> simpler = better

Fully agree. Keep it simple.

We however have to put an httpd in front in the DMZ anyway because our security 
people would never allow us to put any business logic there. And they want us 
to change protocol on the way to the application so the switch from HTTPS to 
AJP is good to calm them down.

Torsten

-----Original Message-----
From: David Smith [mailto:[EMAIL PROTECTED] 
Sent: 30. oktober 2008 19:55
To: Tomcat Users List
Subject: Re: JSVC vs standard startup / shutdown scripts


>
> I don't have any personal issue with moving to running Tomcat directly as
> the non-privileged account meant for Tomcat ...

Just to clarify, jsvc runs tomcat as an unprivileged user as well.  One
advantage to jsvc is it allows tomcat to be run by itself without funky
iptables rules or a front-end server.  It's a simpler setup and overall
I'm a firm believer in simpler = better.

--David

Andrew Ralph Feller, afelle1 wrote:
> Thanks for the response Torsten!
>
> In our environment, the machines we have Tomcat running on strictly use
> Tomcat 6, APR for SSL support, and we load balance applications through an
> external load balancer.  We have been able to get by without bringing HTTPD
> for things like mod_rewrite or any of the PAMs, so I would like to keep it
> as simple as possible.
>
> I don't have any personal issue with moving to running Tomcat directly as
> the non-privileged account meant for Tomcat, however I am curious about the
> trade offs especially related to security.
>
> Thanks!
>
> On 10/30/08 12:37 PM, "[EMAIL PROTECTED]"
> <[EMAIL PROTECTED]> wrote:
>
>   
>> Hi Andrew,
>>
>> We let all our Tomcats run on a non-privileged port and use some init script
>> using startup.sh/shutdown.sh, and have an Apache httpd forwarding requests
>> with AJP.
>>
>> We then use Apache httpd for things like terminating SSL, do RADIUS or LDAP
>> authentication, load balancing several Tomcat instances and so on.
>>
>> I think it is a good and common setup like that.
>>
>> Torsten
>>
>> -----Original Message-----
>> From: Andrew Feller [mailto:[EMAIL PROTECTED]
>> Sent: 30. oktober 2008 18:16
>> To: users@tomcat.apache.org
>> Cc: Brad Cupit
>> Subject: JSVC vs standard startup / shutdown scripts
>>
>> QUESTION: What is the best practice for running Tomcat?  JSVC daemon or
>> startup / shutdown scripts as a non-root user and forwarding HTTPS requests
>> to a non-privileged port?
>>
>> While reading the Professional Apache Tomcat 6 (ISBN: 978-0-471-75361-2),
>> they recommend running Tomcat to start it up using the startup script
>> provided in the Tomcat binary and having your firewall forward requests from
>> HTTPS to a non-privileged port.  This is very interesting for two reasons:
>>
>>    1. The book never mentions JSVC, which the Tomcat documentation does
>>    2. We believed using JSVC was the only way to run as a non-root user,
>>    which doesn't seem to be the case now
>>
>> I would appreciate any feedback about the trade offs and why people choose
>> one over the other.
>>
>> Thanks,
>> Andrew
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>     
>
>   

