This is getting dated but is still somewhat accurate: http://tomcat.apache.org/faq/connectors.html#integrate

The latest versions of Tomcat are comparable to Apache in delivering static content. But in reality - unless your site is very high traffic - this is not an issue. It's ([expensive dynamic content] + [high concurrency]) which will hurt your scalability.

For security, Apache is more likely to be attacked than Tomcat since it has a wider usage base. (Notice how Windows/IE is attacked a lot, Mac attacks are coming, Linux attacks are already here, ...) Because of the higher threat to Apache - there are more resources dedicated to looking for Apache vulnerabilities and media outlets are more inclined to make Apache vulnerabilities front page news. (I'm not saying this is right, it's just the world we live in). In a good Apache + Tomcat installation, only Apache is publicly available to the internet. Tomcat is only accessible by an internal network AND Apache. This should make Tomcat very secure since the only attacks it can receive are via Apache or an internal network. (But there have been attacks against Apache and other servers which act as proxies by using HTTP response splitting)

Personally - I like having Apache in front of Tomcat because I find it easier to do CGI, static content directory aliasing, and the volume of available modules to be very convenient. It also allows my site to be up with a higher uptime since I can restart / replace a Tomcat and in those periods of downtime - I can reconfigure Apache to have an outage message.

YMMV

-Tim

Danny Lee wrote:
Hi guys!

I'm wondering if it's really so good to use Tomcat behind "a real" web server like Apache or IIS.

In my Tomcat 5 book there are two reasons to do it so:

1. Tomcat is not as secure as common web servers, especially if you want to use CGI and SSI (I don't think I want to)

2. Tomcat is slow delivering static content.

Well, as long as it's just planned to use only 1 server for my application,
I don't think both points are true for me. On the Tomcat site there's a note about performance:

"When using a single server, the performance when using a native webserver in front of the Tomcat instance is most of the time significantly worse than a standalone Tomcat with its default HTTP connector, even if a large part of the web application is made of static files"

And security... what about security? Why is Tomcat behind Apache
more secure than without it, especially (as I said) if both are running
on the same server.
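
The layout described in the reply (only Apache exposed, Tomcat reachable only from Apache or an internal network) can be checked against Tomcat's `server.xml`. The following is an added example, not part of the original thread: the sample `server.xml`, the function names and the choice to count only loopback and RFC 1918 addresses as internal are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8081" protocol="HTTP/1.1" address="10.0.0.5" />
    <Connector port="8443" protocol="HTTP/1.1" address="203.0.113.10" />
  </Service>
</Server>
"""

# Assumption: "internal network" means RFC 1918 space; adjust for your site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_bind(address):
    """Classify the address a Connector listens on."""
    if not address:
        # Conservative assumption: no address attribute means every interface.
        # (Some newer Tomcat releases bind the AJP connector to loopback by default.)
        return "all-interfaces"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unresolved"       # hostname: needs a manual look
    if ip.is_unspecified:         # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "public"

def audit_connectors(server_xml):
    """Return (port, protocol, exposure, ok) for each Connector element."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        exposure = classify_bind(conn.get("address"))
        ok = exposure in ("loopback", "internal")
        findings.append((conn.get("port"), conn.get("protocol", "HTTP/1.1"), exposure, ok))
    return findings

if __name__ == "__main__":
    for port, proto, exposure, ok in audit_connectors(SAMPLE_SERVER_XML):
        print(f"{'OK  ' if ok else 'FLAG'} port={port} protocol={proto} bind={exposure}")
```

A flagged connector is not necessarily reachable from the internet, since a host firewall may still block it, so treat the output as a list of listeners to confirm.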
