> From: Igal @ Lucee.org [mailto:i...@lucee.org]
> Subject: Re: This is weird: can't bind to 443

> I agree about the "one more thing to go wrong", but fronting Tomcat with
> a Web Server gives a performance hit? I mean, sure, now requests for
> Tomcat have another step to go through, but all of the static resources
> (assuming there are static resources) will supposedly be handled more
> efficiently by a web server, no?

Um, no. A lot of work has gone into improving Tomcat performance over the past few years, to the point where it's largely on par with httpd. Put both in the mix (assuming you're not using httpd for other reasons), and what you've mostly done is add latency.

> The added layer usually provides more security as well, provided that the
> web server doesn't add new vulnerabilities, of course.

Pretty much all components have (undiscovered) vulnerabilities, so having more components actually increases the attack surface.

> I personally use nginx for SSL termination, which I find easier than
> Tomcat, though it's been many years since I last tried to set up Tomcat
> with https.

Now that Tomcat can use OpenSSL directly, it's easier than it used to be. That said, if you do have a front end to Tomcat, might as well do the SSL termination there to simplify things.

- Chuck