On Fri, 7 Dec 2001, GOMEZ Henri wrote:

> Caution, caution with security.
>
> On many sites, the web-server is located on a DMZ so subject
> to be hacked, while the Tomcats are behind firewall. Having
> webapp (program) could raise many problems.

Hmm... I hope sandboxing is used for tomcat in this case...

> INTERNET ---> FW ---> APACHE HTTP -> FW (only ajp13) -> TOMCAT's
>
> Why not imagine that Apache will ask to Tomcat, maybe to a
> tomcat tagged a master repository, to be sent all the WEBAPPS
> infs ?

As I said in a previous mail, startup sequence is one big problem.

The other - I believe it's simpler. Apps must be deployed on apache as well, or at least the static content ( and with my proposal WEB-INF/jk.properties ).

> >mod_jk will use the same logic as tomcat to find all subdirs,
> >and automatically add the contexts. ( using 'global' mappings )
>
> Why not, I'll be more than happy to remove workers.properties and
> have it included in httpd.conf. Good things will be to map
> VirtualHost to remote Virtual on Tomcat.

Well... I already added code to allow use of httpd.conf instead of workers.properties ( I use it for development, so I don't have to change 2 files ).

Virtual hosts are a problem I'm trying to resolve - the current mapper doesn't seem to have that, not sure how it works on IIS/iPlanet.

Regarding my proposal, we can either use 3.3 non-flat webapps/ ( i.e. webapps/virtual.host/app ) or have a webapp dir per virtual host, specified with either

    JkWebapps /webapps1 whost1.com

or inside a <Virtual> directive.

> >- no need to have tomcat running ( or running on
> >the server machine )
>
> For security reason, I'd like to avoid having webapp code
> (servlet/jsp) on the web-server. And if tomcat is not
> running (locally or remotely), is there a need to
> do a collect of webapp ?

For servlets - you can remove them from apache if you want.

For jsps - they could be removed, but ( when I'll have time... ) I want to try sending the static content of the jsp using apache. It may work or not - but I think it's worth trying, and if it works the way I expect it should have a good performance benefit.

> Could we discuss about a Tomcat 3.3 running as a webapp
> repositories manager ?

Or in general a config server ? I.e. a server ( tomcatX, apache, OpenLDAP, database ) where all configs are stored and the workers get it automatically ?

Yes, that would be nice - but I think it's more dream-level at this moment, most people have problems with configuring the simple case.

Costin