Apache vs Tomcat WRT Security
I was very interested in the discussion concerning Apache vs Tomcat WRT Performance. While I cannot argue with the performance numbers, I do like putting Apache in front of Tomcat for 2 reasons that I have found so far.

1. SSL. If I am going to be serving pages, whether they be dynamic or static, I think Apache handles the SSL communications and key storage better. In tests that I have run, the crypto that needs to be done to support SSL is faster in C than Java. Also, Tomcat stores any key information in a flat file, where Apache will prompt for a password on startup. Now some administrators might like this better, because Tomcat will then start automatically at boot time, but I would not want any password of mine sitting in the clear in a text file.

2. If you are hosting your site using port 80 on Unix boxes, this means running Tomcat as root. I can think of very few reasons why Tomcat needs to be run as root. Apache has the ability to 'downgrade' user privileges once Apache is started.

Please do not think that I am bashing Tomcat, just pointing out some interesting findings that I have come across over time. I have been a supporter and user of Tomcat back to the 3.x days and will continue. Thank you.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache vs Tomcat WRT Security
I won't argue with no. 1 since I don't use SSL connectors in Tomcat. However, no. 2 can be mitigated with the commons-daemon project among other tricks and IMHO, not a valid argument against having Tomcat out front. Just my thoughts on the subject. :-)

-David

Mark wrote:
> 1. SSL. If I am going to be serving pages, whether they be dynamic or static, I think Apache handles the SSL communications and key storage better.
> 2. If you are hosting your site using port 80 on Unix boxes, this means running Tomcat as root. I can think of very few reasons why Tomcat needs to be run as root. Apache has the ability to 'downgrade' user privileges once Apache is started.

--
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture and Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY 14853
Phone: 607.255.9571
Fax: 607.255.0939
Re: Apache vs Tomcat WRT Security
On 5/19/05, Mark [EMAIL PROTECTED] wrote:
> 1. SSL. If I am going to be serving pages, whether they be dynamic or static, I think Apache handles the SSL communications and key storage better. In tests that I have run, the crypto that needs to be done to support SSL is faster in C than Java. Also, Tomcat stores any key information in a flat file, where Apache will prompt for a password on startup. Now some administrators might like this better, because Tomcat will then start automatically at boot time, but I would not want any password of mine sitting in the clear in a text file.

The next Tomcat 5.5 release will include APR based connectors, where SSL will (predictably) use OpenSSL.

> 2. If you are hosting your site using port 80 on Unix boxes, this means running Tomcat as root. I can think of very few reasons why Tomcat needs to be run as root. Apache has the ability to 'downgrade' user privileges once Apache is started.

I think you should have googled for that. You can use either kernel level redirection (iptables, for example), or use jsvc.

--
Rémy Maucherat
Developer Consultant
JBoss Group (Europe) SàRL
Re: Apache vs Tomcat WRT Security
I don't know about others, but I prefer to run Tomcat on port 8080 and then set up the router to redirect port 80 to 8080. It's rather easy to set up these days.

peter

On 5/19/05, Remy Maucherat [EMAIL PROTECTED] wrote:
> I think you should have googled for that. You can use either kernel level redirection (iptables, for example), or use jsvc.
Re: Apache vs Tomcat WRT Security
OK, so I will admit that I am out of the loop with regards to #2. But I still have an issue with storing any passwords required to open key files in the clear. Is there some function that will handle this for me...

On 5/19/05, Peter Lin [EMAIL PROTECTED] wrote:
> I don't know about others, but I prefer to run Tomcat on port 8080 and then set up the router to redirect port 80 to 8080. It's rather easy to set up these days.
Re: Apache vs Tomcat WRT Security
Mark wrote:
> OK, so I will admit that I am out of the loop with regards to #2. But I still have an issue with storing any passwords required to open key files in the clear. Is there some function that will handle this for me...

Assuming that the file is sensibly protected with OS security, if an attacker is able to read this file then the chances are they already own the box or are well on the way to owning it, and you have much bigger problems.

As always with security, you need to consider all of the threats to your system, the possible mitigation actions and the balance between effort/cost of the mitigation and the acceptable level of risk for your system. In my experience the balance is usually in favour of availability rather than using a password on startup, but each system is unique.

Mark
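One concrete form of "sensibly protected with OS security", as an added example that is not code from the thread or from Tomcat: a check that the keystore (or the config file holding its password) is a regular file owned by the service account with no group or world permission bits. The demo helper and the /tmp paths are constructed for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 0 when path is a regular file owned by want_uid with no group or
 * world permission bits, otherwise -1. This is the minimum a file holding
 * a keystore password in the clear should satisfy before the server starts. */
int secret_file_is_protected(const char *path, uid_t want_uid) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;            /* missing or unreadable */
    if (!S_ISREG(st.st_mode)) return -1;             /* symlink or device: refuse */
    if (st.st_uid != want_uid) return -1;            /* owned by someone else */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return -1; /* group/world access */
    return 0;
}

/* Demo helper (constructed for this example): create a temporary file with
 * the given mode and write its path into out_path. Returns 0 on success. */
int make_temp_file(mode_t mode, char *out_path, size_t len) {
    char tmpl[] = "/tmp/keystore-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    snprintf(out_path, len, "%s", tmpl);
    return 0;
}

int main(void) {
    char good[64], bad[64];
    if (make_temp_file(0600, good, sizeof good) != 0 ||
        make_temp_file(0644, bad, sizeof bad) != 0) return 1;
    printf("mode 0600: %s\n", secret_file_is_protected(good, getuid()) == 0 ? "protected" : "EXPOSED");
    printf("mode 0644: %s\n", secret_file_is_protected(bad, getuid()) == 0 ? "protected" : "EXPOSED");
    unlink(good);
    unlink(bad);
    return 0;
}
```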
Re: Apache vs Tomcat WRT Security
On Thu, 19 May 2005, Mark wrote:
> 1. SSL. If I am going to be serving pages, whether they be dynamic or static, I think Apache handles the SSL communications and key storage better. In tests that I have run, the crypto that needs to be done to support SSL is faster in C than Java. Also, Tomcat stores any key information in a flat file, where Apache will prompt for a password on startup. Now some administrators might like this better, because Tomcat will then start automatically at boot time, but I would not want any password of mine sitting in the clear in a text file.

Agreed.

> 2. If you are hosting your site using port 80 on Unix boxes, this means running Tomcat as root. I can think of very few reasons why Tomcat needs to be run as root. Apache has the ability to 'downgrade' user privileges once Apache is started.

jsvc will allow you to do this with Tomcat; a simple guide to setting this up is here: http://www.mythic-beasts.com/support/topic_vds_java.html

Yours,

Pete Stevens

--
Pete Stevens
[EMAIL PROTECTED]
http://www.ex-parrot.com/~pete/
the Flat Earth Society announced in 1995 that their membership was global
Re: Apache vs Tomcat WRT Security
David Smith wrote:
> I won't argue with no. 1 since I don't use SSL connectors in Tomcat. However, no. 2 can be mitigated with the commons-daemon project among other tricks and IMHO, not a valid argument against having Tomcat out front. Just my thoughts on the subject. :-)

I'll just add to the mix... The way I see it, you will use Apache as a front end for other reasons. Some of them might be:

1. You already have a web site, into which you would like to plug in your applications
2. You would like to use Apache's mod_rewrite
3. You would like to mix PHP, ASP, Perl or something else on your global site
4. You have a need for exotic authentication, like LDAP or Kerberos5/SPNEGO (read: MS Active Directory)
5. You have a need for any of those nifty modules of Apache
6. You would like to use dedicated servers for TC's application serving and load balance

Nix.