AJP Protocol


Devin Braun

Mar 9, 2022, 4:59:00 PM
to onebusaway-developers
Hi everyone,

Does OBA use the AJP protocol? Our IT department said that their scan shows that AJP exists in OBA but they are not sure if it's relevant to the security issue at hand. There is an apparent exploit right now with this protocol and we need to know if we need to mitigate the vulnerability.

Thanks,

Devin

Sean Barbeau

Mar 10, 2022, 2:08:42 PM
to onebusaway-developers
Devin,
I assume you're talking about this:

Not to my knowledge, but Sheldon would have a better idea. I'll caveat this with I've never used AJP myself.

Isn't AJP something used for server-to-server communication? I thought this would be configured for the web server container that OBA is hosted inside of, like Apache Tomcat, and not for OBA itself. So it would be possible to set up an architecture where the server sends proxy requests via AJP to a server that OBA is hosted inside of, but that's not dictated by the OBA application itself.

Sean

Sheldon A. Brown

Mar 11, 2022, 7:20:09 AM
to onebusaway...@googlegroups.com
Sean explained it well. If you wanted to put an Apache or IIS
web server in front of OneBusAway for static content or proxying, you
could then use AJP to talk to Tomcat on the back end.

Assuming you are not doing that, you don't need AJP. To prevent
Tomcat from setting up AJP, comment out this line in your Tomcat
conf/server.xml:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Sheldon

Devin Braun

Mar 15, 2022, 6:34:01 PM
to onebusaway-developers
Thanks, as always, for the sage advice!

We commented out the relevant part of the Tomcat config.

Devin
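
A way to confirm the change discussed in this thread, as an added example that is not part of the original posts or of OneBusAway: it parses a Tomcat conf/server.xml and lists the AJP connectors that are still active, ignoring any that are commented out. The function names and both sample files are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on a stock Tomcat conf/server.xml.
ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# The same constructed file after the connector line has been commented out.
DISABLED = ENABLED.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')


def is_ajp(protocol):
    """True for protocol="AJP/1.3" or an explicit AJP handler class name."""
    p = (protocol or "").strip().lower()
    return p.startswith("ajp/") or ".ajp." in p


def active_ajp_connectors(server_xml_text):
    """Return (service, port, address) for each AJP <Connector> still defined.

    ElementTree discards XML comments while parsing, so a connector that has
    been commented out does not appear in the result.
    """
    root = ET.fromstring(server_xml_text)
    found = []
    for service in root.iter("Service"):
        for conn in service.findall("Connector"):
            if is_ajp(conn.get("protocol")):
                found.append((service.get("name"), conn.get("port"),
                              conn.get("address")))
    return found


if __name__ == "__main__":
    # Usage: python check_ajp.py /path/to/conf/server.xml
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else ENABLED)
    hits = active_ajp_connectors(text)
    for svc, port, addr in hits:
        print(f"AJP active: service={svc} port={port} address={addr or '(not set)'}")
    sys.exit(1 if hits else 0)
```

The script exits non-zero while an AJP connector is still defined, so it can run as a deployment check. Tomcat reads server.xml at startup, so the edit takes effect after a restart.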
