Chuck,
On 8/2/17 11:54 PM, Caldarale, Charles R wrote:
>> From: Igal @ Lucee.org [mailto:i...@lucee.org]
>> Subject: Re: This is weird: can't bind to 443
>
>> I agree about the "one more thing to go wrong", but fronting
>> Tomcat with a Web Server gives a performance hit? I mean, sure,
>> now requests for Tomcat have another step to go through, but all
>> of the static resources (assuming there are static resources)
>> will supposedly be handled more efficiently by a web server, no?
>
> Um, no. A lot of work has gone into improving Tomcat performance
> over the past few years, to the point where it's largely on par
> with httpd.

+1

I looked, and unfortunately the slides jfclere and I did for ApacheCon 2014 are not posted anywhere. They contained lots of comparisons of static-content load under various configurations, and Tomcat keeps up with httpd.

When using TLS, use of OpenSSL is required because JSSE is slow as a dog. There are updated comparisons available from this past year where jfclere compares OpenSSL performance through JSSE versus OpenSSL through APR versus pure-Java JSSE. Unfortunately it does not include a comparison against httpd, but httpd is essentially the same thing as APR+OpenSSL in Tomcat.

http://schd.ws/hosted_files/apachecon2017/93/TomcatOpenSSL.pdf

Start on slide 15 for pretty graphs.

> Put both in the mix (assuming you're not using httpd for other
> reasons), and what you've mostly done is add latency.

+1 ... especially if you need TLS behind the proxy as well as in front.

>> The added layer usually provides more security as well, provided
>> that the web server doesn't add new vulnerabilities, of course.
>
> Pretty much all components have (undiscovered) vulnerabilities, so
> having more components actually increases the attack surface.
>
>> I personally use nginx for SSL termination, which I find easier
>> than Tomcat, though it's been many years since I last tried to
>> setup Tomcat with https.
>
> Now that Tomcat can use OpenSSL directly, it's easier than it used
> to be. That said, if you do have a front end to Tomcat, might as
> well do the SSL termination there to simplify things.

-chris
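As an added illustration of the "Tomcat can use OpenSSL directly" point above (this is not configuration from the original message, from Chuck, or from the Tomcat project's own distribution files), the following server.xml fragment shows the shape of a Tomcat 8.5/9 HTTPS connector that does its TLS through the OpenSSL engine loaded by tcnative instead of pure-Java JSSE. The port, PEM file paths, thread count and cipher list are assumptions chosen for the example.

```xml
<!-- Added example, not from the original thread. Assumes Tomcat 8.5 or 9 with
     the tcnative library installed on the host; port and paths are illustrative. -->

<!-- Under <Server>: loads tcnative so the OpenSSL engine is available.
     SSLEngine="on" is what makes OpenSSL usable for TLS. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- Under <Service>: a plain NIO connector, but with TLS handled by OpenSSL
     (JSSE-style configuration, OpenSSL doing the crypto). Naming the
     implementation explicitly makes the choice visible in the config rather
     than relying on Tomcat's auto-detection of tcnative. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true"
           maxThreads="200"
           scheme="https" secure="true">
    <!-- Restrict protocol versions and pin a forward-secret, AEAD-only suite
         list; honorCipherOrder makes the server's preference win. -->
    <SSLHostConfig protocols="TLSv1.2"
                   honorCipherOrder="true"
                   ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384">
        <!-- PEM key and certificate files, as OpenSSL expects; no Java keystore
             is needed with this implementation. Paths are assumed. -->
        <Certificate certificateKeyFile="conf/example-rsa-key.pem"
                     certificateFile="conf/example-rsa-cert.pem"
                     certificateChainFile="conf/example-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, a handshake test such as `openssl s_client -connect localhost:8443 -tls1_2` should show a negotiated suite from the configured list; if the listener or tcnative is missing, the connector will not come up with the OpenSSL implementation, which is the failure mode to look for in catalina.out when trying this. Port 8443 is used here so the connector runs unprivileged; nothing in the fragment changes how Tomcat is allowed to bind 443.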