-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Rainer,
On 6/27/18 12:50 PM, Rainer Jung wrote: > Hi there, > > BZ56402 is an AJP feature request and Remy postet > > "IMO, with each day that passes, this enhancement becomes more > unrealistic and less useful. I think the decision must now be made > to either start it immediately (with a volunteer ) or pass on it > and freeze AJP for good." > > and Chris postet: > > "It might be time to let AJP die." > > Maybe a dev list discussion about plans for AJP should happen. I > heard several people interested in getting TLS support for mod_jk. > Whenever I was thinking about it, I refrained from starting to work > on it, because > > - good TLS support is a lot of work and I'm not sure how good > mod_jk could reuse mod_ssl like mod_proxy does. mod_jk uses common > source code for IIS and Apache httpd with only a thin wrapper for > the individual web servers. Therefore it is not easy to integrate > the details of comunication, which happens in the common source > code part, with mod_ssl. > > - even if it would be done with lots of efforts, it would probably > take quite some time to become robust and I think there's not > enough interest and available work time to support that new and > complex code for a longer time. > > Since encryption would be most of the most useful features and IMHO > we won't get there, I suggest we discuss deprecation and EOL dates > for AJP - meaning mod_jk and AJP connectors. After encryption, the next most useful feature would be to support Websocket, and I don't see that happening, either. > There's no need to rush, but there could be a clear statement, that > no feature improvements will be done and users should plan for > moving to mod_proxy_http (or other http/https) clients. > > I think it would be better to invest time in improving mod_proxy > where it still might lack. For instance adding custom headers to > transport communication info from the proxy to the backend like AJP > does and which could be noticed by our Tomcat http connectors > and/or support for the PROXY protocol. > > So what do people think about: > > 1) adding a statement to the mod_jk docs, that we don't plan any > feature enhancements and suggest users to migrate to mod_proxy_http > and the TC HTTP connectors (but what about IIS? I think there are > reverse proxy modules there as well?) I'm not sure, but I believe IIS does indeed have HTTP proxy modules. H2 and Websocket will probably eventually be written if they don't already exist. > 2) Adding a similar statement to the connector docs for AJP to TC > 7-9. > > 3) Deprecating AJP in TC 9 and removing in TC 10 +1 That being said, I've been using mod_jk for my entire professional life, in every single deployment I've ever done. Until I had to do one on Windows where building modules is sometimes problematic. At that point, I switched to mod_proxy_http because the client had a requirement that the point-to-point connections be encrypted. I usually solve that in the Unix world by using stunnel but Windows doesn't really have convenient options like that. I'm going to be phasing-out my own use of AJP starting soon. I think mod_jk (in various forms) has served the community well for 20 years but other products (mod_proxy) and other protocols (TLS, h2, websocket) have become much more important and robust over that same period of time. I think Tomcat 9 is appropriate for deprecation, and Tomcat 10 is appropriate for removal depending upon the schedule. If Jakarta EE ends up publishing a spec "soon" (like in the next 18 months) then it's too soon to completely remove AJP from Tomcat. If it looks like it's going to be a long time for the spec to be ready (2020 or beyond) then I think it's a reasonable plan to remove for Tomcat 10. Really, that decision should be made at the time we split Tomcat 9 into its own separate non-trunk branch, not now. So perhaps our announcement should say "deprecated now, will be removed in a future version, possibly as early as Tomcat 10". - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAltSBMsACgkQHPApP6U8 pFg7TBAAjuLkBmk8N67VzcdaZBMrhxGyJFXKdhKiaD2GUAuagQ5RPmDWQ5qwDZRJ vZF4sAK2HyNTASHmUV3g2H0NY36+54P0fYVQLaj3t2qVGRtdpU+K5HX4ODvRO8ID fhBjZoguRdXPRhVnHeS5qVCGwN3cjgvofKqpiuLqC/Tfeaodi9HMmi5H7Fh9COti fYw8o+6qo3qYQlzhNXzuVEU1mD79U5hl1aU23AFgrjrouiW10mnq6kMcCtwg1ap7 INrfzQoBKXYP8OzqPYyj8qft523h1b8CCEFBSdWp83pLCiW82wnYmo5yFV2elq3x VvBFnhPC9g4LnnHfTc9oTJAYVzUU3QRniGqTMKIo0DIfTf+NSkDyZsJvC0TbIOwM JzCkCG+MJmgcSKuVH8wN82y2a+IDOFkpxbz71+dDZXkL/fur8fj/TBwOdDmb+gG3 dhm8SOdYzEPWVYMl2Zr2kgn3lnRAY142uSlXgyGx0Vq0Q0qva5Jxx/aqOGHeortr 3l1OzoBHKwuiLSYqsETjTEQ2aaM+b5PyvURncEVk2N77kQTBpsDANkufAbhmrLom lGbOB4ksDjys6F4fOh1QX5/q0zZG38tOlNgTF3wtlE+TdwBXALaJohqffGUhNOWS 94fKkguyWIl55JsjrKDY+y1WvGYGqNvYoHty6mGB82ayjNpfHcc= =2AUR -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
