Any chance you could send me a sample configuration file? :)
Just got it installed and going to start trying to get it set up.
I am going to try to end the tunnel on a BigIP box. So just set it up on the apache server and hope it can end on the BigIP box.
Thanks
-----Original Message-----
From: Richard.Hall [mailto:Richard.Hall@ingenta.com]
Sent: Friday, August 25, 2006 4:08 PM
To: Jones Scott - sjones
Cc: stunnel-users@mirt.net
Subject: Re: [stunnel-users] stunnel and AJP
Jason,
On Fri, 25 Aug 2006, Jones Scott - sjones wrote:
Has anyone used stunnel to secure AJP traffic from apache to jboss?
Short answer: Yes.
- Apache + mod_jk configured to talk to stunnel client on localhost rather than to JBoss AJP13 port
- stunnel client talks to remote stunnel server
- stunnel server talks to JBoss AJP13 port on _its_ localhost.
Works a treat :-)
We've even done it with a third machine in the middle, running an stunnel server and client back-to-back. Just don't ask why!
HTH, Richard
Scott,
On Wed, 6 Sep 2006, Jones Scott - sjones wrote:
Any chance you could send me a sample configuration file? :)
Sorry for the delay, this got buried and has only just resurfaced.
For a local Apache (i.e. local to the machine running JBoss), a non-stunnel'd config has something like
JkMount /folder/* workername
in httpd.conf, and
worker.workername.type=ajp13
worker.workername.port=7003
worker.workername.host=localhost
in mod_jk.properties (the JkWorkersFile file)
For a remote Apache, you don't need to change mod_jk.properties. But instead of having JBoss listening on port 7003, you have an stunnel client, with a config something like
client=yes
[ajp13s]
accept = localhost:7003
connect = jboss-server:17003
And then on your local server, i.e. the one running JBoss, you have an stunnel server:-
client=no
[ajp13s]
accept = 17003
connect = localhost:7003
(You might want to consider how best to stop the rest of the world connecting to port 17003. I do it out at the firewall)
Just got it installed and going to start trying to get it set up.
I am going to try to end the tunnel on a BigIP box. So just set it up on the apache server and hope it can end on the BigIP box.
Don't know a thing about BigIP boxes! Good luck.
HTH, Richard
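
Added example, not part of the original thread: a small audit of the two stunnel configs posted above that flags any service whose accept address other hosts can reach, which is the port 17003 exposure Richard mentions. It assumes that stunnel's verify option at level 2 or higher means a client certificate is required; firewall rules are outside what it can see.

```python
# Added example, not from the thread: audit stunnel.conf text for listeners
# that other hosts can reach. Sample configs are the ones posted above.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

CLIENT_CONF = """client=yes
[ajp13s]
accept = localhost:7003
connect = jboss-server:17003
"""
SERVER_CONF = """client=no
[ajp13s]
accept = 17003
connect = localhost:7003
"""

def parse(text):
    """Return (global_options, {service_name: options})."""
    glob, services, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
            continue
        key, _, val = line.partition("=")
        (glob if cur is None else cur)[key.strip().lower()] = val.strip()
    return glob, services

def host_of(addr):
    """Host part of 'host:port'; '' for a bare port (all interfaces)."""
    host, sep, _ = addr.rpartition(":")
    return host.strip("[]") if sep else ""

def audit(text):
    """Return one finding per service whose listener is exposed off-host."""
    glob, services = parse(text)
    findings = []
    for name, opts in services.items():
        eff = {**glob, **opts}                 # service options override globals
        accept = eff.get("accept", "")
        if host_of(accept).lower() in LOOPBACK:
            continue                           # only local processes can connect
        if eff.get("client", "no").lower() == "yes":
            findings.append(f"{name}: plaintext listener {accept} is not loopback-only")
        elif int(eff.get("verify", "0")) < 2:  # assumption: verify >= 2 requires a client cert
            findings.append(f"{name}: {accept} accepts any TLS client (no verify >= 2)")
    return findings

if __name__ == "__main__":
    for label, conf in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        print(label, audit(conf) or "ok")
```

A finding on the server side is cleared either by binding accept to a specific internal address behind the firewall, as in the thread, or by requiring client certificates.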