Christopher Schultz wrote: > Leon Rosenberg wrote: > > Also by using apache in front of tomcat you rather loose[sic] > > security than gain it. At least this is my personal opinion :-) > > Would you care to defend that argument?
You defend it yourself in the next paragraph you've written. > One could argue that more moving parts equals more complexity, and that > complexity is an enemy of security (and I agree). However, there must be > a balance. If good security requires layers, and each layer adds more > complexity, then there is a paradox. Exactly. > I would argue that Apache httpd is quite mature and is trustworthy. > Sure, you're not likely to run into a buffer overflow bug in Tomcat, but > a bad configuration can open any server to attack. Is a bad Tomcat > configuration alone any better than a bad Tomcat configuration sitting > behind Apache httpd? IMO you're missing the point. If your Tomcat configuration is "bad" then what I would consider the right measure to be taken is change the Tomcat configuration so that it becomes "good". I wouldn't consider it a wise idea to put a httpd in front of a badly configured Tomcat and thereby hope to improve things. httpd may be mature and trustworthy but whether it's "secure" largely depends on how skillful and careful httpd's configuration is crafted. And if someone isn't able to build a "good" configuration for Tomcat, I doubt that he'll be able to come up with really, really "good" configuration for httpd, this way compensating the former with the latter . Anyway: AFAIR (can't reach owasp.org atm) the Article mentions putting httpd in front of Tomcat as one means among others to work around the fact that on Unix-like systems Tomcat alone can't bind to port 80 if running under a restricted account. No question, this is one possible solution. But whether or not it's the right solution to chose is a entirely different question. If someone asks: "I've a server running Tomcat. Tomcat is all I need and it's working fine. The only thing that bugs me is: How can I make Tomcat accessible via port 80 without running it as root?" In this case answering "Easy! Just install httpd, install mod_jk, configure httpd, configure mod_jk, configure Tomcat to accept requests via AJP and voilá, you're set", I would call completely brain-dead. OTOH: in an environment where there's already an httpd installed that can't be replaced by Tomcat, using this httpd as a frontend to Tomcat might be exactly the way to go. Maybe the article could provide some hints on how to decide which of the possible solutions might be the best for a given circumstance. Regards mks --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
