Leon,
On 4/27/2009 1:59 PM, Leon Rosenberg wrote:
> On Mon, Apr 27, 2009 at 6:46 PM, Robin Wilson <rwil...@kingsisle.com> wrote:
>> The apache servers can sit in a different DMZ area
>
> Sorry, this is no security at all. If the attacker was able to break
> your OS once and come to your Apache httpd server, he will be able to
> break it a second time and come to the Tomcat-serving server. Increasing
> complexity doesn't necessarily increase security; the truth is that more
> complexity usually compromises security. Anyway, an unfiltered
> connection between your httpd and your Tomcat server exists (AJP), and
> the attacker can exploit it directly, since httpd will just send all
> mapped requests 1 on 1.

A connection that allows only AJP would be, IMO, a "filtered" connection, not an unfiltered one. Just because an attacker can break into Apache httpd on a publicly-available web server doesn't guarantee that he will be able to break through your AJP connection into the app server. I'm not sure how you can logically connect a web server intrusion with a definite app server intrusion.

> Finally, httpd is written in C and therefore vulnerable to all kinds of
> attacks a Java program is not, like buffer/heap overflows.

True, which is exactly why breaking into the web server and breaking into the app server would require different techniques. Therefore compromising the web server does not necessarily equal an app server break-in.

>> In addition to more granular security (as described above), having
>> isolated the web layer from the application layer allows you to
>> independently adjust the performance of each.
>
> The short answer to that would probably be, if you have performance
> concerns, you just do not use Apache httpd. If you want/need to
> load balance, a hardware load balancer is the weapon of choice. If you
> need to serve a lot of large static content (pictures), you put
> reverse proxies in front of your Tomcats.

...and run /what/ as your reverse proxies?
> If you need to serve static content (js, css etc.) along with dynamic
> content, you let Tomcat handle it; it serves static content faster
> than httpd anyway.

Citation? Or more Tomcat FUD ;)

-chris
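One concrete way to make the httpd-to-Tomcat link the "filtered" connection described above, as an added example that is not from this thread: forward only the context the application actually exposes, exclude Tomcat's administrative contexts, and bind the AJP connector to the internal interface. The addresses, paths and httpd 2.4 / mod_proxy_ajp setup are assumptions.

```apacheconf
# httpd.conf on the DMZ web server (added example; addresses and paths are assumed)
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

# Never act as a forward proxy; only explicit ProxyPass mappings are forwarded.
ProxyRequests Off

# Exclusions must precede any mapping that could cover them. "!" means
# "do not proxy", so Tomcat's admin contexts stay unreachable through httpd
# even if someone later adds a broader ProxyPass.
ProxyPass /manager      !
ProxyPass /host-manager !

# Forward only the one application context. Unmapped paths (/examples,
# /docs, anything else) are answered by httpd itself and never reach Tomcat,
# which is what makes this link "filtered" rather than a 1:1 passthrough.
ProxyPass        /app ajp://10.0.1.5:8009/app
ProxyPassReverse /app ajp://10.0.1.5:8009/app

# Static content stays on httpd, the original reason for the split.
Alias /static /var/www/static
<Directory /var/www/static>
    Require all granted
</Directory>

# On the Tomcat host, server.xml (shown as a comment because it is XML):
# bind AJP to the internal interface only, so the connector listens toward
# the httpd host and not on the public-facing address.
#
#   <Connector port="8009" protocol="AJP/1.3" address="10.0.1.5" redirectPort="8443" />
#
# With Tomcat 9.0.31+ and httpd 2.4.42+ both ends can additionally require a
# shared secret (secret="..." on the Connector, secret=... on the ProxyPass
# line), so the connector only accepts requests that carry it. The host
# firewall on 10.0.1.5 should then allow 8009 only from the httpd host.
```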