redirected to port 443, and proxied to Tomcat on 8080 by mod_proxy_httpd:

ProxyPass / http://localhost:8080/ retry=0 timeout=5
ProxyPassReverse / http://localhost:8080/

Everything works just fine; requests from the client to httpd are secured, however obviously the communication between httpd and Tomcat is not encrypted.

My questions are:

1. Would it be an issue if the communication between httpd and Tomcat is not encrypted, provided httpd and Tomcat are on the same server?

2. We are transmitting sensitive data, such as customer credit card information during payment processing. Do we need to implement SSL on Tomcat as well (e.g. port 8443), and proxy the requests from 443 to the secured Tomcat port 8443? Then it would be secured all the way from client to httpd to Tomcat; however this could affect performance, since two rounds of encryption/decryption are needed.

We have been searching on this issue, but found no clear answers. Any help is greatly appreciated.


1 Answer


If you stick to localhost (e.g. have Apache httpd on the same server as Tomcat) this most likely is secure: if you don't trust the implementation of the "localhost" networking, you couldn't trust the TLS implementation on the same server either.

You might gain performance by having Apache on a different server than Tomcat. In that case you obviously depend on the network between both: routers, cabling etc. If you don't trust your network, this might be something that you can work on. However, note that you probably also have some connection between Tomcat and filesystems (temp files), databases, etc. With transport encryption nailed, data can still leak out of this application if you can't trust your datacenter/network security.

We can't judge to what level you can trust your network, you'll have to do this by yourself.

Note that in the case you mention in the question, Tomcat will have no idea that a connection has been made over https when you just forward on http (e.g. Browser -> Apache is https, Apache -> Tomcat is http).

You can configure Tomcat's connector to assume that the connection was secure (look up the secure attribute in the connector's documentation), but this also means that you absolutely need to make sure never to allow an http connection to be forwarded to that connector. Check if AJP (a different protocol) is for you; it will forward all of the HTTP(S) connection's properties properly to Tomcat. Some like it (me among them), some don't.
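The two connector setups the answer describes, as an added example of the Tomcat side (this is not configuration from the question or the answer). It assumes httpd and Tomcat share one host, which is why both connectors are bound to the loopback address; the AJP port 8009 and the shared secret value are assumptions, and the secret must be replaced with a real one.

```xml
<!-- Added example for a Tomcat server.xml: Apache httpd terminates TLS on 443
     and forwards to Tomcat on the same host. Port 8009 and the secret value
     below are assumed; nothing here is copied from the question or answer. -->

<!-- Option A: keep the plain HTTP connector from the question, bound to
     loopback only, and tell Tomcat the client-facing connection was HTTPS.
     secure="true"/scheme="https" are unconditional, so every request on this
     port is reported as HTTPS. address="127.0.0.1" enforces at the socket
     level that only processes on this host (the TLS-terminating httpd) can
     reach it, which is the "never forward an http connection here" rule
     from the answer. proxyPort="443" makes redirects/absolute URLs built by
     the app use the public port instead of 8080. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           scheme="https" secure="true" proxyPort="443"
           connectionTimeout="20000" />

<!-- Option B: AJP, as suggested in the answer. The httpd side is
     ProxyPass / ajp://localhost:8009/ (mod_proxy_ajp instead of
     mod_proxy_http). AJP carries the original scheme, "secure" flag and
     client address to Tomcat, so no secure="true" override is needed.
     Tomcat 9.0.31 and later require a shared secret on AJP connectors
     (or an explicit secretRequired="false"); httpd 2.4.42 and later can
     send it with the secret= parameter on ProxyPass. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true" secret="REPLACE_WITH_SHARED_SECRET" />
```

With either option, a quick check is to call `request.isSecure()` and `request.getScheme()` from a test JSP behind the proxy: in the question's original setup they return false and "http", after the change they return true and "https". Option A is the cheaper change to the existing ProxyPass lines; Option B avoids the blanket assumption but adds the AJP module and secret handling on the httpd side.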