Robin Wilson wrote:
> For the record, my answer was neither stupid nor reflexive. I simply pointed 
> out why someone might want 2 layers of servers (httpd and tomcat). And 
> certainly, my rationale is both sound and arguable at the same time.
> 
> As for your assertion that 2 layers of security is just complexity and not 
> more secure - you obviously haven't run many enterprise production systems. 

That assertion was a little unnecessary.

> Security in an enterprise system is all about 'layers' of protection.
> And sure, if they hack one layer - they are probably good enough to hack
> the next layer. But that's where intrusion detection and a variety of
> other systems come into play. It's all about slowing down the advance of
> the attack until you can do something about it.

</lecture>

Not sure I've heard of many IDS that do deep packet inspection of AJP,
so should you restrict yourself to HTTP proxying only?

I assume, when you suggested putting HTTPD in a DMZ, that you didn't
mean putting it completely outside of firewall protection?

> As for performance, have you run any load testing against tomcat vs. apache - 
> especially on static files? Apache exceeds tomcat in performance by a large 
> margin. When you are serving millions of pages a day, and tens of millions
> of static files (images, css, js, videos, audios, etc.), that makes a
> significant difference in the amount of hardware you have to throw at the
> problem.

Not true.  This kind of statement is the kind of thing that helps
perpetuate myths and subsequently bad system design - your information
is out of date.

In fact it has been satisfactorily demonstrated that Tomcat is
comparable with Apache HTTPD in terms of speed of serving static files.

Q: How?
A: http://apr.apache.org/

I've not personally tested the new NIO connectors, but I've heard that
they do perform quite well.


> So you may be absolutely correct - it is not 'necessary' in a lot of cases. 
> But in many production - enterprise - deployments, it can be useful to have a 
> layer of web servers and a separately managed layer of application servers - 
> and that same model works just fine with Apache and Tomcat.

In your enthusiasm, I think you've conflated a few arguments; instead,
I'd say that these should be appraised individually.

1. On many occasions 'separation of concerns' is a good idea.
Separating application and static file servers assists in tuning big
applications for performance - otherwise CDNs wouldn't be a good idea.
This has nothing to do with security and you could use Tomcat for both.

2. Layered/zoned security is a Good Idea.

3. Hardware loadbalancers are probably a better choice for enterprise.
A load balancing Apache HTTPD won't hand over to another instance if it
fails.

4. Deploying HTTPD & Tomcat together is a popular choice.
I'd suggest that it's /on average/ more suited to SMEs (or businesses
without massive IT/IS budgets) who are using HTTPD to load balance AND,
say, mod_cache static files - as it's a cheap, scalable and effective
solution.



(OP really got more than he bargained for, I suspect)


p



> --
> Robin D. Wilson
> Director of Web Development
> KingsIsle Entertainment, Inc.
> WORK: 512-623-5913
> CELL: 512-426-3929
> www.KingsIsle.com
> 
> 
> -----Original Message-----
> From: Leon Rosenberg [mailto:rosenberg.l...@googlemail.com] 
> Sent: Monday, April 27, 2009 3:41 PM
> To: Tomcat Users List; a...@ice-sa.com
> Subject: Re: Why we need two servers (httpd and tomcat)
> 
> On Mon, Apr 27, 2009 at 9:21 PM, André Warnier <a...@ice-sa.com> wrote:
>> Leon Rosenberg wrote:
>>> I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)
>>>
>> And anyway, you just all forget this Java nonsense, and use Perl, as Real
>> Programmers do.
>>
>> That's just kidding of course, but let's keep a sense of perspective.
> 
> Hello André,
> 
> I don't want to start a new religious war, so I'll leave most of the
> mail unanswered, however, one thing:
> 
>> And that's also where the versatility of Apache httpd comes into play, a
>> versatility which Tomcat does not match and probably never will, because the
>> purpose of each is different.
> 
> That's true, httpd is able to do everything (and nothing right:-)) but
> what I'm speaking up against is this
> stupid reflective answer "you need a httpd in front of your tomcat".
> You don't. There might be reasons, some of them stated by you, but
> also others,
> where it's appropriate, but it's not the rule, it's an exception.
> The rule and therefore the standard answer should be: "you don't need
> an apache httpd in front of your tomcat unless, ..." and not
> "put an apache in front of your tomcat and stop thinking anyway" as it
> often is today.
> 
> Having said that, let's close the thread anyway :-)
> 
> regards
> Leon
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 

