I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)

On Mon, Apr 27, 2009 at 6:46 PM, Robin Wilson <rwil...@kingsisle.com> wrote:
> I can't answer for others - but one of the big values in a 'production'
> environment is to separate concerns. The apache servers can sit in a
> different DMZ area, and have only static (and unprotected) content on them.
> The tomcat servers have another firewall between them and the apache servers
> - and they host the webapps, and have access to protected content (which is
> controlled via servlets). In addition, the apache servers have no access to
> the databases, so an attacker would have to break through both the apache
> and the tomcat defenses in order to gain access to the database content.

Sorry, this is no security at all. If the attacker was able to break your OS once and come to your apache httpd server, he will be able to break it a second time and come to the tomcat serving server. Increasing complexity doesn't necessarily increase security; the truth is that more complexity usually compromises security. Anyway, an unfiltered connection between your httpd and your tomcat server exists (ajp), and the attacker can exploit it directly, since httpd will just send all mapped requests 1 on 1. Finally, httpd is written in C and therefore vulnerable to all kinds of attacks a Java program is not, like buffer/heap overflows.

> In addition to more granular security (as described above), having isolated
> the web layer from the application layer allows you to independently adjust
> the performance of each. If you are finding that your system serves a lot
> more static content than it does 'application' functionality, you may need
> several web servers to handle the load. Likewise, if your system is
> application focused, you may need more tomcat servers (probably clustered)
> than web servers.

The short answer to that would probably be: if you have performance concerns, you just do not use apache httpd. If you want/need to load-balance, a hardware load balancer is the weapon of choice. If you need to serve a lot of large static content (pictures), you put reverse proxies in front of your tomcats. If you need to serve static content (js, css etc.) along with dynamic content, you let tomcat handle it; it serves static content faster than httpd anyway.

IMHO, the only valid use for httpd in front of tomcat is when you are a one-man one-server company and need to host a lot of virtual stuff on your box including php and such. Everything else and you are better off without httpd :-)

regards
Leon

P.S.
to determine whether you need or do not need httpd in front of your tomcat, stick with the KISS principle: ask yourself the question: will it ease your pain and really really solve your problems without adding new ones? In most cases the answer will be no :-)

> All that being said, it's really a matter of the needs for your particular
> deployment. If you have no serious security concerns, and you don't need to
> isolate the web load from the application server load - a single server
> running tomcat is perfectly acceptable.
>
> --
> Robin D. Wilson
> Director of Web Development
> KingsIsle Entertainment, Inc.
> WORK: 512-623-5913
> CELL: 512-426-3929
> www.KingsIsle.com
>
> -----Original Message-----
> From: Elmar Haneke [mailto:el...@haneke.de]
> Sent: Monday, April 27, 2009 11:27 AM
> To: Tomcat Users List
> Subject: Re: Why we need two servers (httpd and tomcat)
>
>> And why do we need these two servers in the first place.
>
> Running tomcat in stand-alone-mode might be sufficient for a website
> not depending on modules available in httpd only (as PHP, mod_rewrite or
> server-side-includes).
>
> Elmar
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org