Apache vs Tomcat WRT Security
I was very interested in the discussion concerning Apache vs Tomcat WRT Performance. While I cannot argue with the performance numbers, I do like putting Apache in front of Tomcat for 2 reasons that I have found so far.

1. SSL. If I am going to be serving pages whether they be dynamic or static, I think Apache handles the SSL communications and key storage better. In tests that I have run, the crypto that needs to be done to support SSL is faster in C than Java. Also, Tomcat stores any key information in a flat file, where Apache will prompt for a password on startup. Now some administrators might like this better, because Tomcat will then start automatically at boot time, I would not want any password of mine sitting in the clear in a test file.

2. If you are hosting your site using port 80 on Unix boxes this means running Tomcat as root. I can think of very few reasons why Tomcat needs to be run as root. Apache has the ability to 'downgrade' user privileges once Apache is started.

Please do not think that I am bashing Tomcat, just pointing out some interesting findings that I have come across over time. I have been a supporter and user of tomcat back to the 3.x days and will continue. Thank you.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache vs Tomcat WRT Security
I won't argue with no. 1 since I don't use SSL connectors in Tomcat. However, no. 2 can be mitigated with the commons-daemon project among other tricks and IMHO, not a valid argument against having Tomcat out front.

Just my thoughts on the subject. :-)

-David

--
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY 14853
Phone: 607.255.9571
Fax: 607.255.0939
Re: Apache vs Tomcat WRT Security
On 5/19/05, Mark [EMAIL PROTECTED] wrote:

> I was very interested in the discussion concerning Apache vs Tomcat WRT Performance. While I cannot argue with the performance numbers, I do like putting Apache in front of Tomcat for 2 reasons that I have found so far.
>
> 1. SSL. If I am going to be serving pages whether they be dynamic or static, I think Apache handles the SSL communications and key storage better. In tests that I have run, the crypto that needs to be done to support SSL is faster in C than Java. Also, Tomcat stores any key information in a flat file, where Apache will prompt for a password on startup. Now some administrators might like this better, because Tomcat will then start automatically at boot time, I would not want any password of mine sitting in the clear in a test file.

The next Tomcat 5.5 release will include APR based connectors, where SSL will (predictably) use OpenSSL.

> 2. If you are hosting your site using port 80 on Unix boxes this means running Tomcat as root. I can think of very few reasons why Tomcat needs to be run as root. Apache has the ability to 'downgrade' user privileges once Apache is started.

I think you should have googled for that. You can use either kernel level redirection (iptables, for example), or use jsvc.

--
Rémy Maucherat
Developer Consultant
JBoss Group (Europe) SàRL
Re: Apache vs Tomcat WRT Security
I don't know about others, but I prefer to run tomcat on port 8080 and then set up the router to redirect port 80 to 8080. It's rather easy to set up these days.

peter
Re: Apache vs Tomcat WRT Security
OK, so I will admit that I am out of the loop with regards to #2. But I still have an issue with storing and passwords required to open key files in the clear. Is there some function that will handle this for me...
Re: Apache vs Tomcat WRT Security
Mark wrote:

> OK, so I will admit that I am out of the loop with regards to #2. But I still have an issue with storing and passwords required to open key files in the clear. Is there some function that will handle this for me...

Assuming that the file is sensibly protected with OS security, if an attacker is able to read this file then the chances are they already own the box or are well on the way to owning it and you have much bigger problems.

As always with security, you need to consider all of the threats to your system, the possible mitigation actions and the balance between effort/cost of the mitigation and the acceptable level of risk for your system. In my experience the balance is usually in favour of availability rather than using a password on startup but each system is unique.

Mark
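Added example, not part of any message in this thread: a preflight check for a standalone Tomcat covering the two concerns discussed above, that the process is not running as root and that the files holding the keystore and its password are protected by OS file permissions. The function names and file paths are hypothetical, and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: preflight for a standalone Tomcat. All names and paths are
# hypothetical; the sample files at the bottom are constructed for the demo.

# Print the nine permission characters of a file, e.g. "rw-r-----".
perm_bits() {
    ls -ld -- "$1" 2>/dev/null | cut -c2-10
}

# 0 = nothing for "other" and at most read for group
# 1 = group-writable or accessible to "other"; 2 = missing / not a plain file
secret_file_ok() {
    _f=$1
    [ -f "$_f" ] && [ ! -L "$_f" ] || return 2
    _bits=$(perm_bits "$_f")
    [ "$(echo "$_bits" | cut -c7-9)" = "---" ] || return 1
    case "$(echo "$_bits" | cut -c4-6)" in
        ---|r--) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeeds when the given uid (default: current user) is not root.
run_user_ok() {
    [ "${1:-$(id -u)}" -ne 0 ]
}

# preflight UID FILE...: report each problem, return the number of failures.
preflight() {
    _uid=$1; shift
    _fail=0
    if ! run_user_ok "$_uid"; then
        echo "FAIL: uid 0; bind port 80 via jsvc or redirect 80 -> 8080 instead"
        _fail=$((_fail + 1))
    fi
    for _p in "$@"; do
        _st=0; secret_file_ok "$_p" || _st=$?
        case $_st in
            0) echo "ok:   $_p ($(perm_bits "$_p"))" ;;
            1) echo "FAIL: $_p too permissive ($(perm_bits "$_p"))"; _fail=$((_fail + 1)) ;;
            *) echo "FAIL: $_p missing or not a regular file"; _fail=$((_fail + 1)) ;;
        esac
    done
    return "$_fail"
}

# Demo on constructed files: a keystore (0600) and a server.xml holding
# keystorePass in clear text (0644, which the check rejects).
demo=$(mktemp -d)
: > "$demo/keystore.jks"; chmod 600 "$demo/keystore.jks"
echo '<Connector port="8443" keystorePass="changeit"/>' > "$demo/server.xml"
chmod 644 "$demo/server.xml"
preflight "$(id -u)" "$demo/keystore.jks" "$demo/server.xml" || echo "problems: $?"
rm -rf "$demo"
```

The check reads only the classic mode bits, so ACLs that grant extra access are not detected.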
Re: Apache vs Tomcat WRT Security
On Thu, 19 May 2005, Mark wrote:

> I was very interested in the discussion concerning Apache vs Tomcat WRT Performance. While I cannot argue with the performance numbers, I do like putting Apache in front of Tomcat for 2 reasons that I have found so far.
>
> 1. SSL. If I am going to be serving pages whether they be dynamic or static, I think Apache handles the SSL communications and key storage better. In tests that I have run, the crypto that needs to be done to support SSL is faster in C than Java. Also, Tomcat stores any key information in a flat file, where Apache will prompt for a password on startup. Now some administrators might like this better, because Tomcat will then start automatically at boot time, I would not want any password of mine sitting in the clear in a test file.

Agreed.

> 2. If you are hosting your site using port 80 on Unix boxes this means running Tomcat as root. I can think of very few reasons why Tomcat needs to be run as root. Apache has the ability to 'downgrade' user privileges once Apache is started.

jsvc will allow you to do this with Tomcat; a simple guide to setting this up is here: http://www.mythic-beasts.com/support/topic_vds_java.html

Yours,
Pete Stevens

--
Pete Stevens [EMAIL PROTECTED]
http://www.ex-parrot.com/~pete/
the Flat Earth Society announced in 1995 that their membership was global
Re: Apache vs Tomcat WRT Security
David Smith wrote:

> I won't argue with no. 1 since I don't use SSL connectors in Tomcat. However, no. 2 can be mitigated with the commons-daemon project among other tricks and IMHO, not a valid argument against having Tomcat out front.
>
> Just my thoughts on the subject. :-)

I'll just add to the mix... The way I see it, you will use Apache as a front end for other reasons. Some of them might be:

1. You already have a web site, into which you would like to plug-in your applications
2. You would like to use Apache's mod_rewrite
3. You would like to mix PHP, ASP, Perl or something else on your global site
4. You have a need for exotic authentication, like LDAP or Kerberos5/SPNEGO (read: MS Active Directory)
5. You have a need for any of those nifty modules of Apache
6. You would like to use dedicated servers for TC's application serving and load balance

Nix.
At boot is order of start up (Apache vs Tomcat) important?
I know I've seen this discussion a while back but I couldn't find it. On a Linux box I've built a simple minded tomcat start/stop/restart script and put it in /etc/init.d. Should I start tomcat before apache or after or does it matter? Same for shutdown. Are there any timing issues? This is a RedHat installation.

Thanks,
Jim.
RE: At boot is order of start up (Apache vs Tomcat) important?
To the best of my understanding, the sequence does not matter. Just that as long as tomcat is not started, the requests that ought to be served by tomcat will return an error.
RE: At boot is order of start up (Apache vs Tomcat) important?
I've found that it is best to start Tomcat and wait until Tomcat is fully up and running before starting Apache. Otherwise Tomcat seems to die if Apache sends it a request. Your mileage may vary.
Apache vs. Tomcat
Hi,

I know that, for a more secure environment, we should use Apache integrated with Tomcat. What I need is some kind of paper or web page explaining that. Does anyone know something like it??

Thanks,
Tiago.
Re: Apache vs. Tomcat
On Thu, 27 Mar 2003, Tiago Ferraz Machado wrote:

> Date: Thu, 27 Mar 2003 15:10:54 -0300
> From: Tiago Ferraz Machado [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Subject: Apache vs. Tomcat
>
> Hi,
>
> I know that, for a more secure environment, we should use Apache integrated with Tomcat. What I need is some kind of paper or web page explaining that. Does anyone know something like it??

I do not buy the underlying assumption that this is necessary strictly for a more secure environment. It is quite feasible to set up a secure Tomcat standalone environment (and, in fact, one could argue that this is likely to be more secure because it's not written in C, and therefore not vulnerable to the typical buffer overflow type attacks).

The most important security-related thing about Tomcat standalone is if you need your app to run on a privileged port (1024). Right now, that would mean having to run Tomcat as the root user, which is a very bad thing, or you can set up some sort of port forwarding.

Note that I am *not* saying Apache is insecure -- it's not. But you should not make the assumption that Tomcat standalone is any *less* secure without some sort of proof, and the reported security vulnerabilities against the two (over the last few years) would lead you to the opposite conclusion.

> Thanks,
> Tiago.

Craig
tomcat and apache vs tomcat standalone
I have a very basic question. What are the advantages/disadvantages of using Apache connected with Tomcat compared to just using Tomcat Standalone? Assuming I'm just using Java and don't need any other connector or module like PHP, Perl or C. Are there any scalability, flexibility or efficiency differences between those two options? Alan Sparago [EMAIL PROTECTED] 602 494 9596
RE: tomcat and apache vs tomcat standalone
Search the archives. This topic comes up regularly. Basic questions usually do. ;)

Quickly: yes, there are all sorts of advantages to using Apache with Tomcat:

- don't have to run Tomcat as root on port 80
- can use all Apache modules
- can use other dynamic technologies (PHP, etc)
- Apache is tuned for static content, Tomcat is not
- One or many Apaches can distribute load to one or many Tomcats (even on separate machines)

...and on and on.

In general, use Tomcat stand-alone unless there is a need for Apache. Many people have problems getting the two to work together, it may not be worth the effort if your project doesn't really need Apache.

John
Apache vs Tomcat
Hi All, Anybody have any experience with relative performance of pure Tomcat vs Apache/Tomcat in a real world environment, particularly with SSL? Thanks, Rick -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]