Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-14 Thread Nathan Ward
True, but I don't have much static content and the Apache Tomcat Security
book is not making that point. I'm trying to determine whether or not it is
better to have a web server in front of Tomcat under Windows for security
reasons. The book seems to say that but it clearly describe why this
provides better security when running Tomcat under Windows.

   Nathan

- Original Message -
From: Rick Roberts [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 11:02 PM
Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?


 Because a web server serves static content (html, images, etc.) much
faster than
 tomcat will.

 Nathan Ward wrote:
  Hello John,
 
  I hate to be pushy, but are you going to post a reply to this question
at some point?
 
 Nathan
- Original Message -
From: Nathan Ward
To: [EMAIL PROTECTED] ; Tomcat Users List
Sent: Monday, August 04, 2003 11:05 AM
Subject: Why integrate Tomcat with a web server?
 
 
I have a question for John Turner about a statement in the book Apache
Tomcat Security.
 
Page 12 says:
As discussed earlier, running publicly available web services as root
or superuser is typically a bad idea, so the solution is to avoid using
Tomcat as a stand-alone web server on port 80 by integrating it with a
standard HTTP web server such as Apache, Microsoft's IIS, or Sun
Microsystem's iPlanet.
 
Question: Does this apply when running under Windows? The reference to
as discussed earlier talks about running Tomcat as a service with more
permissions than necessary. Windows defaults to running services as SYSTEM
which has administrator privileges. Fine, but as also mentioned earlier, you
can create a user account with less permissions and setup the service to run
Tomcat under that account. So, how does the statement on page 12 relate to
running Tomcat under windows, i.e. why run Tomcat with IIS rather than just
run Tomcat? There may be performance reasons, but from a security point of
view, is there increased security risks in running Tomcat without IIS when
running as a service under Windows?
 
   Nathan
 

 --
 ***
 * Rick Roberts*
 * Advanced Information Technologies, Inc. *
 * http://www.ait-web.com  *
 ***


 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]







RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-14 Thread Shapira, Yoav

Howdy,

> Because a web server serves static content (html, images, etc.) much
> faster than tomcat will.

Really?  Do you have a benchmark using tomcat 4.1.x that supports the
above?

Yoav Shapira




This e-mail, including any attachments, is a confidential business communication, and 
may contain information that is confidential, proprietary and/or privileged.  This 
e-mail is intended only for the individual(s) to whom it is addressed, and may not be 
saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) 
intended recipient, please immediately delete this e-mail from your computer system 
and notify the sender.  Thank you.





RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-14 Thread Angus Mezick
If you do run a benchmark don't forget to turn on mod_cache in apache :)

 -Original Message-
 From: Eric J. Pinnell [mailto:[EMAIL PROTECTED] 
 Sent: Friday, August 08, 2003 11:43 AM
 To: Tomcat Users List
 Subject: Re: Can I get an answer please -- Re: Why integrate 
 Tomcat with a web server?
 
 
 Hi,
 
 I agree.  That is what I have always read and I think it's a wide
 conception that is out there.
 
 If this isn't true could someone enlighten us?
 
 -e
 
 On Fri, 8 Aug 2003, Rick Roberts wrote:
 
  Of course not.  I'm only regurgitating stuff I have read.  
 But I have seen it
  from several different sources, so I took it as truth.  Do 
 you have benchmarks
  to prove otherwise?
 
  --
  ***
  * Rick Roberts*
  * Advanced Information Technologies, Inc. *
  * http://www.ait-web.com  *
  ***
  Shapira, Yoav wrote:
   Howdy,
  
  
  Because a web server serves static content (html, images, 
 etc.) much
  
   faster
  
  than tomcat will.
  
  
   Really?  Do you have a benchmark using tomcat 4.1.x that 
 supports the
   above?
  
   Yoav Shapira
 
 
  



RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-14 Thread Shapira, Yoav

Howdy,

> If you do run a benchmark don't forget to turn on mod_cache in apache :)

I have run several benchmarks, and there's no doubt either server can be
tuned/configured/customized to a large degree to affect performance.
I'm not going to bother with that: I'm going to run them both as close
to out of the box as possible.  If you'd like to experiment with the
performance of each option/mod/setting, feel free to do your own
benchmark ;)

Yoav Shapira






RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-14 Thread Noel J. Bergman
Nathan,

There are many facets to the subject, but if you don't mind running all
of your domains in one process, have no need for load balancing, no need for
non-Tomcat features, etc., then running Tomcat directly is probably fine.
Historically (and structurally), Tomcat should prove more secure than an IIS
frontend.

--- Noel





RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-11 Thread Shapira, Yoav

Howdy,

> It actually makes since.  Most web servers are in native code which is
> uasually faster, and tomcat is in java.

You're right (in meaning if not in spelling ;)), it does make sense for
native code to execute faster.  But java performance has been
continually improving so that it's no longer always a huge difference.

Yoav Shapira







RE: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-09 Thread Shawn Zernik
It actually makes since.  Most web servers are in native code which is
uasually faster, and tomcat is in java.

-Original Message-
From: Rick Roberts [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 10:38 AM
To: Tomcat Users List
Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with
a web server?


Of course not.  I'm only regurgitating stuff I have read.  But I have seen
it
from several different sources, so I took it as truth.  Do you have
benchmarks
to prove otherwise?

--
***
* Rick Roberts*
* Advanced Information Technologies, Inc. *
* http://www.ait-web.com  *
***
Shapira, Yoav wrote:
 Howdy,


Because a web server serves static content (html, images, etc.) much

 faster

than tomcat will.


 Really?  Do you have a benchmark using tomcat 4.1.x that supports the
 above?

 Yoav Shapira





Re: Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-09 Thread Nathan Ward
Sorry about that John. I must have missed your reply. I'm still figuring out
how to effectively use the mailing lists. I wanted to direct the message to
you, but I thought it would be useful to others so I wanted to post it here
rather than sending it only to you.

   Nathan

- Original Message -
From: John Turner [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, August 08, 2003 9:35 AM
Subject: Re: Can I get an answer please -- Re: Why integrate Tomcat with a
web server?



 I did, last week.

 In any case, if you have something to ask me directly, you can send me a
 message off-list.

 John

 Nathan Ward wrote:

  Hello John,
 
  I hate to be pushy, but are you going to post a reply to this question
at some point?
 
 Nathan
- Original Message -
From: Nathan Ward
To: [EMAIL PROTECTED] ; Tomcat Users List
Sent: Monday, August 04, 2003 11:05 AM
Subject: Why integrate Tomcat with a web server?
 
 
I have a question for John Turner about a statement in the book Apache
Tomcat Security.
 
Page 12 says:
As discussed earlier, running publicly available web services as root
or superuser is typically a bad idea, so the solution is to avoid using
Tomcat as a stand-alone web server on port 80 by integrating it with a
standard HTTP web server such as Apache, Microsoft's IIS, or Sun
Microsystem's iPlanet.
 
Question: Does this apply when running under Windows? The reference to
as discussed earlier talks about running Tomcat as a service with more
permissions than necessary. Windows defaults to running services as SYSTEM
which has administrator privileges. Fine, but as also mentioned earlier, you
can create a user account with less permissions and setup the service to run
Tomcat under that account. So, how does the statement on page 12 relate to
running Tomcat under windows, i.e. why run Tomcat with IIS rather than just
run Tomcat? There may be performance reasons, but from a security point of
view, is there increased security risks in running Tomcat without IIS when
running as a service under Windows?
 
   Nathan
 






Re: Why integrate Tomcat with a web server?

2003-08-07 Thread John Turner
In my opinion it applies even more so to Windows.

If it was my call, I would never, ever use IIS.  I would rather use 
Tomcat alone on port 80 if Windows was my environment.

Even IIS shouldn't be run with default permissions and access levels. 
Granted, changing this is not for anyone who isn't an advanced Microsoft 
admin, but that doesn't alter the fact that default configurations from 
MSFT, even the new Windows Server 2003, should always be immediately 
suspect until proven otherwise.  I'm not trying to bash MSFT, just 
trying to describe what I consider a best practice.

Security best practice is deny everything by default, then allow only 
what you absolutely need.  Translated to server admin, that means 
never run any service that can do anything it wants to do unless there 
is no other alternative.

The statement in the book has less oomph on Windows because Windows 
doesn't have the < 1024 port restriction as does UNIX and Linux.  You 
can run a service that doesn't have SYSTEM level access on port 80 on 
Windows without any additional configuration.  This is not true of UNIX 
or Linux.

Either way, running services as root or SYSTEM in my mind is a bad 
idea if there is an alternative.  The worst exploit in the world is the 
one that nobody knows about except the guy who just found it.  Better to 
take precautions as much as you can and do the triage up front rather 
than after.  Avoiding configurations where services have admin access is 
just one way to do that, even if on the surface it seems unnecessary.

HTH

John

Nathan Ward wrote:

I have a question for John Turner about a statement in the book Apache Tomcat Security. 

Page 12 says: 
As discussed earlier, running publicly available web services as root or superuser is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web server on port 80 by integrating it with a standard HTTP web server such as Apache, Microsoft's IIS, or Sun Microsystem's iPlanet.

Question: Does this apply when running under Windows? The reference to as discussed earlier talks about running Tomcat as a service with more permissions than necessary. Windows defaults to running services as SYSTEM which has administrator privileges. Fine, but as also mentioned earlier, you can create a user account with less permissions and setup the service to run Tomcat under that account. So, how does the statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with IIS rather than just run Tomcat? There may be performance reasons, but from a security point of view, is there increased security risks in running Tomcat without IIS when running as a service under Windows?

   Nathan
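
The check implied by the message above (which account is behind a service listening on a web port), as an added example that is not part of the original thread or the book. The port list and variable names are assumptions, and `Get-NetTCPConnection` needs Windows 8 / Server 2012 or later.

```powershell
# Added example: list listening web ports and the account of the owning service.
# Assumption: the port list is illustrative (HTTP, HTTPS, Tomcat's usual 8080/8009).
param([int[]]$Ports = @(80, 443, 8080, 8009))

# Built-in identities that carry full administrative rights on the machine.
$highPrivilege = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

# Index running services by the process that hosts them.
$byPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $key = [int]$_.ProcessId
        if (-not $byPid.ContainsKey($key)) { $byPid[$key] = @() }
        $byPid[$key] += $_
    }

$report = Get-NetTCPConnection -State Listen |
    Where-Object { $Ports -contains $_.LocalPort } |
    Sort-Object -Property LocalPort, OwningProcess -Unique |
    ForEach-Object {
        $port   = $_.LocalPort
        $procId = [int]$_.OwningProcess
        if ($byPid.ContainsKey($procId)) {
            foreach ($svc in $byPid[$procId]) {
                [pscustomobject]@{
                    Port      = $port
                    ProcessId = $procId
                    Service   = $svc.Name
                    Account   = $svc.StartName
                    # True when the listener runs with SYSTEM-level access.
                    Review    = $highPrivilege -contains $svc.StartName
                }
            }
        } else {
            # Listener is not a service (console process, kernel HTTP driver, ...).
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = $port
                ProcessId = $procId
                Service   = "(process) $($proc.ProcessName)"
                Account   = 'unknown'
                Review    = $false
            }
        }
    }

$report | Sort-Object Port | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the services the message argues should be moved to a dedicated low-privilege account.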





Can I get an answer please -- Re: Why integrate Tomcat with a web server?

2003-08-07 Thread Nathan Ward
Hello John, 

I hate to be pushy, but are you going to post a reply to this question at some point?

   Nathan
  - Original Message - 
  From: Nathan Ward 
  To: [EMAIL PROTECTED] ; Tomcat Users List 
  Sent: Monday, August 04, 2003 11:05 AM
  Subject: Why integrate Tomcat with a web server?


  I have a question for John Turner about a statement in the book Apache Tomcat 
Security. 

  Page 12 says: 
  As discussed earlier, running publicly available web services as root or superuser 
is typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web 
server on port 80 by integrating it with a standard HTTP web server such as Apache, 
Microsoft's IIS, or Sun Microsystem's iPlanet.

  Question: Does this apply when running under Windows? The reference to as discussed 
earlier talks about running Tomcat as a service with more permissions than necessary. 
Windows defaults to running services as SYSTEM which has administrator privileges. 
Fine, but as also mentioned earlier, you can create a user account with less 
permissions and setup the service to run Tomcat under that account. So, how does the 
statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with 
IIS rather than just run Tomcat? There may be performance reasons, but from a security 
point of view, is there increased security risks in running Tomcat without IIS when 
running as a service under Windows?

 Nathan


Why integrate Tomcat with a web server?

2003-08-04 Thread Nathan Ward
I have a question for John Turner about a statement in the book Apache Tomcat 
Security. 

Page 12 says: 
As discussed earlier, running publicly available web services as root or superuser is 
typically a bad idea, so the solution is to avoid using Tomcat as a stand-alone web 
server on port 80 by integrating it with a standard HTTP web server such as Apache, 
Microsoft's IIS, or Sun Microsystem's iPlanet.

Question: Does this apply when running under Windows? The reference to as discussed 
earlier talks about running Tomcat as a service with more permissions than necessary. 
Windows defaults to running services as SYSTEM which has administrator privileges. 
Fine, but as also mentioned earlier, you can create a user account with less 
permissions and setup the service to run Tomcat under that account. So, how does the 
statement on page 12 relate to running Tomcat under windows, i.e. why run Tomcat with 
IIS rather than just run Tomcat? There may be performance reasons, but from a security 
point of view, is there increased security risks in running Tomcat without IIS when 
running as a service under Windows?

   Nathan