1. There's really no document (that I know of), and hopefully my comments weren't taken as a claim that Tomcat is inherently insecure. Lots of administrators, especially in the UNIX/Linux world, have an aversion to running services as root, especially web servers. In order for Tomcat to bind to port 80, it has to run as root (ports less than 1024 require root privileges for services to bind). Apache runs as root, but uses child processes with more restrictive privileges to serve actual requests. On the Windows side, everything runs as SYSTEM (essentially the equivalent of "root") by default (yuck!).
There are all sorts of reasons why you might want to use Apache with Tomcat:

- don't have to run a service as root
- need support for Apache modules like mod_rewrite or a custom Apache module
- need support for PHP or other CGI-type technologies
- need support for Apache-style access restrictions
- need to load-balance to multiple Tomcats (JK and JK2 can do this)
- need to support various types of virtual hosting, not all of which require a servlet container
- and more

2. You can always look through the source, and I'm sure your specific questions would get answered pretty fast on the tomcat-dev list.

John

> -----Original Message-----
> From: rf [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 03, 2003 7:21 AM
> To: Tomcat Users List
> Subject: RE: mod_jk
>
> Hello John
> Thanks for your email.
> 1. What are the advantages of using Apache on top of Tomcat (with regards to security and otherwise)? If there is a document already, please point me to that.
> 2. Where can I know more about the AJP protocol?
>
> ~rf
>
> --- "Turner, John" <[EMAIL PROTECTED]> wrote:
>
> > In production, you only want the connectors used for actual connections to be enabled. If you're leaving port 8080 open, there's really no purpose for Apache, as one of the primary purposes of using Apache on port 80 instead of Tomcat is security. Leaving Tomcat available on 8080 undermines this goal. So, if you are using a connector at all, there's no reason to have any port open except the connector port.
> >
> > The protocol used by the JK/JK2 connectors is not HTTP. It is called "AJP", which, I believe, stands for "Apache JServ Protocol". JServ was the "original" Apache + Tomcat connector.
> >
> > John
> >
> > -----Original Message-----
> > From: rf [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 03, 2003 2:29 AM
> > To: Tomcat Users List
> > Subject: Re: mod_jk
> >
> > Thank you Lajos and Oscar.
> > Btw, what is the interface Apache uses to communicate to Tomcat at 8009? I guess it won't be HTTP. For security reasons, I assume it would be safer to run all tomcat processes on the lo interface. Is this correct, and recommended?
> >
> > ~rf.
> >
> > --- Lajos <[EMAIL PROTECTED]> wrote:
> > > Rf -
> > >
> > > When you use mod_jk, Apache communicates to Tomcat on (default) port 8009. Port 8080 is for direct HTTP connections to Tomcat which, by default is enabled. So, the answer is yes: you can expose web applications to Apache via mod_jk, and access them on the Apache port, but also access them by pointing your browser directly to the Tomcat port.
> > >
> > > Regards,
> > >
> > > Lajos
> > >
> > > rf wrote:
> > > > When I use a tomcat-apache connector to redirect http requests to port 80 to port 8080, can I still use port 8080 to connect to tomcat directly bypassing apache? If yes, how do I not allow this? By running tomcat on lo's 8080? What about on Windows?
> > > >
> > > > Thank you
> > > > Rf
> > > --
> > > Lajos Moczar
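
The connector advice in this thread (only the connector port open, Tomcat's own 8080 not reachable, the 8009 listener kept on loopback) can be checked against a server.xml. The following is an added example, not code from the thread or from the Tomcat project; both sample configurations are constructed, and the `port`, `protocol` and `address` Connector attributes are written in current Tomcat syntax rather than the 2003-era format.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: direct HTTP connector left on next to an unbound AJP one.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed sample: only the AJP connector remains, bound to loopback.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

def is_loopback(address):
    """True only when a connector is explicitly bound to a loopback address."""
    if not address:
        # Assumption: the default bind differs between Tomcat versions,
        # so an unset address is flagged for review rather than trusted.
        return False
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False

def audit_connectors(server_xml):
    """Return (port, protocol, finding) for connectors reachable off-host."""
    connectors = ET.fromstring(server_xml).findall("./Service/Connector")
    is_ajp = lambda c: c.get("protocol", "HTTP/1.1").upper().startswith("AJP")
    fronted = any(is_ajp(c) for c in connectors)  # Apache + mod_jk in use
    findings = []
    for c in connectors:
        if is_loopback(c.get("address")):
            continue
        port, proto = int(c.get("port", "0")), c.get("protocol", "HTTP/1.1")
        if is_ajp(c):
            findings.append((port, proto, "AJP connector not bound to loopback"))
        elif fronted:
            findings.append((port, proto, "direct HTTP connector bypasses Apache"))
    return findings
```

When Apache and Tomcat run on different hosts the AJP connector cannot be loopback-only, so that finding then means "confirm a firewall restricts 8009 to the Apache host".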