You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Rob Gregory <Ro...@ibsolutions.com> on 2010/10/14 18:19:41 UTC
Apache Reverse Proxy required or not?
Hi All,
Quick question on what people's views are with regard to using Tomcat to
host external/internet facing sites. A quick Google search recommends
that these should be 'fronted' by Apache running reverse proxy. Is
Tomcat classed as insecure and as such requires this proxy in front or
is this due to the fact that Tomcat cannot reverse proxy on its own.
Cheers
Rob
Re: Apache Reverse Proxy required or not?
Posted by Ben Stringer <be...@burbong.com>.
> Hi All,
>
>
>
> Quick question on what people's views are with regard to using Tomcat to
> host external/internet facing sites. A quick Google search recommends
> that these should be 'fronted' by Apache running reverse proxy. Is
> Tomcat classed as insecure and as such requires this proxy in front or
> is this due to the fact that Tomcat cannot reverse proxy on its own.
>
Certainly tomcat is up to the task of running external sites without a
reverse proxy. Some reasons you may choose to put a httpd reverse proxy in
front of tomcat:
- Allows displaying a "this site is down for maintenance" message when you
have taken your tomcat down for maintenance.
- Many third party security products supply agents as an apache httpd plugin.
- httpd can be used as a load balancer to a farm of tomcat processes.
- you may prefer to have the web access logging granularity that httpd
provides.
It really depends on your situation.
Cheers, Ben
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Apache Reverse Proxy required or not?
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Apache Reverse Proxy required or not?
> > > Is Tomcat classed as insecure
> >
> > Nope.
> Unless it's identified as Jetty. :(
> [Sorry, I can't find a reference to that thread....
> I swear it was this week!]
It was JRun, not Jetty.
http://marc.info/?l=tomcat-user&m=128673918709979&w=2
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Apache Reverse Proxy required or not?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
On 10/14/2010 1:01 PM, Pid wrote:
> On 14/10/2010 17:19, Rob Gregory wrote:
>>
>> Is Tomcat classed as insecure
>
> Nope.
Unless it's identified as Jetty. :(
[Sorry, I can't find a reference to that thread.... I swear it was this
week!]
>> and as such requires this proxy in front or is this due to the fact that
>> Tomcat cannot reverse proxy on its own.
>
> Why does it need to?
>
> (Arguably, putting HTTPD in front of Tomcat gives you a larger potential
> for vulnerabilities, not less)
...or at least a different set of vulnerabilities.
As Mark Thomas mentioned the other day, Tomcat cannot currently do
reverse-proxying, though it's been considered a few times in the past.
Nobody has ever bothered to implement it, probably because Apache httpd
does such a good job at it.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAky3V1cACgkQ9CaO5/Lv0PAcFgCgh6PWoc0ZXGrbLikOo5WU0WYc
qm8An25SGd+07tr8tTkcv40/tvx7kcUk
=MNJf
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Apache Reverse Proxy required or not?
Posted by Pid <pi...@pidster.com>.
On 14/10/2010 17:19, Rob Gregory wrote:
> Hi All,
>
> Quick question on what people's views are with regard to using Tomcat to
> host external/internet facing sites. A quick Google search recommends
> that these should be 'fronted' by Apache running reverse proxy.
What reasons did they give?
> Is Tomcat classed as insecure
Nope.
> and as such requires this proxy in front or is this due to the fact that
> Tomcat cannot reverse proxy on its own.
Why does it need to?
(Arguably, putting HTTPD in front of Tomcat gives you a larger potential
for vulnerabilities, not less)
p