On Mon, Apr 27, 2009 at 11:53 PM, Robin Wilson <rwil...@kingsisle.com> wrote:
> For the record, my answer was neither stupid nor reflexive. I simply pointed
> out why someone might want 2 layers of servers (httpd and tomcat). And
> certainly, my rationale is both sound and arguable at the same time.

I never meant to insult you, so if I did so by mistake, I beg your pardon.

>
> As for your assertion that 2 layers of security is just complexity and not
> more secure - you obviously haven't run many enterprise production systems.
> Security in an enterprise system is all about 'layers' of protection. And
> sure, if they hack one layer - they are probably good enough to hack the next
> layer. But that's where intrusion detection and a variety of other systems
> come into play. It's all about slowing down the advance of the attack until
> you can do something about it.

Well, actually I've been working with enterprise systems for the last 10 years,
the last 5 in the high-performance field.
Whatever you are doing to prevent an attack from happening, you still need a
connection from outside to your tomcat. An AJP connection is a plain
connection, everything sent in is going through. Neither mod_ajp, nor mod_jk
or mod_proxy_ajp do any security inspection on what they are sending over.
So if there is a vulnerability in tomcat itself or your app, it's fully exposed
no matter how many apaches you put in front. If it is possible to inject
javascript or sql code into your application, it will still be injected with
apache.
Furthermore, the two last (serious) security issues with tomcat were the url
encoding problem and the buffer overflow in mod_jk. So by using an apache
httpd in front of your tomcat you actually doubled the risk of being hacked.

>
> As for performance, have you run any load testing against tomcat vs. apache -
> especially on static files? Apache exceeds tomcat in performance by a large
> margin. When you are serving millions of pages a day, and tens of millions of
> static files (images, css, js, videos, audios, etc.), that makes a
> significant difference in the amount of hardware you have to throw at the
> problem.

I actually did. We tried a lot and ended up with reverse proxies (squid,
varnish). As for tomcat vs.
apache, I haven't read a single comparison in the last 3 years where apache was
faster, except for 'very-large-static-files', which are better served by fast
http servers like lighttpd.
For tomcat vs. apache check out this book please:
http://www.amazon.com/Tomcat-Definitive-Guide-Jason-Brittain/dp/0596101066/ref=sr_1_1?ie=UTF8&s=books&qid=1240350860&sr=1-1

>
> So you may be absolutely correct - it is not 'necessary' in a lot of cases.
> But in many production - enterprise - deployments, it can be useful to have a
> layer of web servers and a separately managed layer of application servers -
> and that same model works just fine with Apache and Tomcat.

Just out of curiosity, how large is your web farm and what is the average
response time?

regards
Leon

>
> --
> Robin D. Wilson
> Director of Web Development
> KingsIsle Entertainment, Inc.
> WORK: 512-623-5913
> CELL: 512-426-3929
> www.KingsIsle.com
>
>
> -----Original Message-----
> From: Leon Rosenberg [mailto:rosenberg.l...@googlemail.com]
> Sent: Monday, April 27, 2009 3:41 PM
> To: Tomcat Users List; a...@ice-sa.com
> Subject: Re: Why we need two servers (httpd and tomcat)
>
> On Mon, Apr 27, 2009 at 9:21 PM, André Warnier <a...@ice-sa.com> wrote:
>> Leon Rosenberg wrote:
>>>
>>> I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)
>>>
>> And anyway, you just all forget this Java nonsense, and use Perl, as Real
>> Programmers do.
>>
>> That's just kidding of course, but let's keep a sense of perspective.
>
> Hello André,
>
> I don't want to start a new religious war, so I'll leave most of the
> mail unanswered, however, one thing:
>
>> And that's also where the versatility of Apache httpd comes into play, a
>> versatility which Tomcat does not match and probably never will, because the
>> purpose of each is different.
>
> That's true, httpd is able to do everything (and nothing right:-)) but
> what I'm speaking up against is this
> stupid reflective answer "you need a httpd in front of your tomcat".
> You don't. There might be reasons, some of them stated by you, but
> also other,
> where it's appropriate, but it's not the rule, it's an exception.
> The rule and therefore the standard answer should be: "you don't need
> an apache httpd in front of your tomcat unless, ..." and not
> "put an apache in front of your tomcat and stop thinking anyway" as it
> often is today.
>
> Having said that, let's close the thread anyway :-)
>
> regards
> Leon