, but
can't really see why or how. Anyone know?
Great product this Tomcat. Kudos to all involved.
- Original Message -
From: Turner, John [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, October 17, 2002 1:57 PM
Subject: RE: Best practices question
I run
Qmail List wrote:
I have been wondering about this as well. Apache screams and hollers
BIG_SECURITY_HOLE if you compile it with the flags allowing it to run as
root.
That said, I love the fact that Tomcat runs as root. It makes it easy for
your webapp to do things admin applications, servers,
I run Tomcat under a separate user account. I avoid running services as
root whenever possible.
John
-Original Message-
From: Randy Paries [mailto:randy.paries;unitnet.com]
Sent: Thursday, October 17, 2002 1:56 PM
To: 'Tomcat Users List'
Subject: Best practices question
Hello
On Thu, 17 Oct 2002, Qmail List wrote:
Date: Thu, 17 Oct 2002 15:03:27 -0400
From: Qmail List [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Best practices question
I have been wondering about this as well. Apache
Mark Eggers wrote:
Following that idea, only run Tomcat as root if you
are using it as a web server binding to a port less
than 1024. Otherwise, run it from a non-privileged
account so that if there is a security issue the most
it should trash is your web server environment.
In addition, it is
.
John
-Original Message-
From: Qmail List [mailto:edahnke;earthlink.net]
Sent: Thursday, October 17, 2002 3:03 PM
To: Tomcat Users List
Subject: Re: Best practices question
I have been wondering about this as well. Apache screams and hollers
BIG_SECURITY_HOLE if you compile
Randy,
A general rule of security is permit only what is
needed, and deny everything else.
Following that idea, only run Tomcat as root if you
are using it as a web server binding to a port less
than 1024. Otherwise, run it from a non-privileged
account so that if there is a security issue the
. Anyone know?
Great product this Tomcat. Kudos to all involved.
- Original Message -
From: Turner, John [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, October 17, 2002 1:57 PM
Subject: RE: Best practices question
I run Tomcat under a separate user
Hello,
I was wondering, are most people starting Tomcat from root, or are they
doing it other ways?
What is the suggestion for this?
How big are the security issues if started by root?
Would it be ok to start it by user apache?
Thanks
Sun, 29 Sep 2002 22:17:25 -0700 (PDT) Craig R. McClanahan [EMAIL PROTECTED] said:
Regarding restarting a webapp without restarting Tomcat, you should read
up on the Manager servlet that comes with Tomcat 4.0 and 4.1:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/manager-howto.html
If the
Message-
From: V. Cekvenich [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 29, 2002 8:32 PM
To: [EMAIL PROTECTED]
Subject: Re: Best Practices Question
I think there is no reason to use Apache.
Tomcat can do it all and it is simpler this way.
Plus Tomcat can do JSPs, etc.
V
-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 29, 2002 9:40 PM
... snip...
Valid reasons to need it include:
* Tomcat standalone is not fast enough (note that this is different
from a rule saying select the fastest possible
What about SSL, is it better/more efficient to allow apache to handle the
SSL or to drop apache and allow tomcat to do it all?
-Original Message-
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: 30 September 2002 13:39
To: 'Tomcat Users List'
Subject: RE: Best Practices Question
On Mon, 30 Sep 2002 [EMAIL PROTECTED] wrote:
Date: Mon, 30 Sep 2002 13:39:07 +0100
From: [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Best Practices Question
What about SSL, is it better/more efficient to allow apache to handle
For a medium to high volume site using Apache to serve static
content (static html, images, css, etc.) is:
1. Faster and more reliable (no pauses due to JVM garbage collection, etc.)
2. Takes that load off of Tomcat so it can concentrate on dynamic content.
(JSPs/Servlets)
3. Allows you to do
Craig R. McClanahan wrote:
On Sun, 29 Sep 2002 [EMAIL PROTECTED] wrote:
Kent,
I think we are on the same track, Apache was designed for that purpose,
is more robust and mature and certainly has less security related
issues.
Regarding maturity, I presume you're talking about 1.3,
I have not used Tomcat in a couple years. The last
time I used it, our company's policy was to integrate
with Apache and get Apache to do the serving duties
and just use Tomcat as the jsp processor.
With Tomcat 4 is this still considered a good practice
for high traffic sites?
Thanks,
Barry
Unequivocally: yes if you are serving up only jsp and servlets!
I use 4.0.4
Barry Moore wrote:
I have not used Tomcat in a couple years. The last
time I used it, our company's policy was to integrate
with Apache and get Apache to do the serving duties
and just use Tomcat as the jsp
I think there is no reason to use Apache.
Tomcat can do it all and it is simpler this way.
Plus Tomcat can do JSPs, etc.
V.
Barry Moore wrote:
I have not used Tomcat in a couple years. The last
time I used it, our company's policy was to integrate
with Apache and get Apache to do the
On Sun, Sep 29, 2002 at 08:31:32PM -0400, V. Cekvenich wrote:
I think there is no reason to use Apache.
Tomcat can do it all and it is simpler this way.
IF you want tomcat running at root, assuming that you want tomcat to
answer requests on port 80.
I, personally, prefer to have apache on
V. Cekvenich wrote:
I think there is no reason to use Apache
Tomcat can do it all and it is simpler this way.
Apache is by far the more mature and robust of the two and was designed
with the web in mind.
Whereas it is true Tomcat can take over from Apache to some extent it
was designed as a
Kent Perrier wrote:
On Sun, Sep 29, 2002 at 08:31:32PM -0400, V. Cekvenich wrote:
I think there is no reason to use Apache.
Tomcat can do it all and it is simpler this way.
IF you want tomcat running at root, assuming that you want tomcat to
answer requests on port 80.
I,
[EMAIL PROTECTED] wrote:
Kent Perrier wrote:
On Sun, Sep 29, 2002 at 08:31:32PM -0400, V. Cekvenich wrote:
I think there is no reason to use Apache.
Tomcat can do it all and it is simpler this way.
IF you want tomcat running at root, assuming that you want tomcat to
answer
On Sun, 29 Sep 2002 [EMAIL PROTECTED] wrote:
Kent,
I think we are on the same track, Apache was designed for that purpose,
is more robust and mature and certainly has less security related
issues.
Regarding maturity, I presume you're talking about 1.3, right? The Apache
2.0 code is
Sun, 29 Sep 2002 18:39:54 -0700 (PDT) Craig R. McClanahan [EMAIL PROTECTED] said:
IMHO, anyone who goes to all the extra effort of configuring
Apache+Tomcat, instead of Tomcat alone, is nuts unless they need it.
Valid reasons to need it include:
I am pondering one more: reducing interruption
PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Best Practices Question
Sun, 29 Sep 2002 18:39:54 -0700 (PDT) Craig R. McClanahan [EMAIL PROTECTED]
said:
IMHO, anyone who goes to all the extra effort of configuring
Apache+Tomcat, instead of Tomcat alone, is nuts unless