Apache Tomcat and AJP

Had a situation come up where I was reminded of this awesome article:

This image kinda paints a better picture of why you probably don’t want to expose the AJP connector:

Even if you can’t get to the “manager” interface, you still have a pipeline into the app that is going over a binary-like protocol. This means that there is very little chance your traffic is being watched by an IDS, IPS, NGFW, or even a WAF (most don’t speak AJP). You also bypass any handlers that are set up (say, a poor man’s mod_security); you have a fast lane behind most front-line protections.

There's other fun stuff you can do with AJP, but I'll leave that as an exercise for the reader. It's just good information to know if you run across any Tomcat installs that expose the AJP interface.

(If you need help setting it up under CentOS, let me know; it's a bit different from the article, as the article relies on the outdated mod_jk module.)

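The "pipeline into the app" the post describes, as an added example that is not part of the original post and is not Tomcat's, mod_jk's or mod_proxy_ajp's code: it builds the AJP13 Forward Request a front-end web server would send to the connector (port 8009 by default) for one HTTP request, parses it back into what the servlet sees (the decoding an IDS or WAF would have to do before it could inspect this traffic at all), and can push the raw bytes at a connector. The request, header values, host names and secret value are constructed sample data; `send_forward_request` assumes a reachable connector and is only there to show how little stands between the bytes and the app.

```python
# Added example (not from the post, Tomcat, or mod_jk): build the AJP13 "Forward Request"
# a web server sends Tomcat, parse it back, push it at a connector. All inputs are constructed.
import socket
import struct
CLIENT_MAGIC = b"\x12\x34"      # web server -> Tomcat; Tomcat's replies start with b"AB"
FORWARD_REQUEST = 0x02
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHODS.items()}
# Common request headers travel as 2-byte codes (0xA0xx) instead of their names.
HEADER_CODES = {"accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
                "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
                "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
                "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
                "user-agent": 0xA00E}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}
# Request attributes carry one string each, except 0x0A (name + value) and 0x0B (uint16).
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
              0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
              0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method"}
ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE, ATTR_END = 0x0A, 0x0B, 0xFF

def _enc_str(s):
    """AJP string: uint16 length, the bytes, a NUL. A null string is just 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"

def encode_forward_request(method, uri, query=None, headers=None, secret=None,
                           server_name="localhost", server_port=80, remote_addr="127.0.0.1"):
    """Build the packet mod_jk / mod_proxy_ajp would send Tomcat for one HTTP request."""
    body = bytes([FORWARD_REQUEST, METHODS[method]])
    body += _enc_str("HTTP/1.1") + _enc_str(uri)
    body += _enc_str(remote_addr) + _enc_str(None)              # remote_host: null
    body += _enc_str(server_name) + struct.pack(">H", server_port)
    body += b"\x00"                                               # is_ssl = false
    headers = headers or {}
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = HEADER_CODES.get(name.lower())
        body += (struct.pack(">H", code) if code else _enc_str(name)) + _enc_str(value)
    if query is not None:
        body += bytes([0x05]) + _enc_str(query)
    if secret is not None:      # the connector's "secret" attribute, when it requires one
        body += bytes([0x0C]) + _enc_str(secret)
    body += bytes([ATTR_END])
    return CLIENT_MAGIC + struct.pack(">H", len(body)) + body

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def string(self):
        n = self.u16()
        if n == 0xFFFF:
            return None
        s = self.data[self.pos:self.pos + n].decode()
        self.pos += n + 1                                         # skip the NUL
        return s

def decode_forward_request(packet):
    """Parse a client->Tomcat packet into the request the servlet would see."""
    if packet[:2] != CLIENT_MAGIC:
        raise ValueError("not a client AJP13 packet")
    r = _Reader(packet[4:4 + struct.unpack_from(">H", packet, 2)[0]])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHOD_NAMES[r.byte()], "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.u16(), "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        code = r.u16()
        if code & 0xFF00 == 0xA000:
            name = HEADER_NAMES[code]
        else:                               # those two bytes were a string length: re-read
            r.pos -= 2
            name = r.string()
        req["headers"][name] = r.string()
    while (code := r.byte()) != ATTR_END:
        if code == ATTR_REQ_ATTRIBUTE:
            name = r.string()
            req["attributes"][name] = r.string()
        elif code == ATTR_SSL_KEY_SIZE:
            req["attributes"]["ssl_key_size"] = r.u16()
        else:
            req["attributes"][ATTR_NAMES[code]] = r.string()
    return req

def send_forward_request(host, port, packet, timeout=5.0):
    """Push one packet at a live connector (e.g. port 8009); a reply starting b"AB" is AJP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(packet)
        return s.recv(8192)
```

Nothing in the packet is HTTP: the method is a byte, the common headers are two-byte codes, and the "client IP" and "server name" the app sees are whatever the sender put in `remote_addr` and `server_name`, which is why a signature written for HTTP never fires on it. The `secret` attribute is the check worth knowing about: since Tomcat 9.0.31, 8.5.51 and 7.0.100 the AJP connector is commented out in the default server.xml, binds to loopback unless `address` says otherwise, and refuses requests whose `secret` does not match the connector's (`secretRequired` defaults to true). An AJP port that answers the packet above with no secret set is either an older Tomcat or one someone opened up on purpose.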