On 05.03.2018 14:21, Mark Thomas wrote:
On 02/03/18 20:59, rich...@xentu.com wrote:
If I want to have IIS act as an intermediary between Tomcat and the
outside world, if I've understood it correctly, there seem to be two
choices.
Either add something called HttpPlatformHandler into IIS
https://www.iis.net/downloads/microsoft/httpplatformhandler
or, use the Apache Tomcat Connectors
https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/jk-1.2.30/ia64/
That is the Itanium build. Are you sure that is the version you want?
Also, 1.2.30 is 8+ years old. The latest version is 1.2.42 (with 1.2.43
currently being voted on for release). Get the latest version from:
https://tomcat.apache.org/download-connectors.cgi
Is either considered best practice, to be preferred over the other?
I've never used HttpPlatformHandler so it is hard to comment. This
community is more likely to be able to support the ISAPI redirector (the
IIS component of Tomcat Connectors).
Generally it looks as if the pros/cons of HTTP proxy vs AJP proxy would
apply. Which usually boils down to:
- if you want to proxy over a TLS connection use an HTTP proxy
- else if you want to expose client info to the back-end easily use AJP
- else choose whichever you are more familiar / comfortable with
A difference may also be, if you intend/plan/foresee to have some day multiple Tomcats
sharing the load between them, as a cluster. The Isapi/AJP redirector can work as a
load-balancer in such a case. The HttpPlatformHandler (which I have also never
used/looked at) may also be able to do that, or not.
A little graphic often helps :
browser <--(1)--> webserver front-end <--(3)--> Tomcat + <Connector>(4)
+ proxy/redirector
module (2)
In the absolute :
(1) can be a HTTP or HTTPS connection
(2) can be Apache httpd, IIS, or any webserver
(3) can be a HTTP, HTTPS or AJP connection
(AJP is a different protocol than HTTP/S, but it can carry the same
information
back and forth, only in a different format. AJP is not encrypted.)
(4) the <Connector> that you configure in Tomcat, must match the protocol used
for (3)
To connect the front-end webserver with a Tomcat back-end via AJP, you MUST use
a specific
proxy/redirector module at the front-end level :
- if the front-end is IIS, you must use the "Isapi redirector" (available from the Tomcat
website under "Connectors")
- if the front-end is Apache httpd, you can use either mod_proxy_ajp (available from the
Apache httpd website) or mod_jk (available from the Tomcat website)
To connect the front-end webserver with a Tomcat back-end via either HTTP or
HTTPS,
you can use any front-end proxy module capable of doing HTTP or HTTPS.
Under IIS, this could be HttpPlatformHandler (I guess).
Under Apache httpd, this could be mod_proxy_http.
Performance-wise, there is probably nowadays not a very big difference between the various
options. The AJP connection is probably a bit more tricky to set up and configure, but it
provides a number of options which the HTTP(S) connection do not provide (or not as readily).
An AJP connection is not encrypted, which means that in theory someone could listen in the
middle and know what is being exchanged. But if the connection between the front-end and
the back-end is relatively private (such as when both run on the same host), it probably
does not matter.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org