Posted to users@tomcat.apache.org by Vinay Nagrik <vn...@gmail.com> on 2009/04/27 16:51:39 UTC

Why we need two servers (httpd and tomcat)

Hello Group,

Can someone explain to me the basic difference between httpd and Tomcat
server?  What can one do that the other cannot?  And why do we need these
two servers in the first place?

I will appreciate this.

-- 
Thanks

Nagrik

Re: Why we need two servers (httpd and tomcat)

Posted by "Mihamina Rakotomandimby (R12y)" <mi...@lab.vectoris.fr>.
George Sexton wrote:
> You really don't need to have Apache httpd running.

Vinay didn't say the HTTP server had to be Apache ;-)
It could have been lighttpd or something else :-P

I think Vinay should know that Tomcat embeds an HTTP server.

-- 
                              Project manager at Vectoris
                                  Phone: +261 33 11 207 36
System: xUbuntu 8.10 with almost all from package install
    http://www.google.com/search?q=mihamina+rakotomandimby

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Why we need two servers (httpd and tomcat)

Posted by George Sexton <ge...@mhsoftware.com>.
You really don't need to have Apache httpd running. OTOH, if you want 
things like PHP, Perl CGI, etc, then you need httpd.

For our application, we run Tomcat on port 80 and do not use Apache/mod_jk.

Vinay Nagrik wrote:
> Hello Group,
> 
> Can someone explain to me the basic difference between httpd and Tomcat
> server?  What can one do that the other cannot?  And why do we need these
> two servers in the first place?
> 
> I will appreciate this.
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



RE: Why we need two servers (httpd and tomcat)

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Vinay Nagrik [mailto:vnagrik@gmail.com]
> Can someone explain to me the basic difference between httpd
> and Tomcat server?  What can one do that the other cannot?

Apache httpd can serve static content over HTTP.  It can have modules plugged in (CGI, perl, PHP) to serve various kinds of dynamic content.  It has many modules, and very flexible configuration options.  It is written in C and needs to be compiled for each platform.  It cannot serve Java servlet content; for that you need a Java servlet container, which you can connect to it in various ways.

Apache Tomcat is a Java servlet specification-compliant servlet container.  It can serve static content over HTTP.  It has built-in facilities for serving Java servlets, and requires no modules to do this.  It has relatively few modules, and some configuration has to be done in code where Apache httpd allows configuration through files.  It is written in Java, and portable to any platform able to run a (sensible) Java virtual machine.  It can be connected to Apache httpd in various ways so that httpd can appear to serve servlet content.

> And why do we need these two servers in the first place.

Because httpd doesn't serve Java servlets (and Tomcat doesn't serve perl and PHP efficiently, though it's pretty good at static content).  Even if httpd did everything, someone would write a "pure Java" web server and servlet container, because Java developers are like that :-).

                - Peter



Re: Why we need two servers (httpd and tomcat)

Posted by André Warnier <aw...@ice-sa.com>.
Jeff Allison wrote:
>>
> Don't you need to run Apache etc. in front of Tomcat because, unless you run
> Tomcat as root, it cannot listen on port 80?
> 
No.
Since you're talking about root, I will assume Unix/Linux.
For that, you can run Tomcat under jsvc, which will open port 80 for 
you, and allow Tomcat to run under a non-root user.
Most recent versions of Linux install it that way for you.




Re: Why we need two servers (httpd and tomcat)

Posted by George Sexton <ge...@mhsoftware.com>.

Elmar Haneke wrote:
>> unless you run
>> Tomcat as root it cannot listen on port 80?
> 
> You can easily redirect port 80 to the port Tomcat is listening at.

A better solution is to use jsvc. There are some issues with using 
iptables to redirect requests from port 80 to another port.

> 
> Elmar
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/

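André's answer (jsvc opens the port, then Tomcat runs as a non-root user) and George's preference for jsvc over an iptables redirect both rest on one mechanism: the privileged bind happens first, and the process then gives up root for good. The following is an added example of that pattern in Python; it is not code from the thread and not jsvc's own code. The service user name is an assumption, and the demonstration at the bottom binds an ephemeral port so that it also runs unprivileged.

```python
"""Bind a privileged port first, then drop root: the pattern jsvc applies
to Tomcat. Added example, not code from the thread or from jsvc itself."""
import os
import pwd
import socket

# Assumption: the unprivileged account the server should end up running as.
SERVICE_USER = "tomcat"


def bind_listener(port: int, addr: str = "0.0.0.0") -> socket.socket:
    """Create the listening socket. Ports below 1024 need root (or
    CAP_NET_BIND_SERVICE on Linux); this is the only step that does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((addr, port))
    sock.listen(128)
    return sock


def drop_privileges(user: str) -> int:
    """Switch to `user` for good and return the resulting effective uid.

    Order matters: supplementary groups, then gid, then uid. Once the uid
    is unprivileged the first two calls would no longer be permitted.
    A process that is not root to begin with has nothing to drop.
    """
    if os.geteuid() != 0:
        return os.geteuid()
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # The drop must be irrevocable: if uid 0 can be regained, the listener
    # is no safer than running the server as root outright.
    try:
        os.setuid(0)
    except PermissionError:
        return os.geteuid()
    raise RuntimeError("privilege drop was not irrevocable")


def current_uid() -> int:
    """Effective uid of this process (exposed for checks after start())."""
    return os.geteuid()


def start(port: int, user: str = SERVICE_USER):
    """jsvc-style startup: the privileged bind happens before the drop,
    so the server code that follows never runs with root's uid."""
    listener = bind_listener(port)
    uid = drop_privileges(user)
    return listener, uid


if __name__ == "__main__":
    # Constructed demonstration: an ephemeral port, so it runs unprivileged too.
    srv, uid = start(0, user="nobody")
    print("listening on", srv.getsockname(), "as uid", uid)
    srv.close()
```

Run as root with a real service account, bind_listener(80) succeeds and everything after drop_privileges() executes as that account, so a compromise of the server code yields that user's rights, not root's. The explicit os.setuid(0) probe is the check worth keeping: a partial drop (effective uid only) would let the process regain root, and this function raises instead of silently continuing. jsvc does more than this (it keeps a controlling process for signals and restarts), which the snippet does not attempt.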


Re: Why we need two servers (httpd and tomcat)

Posted by Elmar Haneke <el...@haneke.de>.
> unless you run
> Tomcat as root it cannot listen on port 80?

You can easily redirect port 80 to the port Tomcat is listening at.

Elmar



Re: Why we need two servers (httpd and tomcat)

Posted by Jeff Allison <je...@allygray.2y.net>.
> Hello Group,
>
> Can someone explain to me the basic difference between httpd and Tomcat
> server?  What can one do that the other cannot?  And why do we need these
> two servers in the first place?
>
> I will appreciate this.
>
> --
> Thanks
>
> Nagrik
>
Don't you need to run Apache etc. in front of Tomcat because, unless you run
Tomcat as root, it cannot listen on port 80?




Re: Why we need two servers (httpd and tomcat)

Posted by David kerber <dc...@verizon.net>.
Vinay Nagrik wrote:
> Hello Group,
>
> Can someone explain to me the basic difference between httpd and Tomcat
> server?  What can one do that the other cannot?  And why do we need these
> two servers in the first place?
>
> I will appreciate this.
>
>   
While there is some overlap in their functionality, there is a need for 
both.  Tomcat is a servlet container, which lets you run JSP and Java on 
the server side; httpd doesn't do this.  Tomcat also serves plain HTML 
pages efficiently, as does httpd.  I don't use httpd at all, so somebody 
else will describe it in more detail.

D





Re: Why we need two servers (httpd and tomcat)

Posted by Andre-John Mas <aj...@sympatico.ca>.
On 27-Apr-2009, at 13:59, Leon Rosenberg wrote:

>>
>> In addition to more granular security (as described above), having
>> isolated the web layer from the application layer allows you to
>> independently adjust the performance of each. If you are finding
>> that your system serves a lot more static content than it does
>> 'application' functionality, you may need several web servers to
>> handle the load. Likewise, if your system is application focused,
>> you may need more Tomcat servers (probably clustered) than web
>> servers.
>
> The short answer to that would probably be, if you have performance
> concerns, you just do not use Apache httpd. If you want/need to
> load balance, a hardware load balancer is the weapon of choice. If you
> need to serve a lot of large static content (pictures) you put
> reverse proxies in front of your Tomcats. If you need to serve static
> content (js, css etc.) along with dynamic content, you let Tomcat
> handle it, it serves static content faster than httpd anyway.
>
> Imho, the only valid use for httpd in front of Tomcat is when you are
> a one-man one-server company and need to host a lot of virtual stuff
> on your box including PHP and such. Everything else and you are better
> off without httpd :-)
>

If you have a large budget, then hardware anything generally makes for
better performance, since that is what they are optimized for. On the other
hand, when you are a small startup, Apache httpd allows you to leverage
hardware you already have at a much lower cost. The following article
illustrates this:

http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=47204086

Long term it makes more sense to invest in the right equipment, but we
don't all have $4000 available right off.

Are there any good articles, with performance numbers, that show how
Tomcat can compete against Apache httpd? While many on this list will
accept what you have to say, the people who make the financial choices
often want something that lays it out bare in a documented format.

André-John


Re: Why we need two servers (httpd and tomcat)

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leon,

On 5/1/2009 12:14 PM, Leon Rosenberg wrote:
> On Fri, May 1, 2009 at 6:01 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
> 
>> Amusingly enough, the way Tomcat serves static content as quickly as
>> httpd does is by... using the same code used by httpd.
> 
no. unless you assume that httpd runs an embedded Java VM inside.

Sorry, I was thinking of getting top SSL speed (which requires
tcnative/apr), not getting top static-file speed.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkn7IbwACgkQ9CaO5/Lv0PAySACghUJOkbcpRa96KT2zWbRkM9n+
T18AnR/CCZ0u8Cam1xkUsRaQ+t3bGg1z
=gmpb
-----END PGP SIGNATURE-----



Re: Why we need two servers (httpd and tomcat)

Posted by Leon Rosenberg <ro...@googlemail.com>.
On Fri, May 1, 2009 at 6:25 PM, Pid <p...@pidster.com> wrote:
> Leon Rosenberg wrote:
>> On Fri, May 1, 2009 at 6:01 PM, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>
>>> Amusingly enough, the way Tomcat serves static content as quickly as
>>> httpd does is by... using the same code used by httpd.
>>>
>>
>> no. unless you assume that httpd runs an embedded Java VM inside.
>
> Eh?
>
> I think Chris was implying APR is the speediest way to serve static
> content from Tomcat, and that APR is used by HTTPD.

yes, but this is not really true, the plain old Java connector is still
the best at serving mixed types of content;
APR actually is only better for serving really LARGE files, which I
still assume to be an exception.

regards
Leon



Re: Why we need two servers (httpd and tomcat)

Posted by Pid <p...@pidster.com>.
Leon Rosenberg wrote:
> On Fri, May 1, 2009 at 6:01 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
> 
>> Amusingly enough, the way Tomcat serves static content as quickly as
>> httpd does is by... using the same code used by httpd.
>>
> 
> no. unless you assume that httpd runs an embedded Java VM inside.

Eh?

I think Chris was implying APR is the speediest way to serve static
content from Tomcat, and that APR is used by HTTPD.

p


> Leon




Re: Why we need two servers (httpd and tomcat)

Posted by Leon Rosenberg <ro...@googlemail.com>.
On Fri, May 1, 2009 at 6:01 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>

>
> Amusingly enough, the way Tomcat serves static content as quickly as
> httpd does is by... using the same code used by httpd.
>

no. unless you assume that httpd runs an embedded Java VM inside.
Leon



Re: Why we need two servers (httpd and tomcat)

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leon,

On 4/30/2009 6:32 PM, Leon Rosenberg wrote:
> On Thu, Apr 30, 2009 at 9:58 PM, Christopher Schultz
>>> If you need to serve static content (js, css etc) along with dynamic
>>> content, you let tomcat handle it, it serves static content faster
>>> than httpd anyway.
>>
>> Citation? Or more Tomcat FUD ;)
> 
> Actually I mentioned the book in this thread, and some time ago in a
> mail in reply to YOUR question. But why not, here's the link again:
> 
> http://www.amazon.com/gp/product/0596101066/ref=s9_sims_gw_s9_p14_i1?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=1J4CRZSBWAQZMCDA54ET&pf_rd_t=101&pf_rd_p=470938631&pf_rd_i=507846
> 
> Tomcat: The Definitive Guide (Paperback) 2nd edition. Be sure to get
> the second edition from 2007, it covers tomcat 6. There are a lot of
> performance comparison charts in this book for various tomcat
> connectors with or without apr against various httpd setups.

Amusingly enough, the way Tomcat serves static content as quickly as
httpd does is by... using the same code used by httpd.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkn7HNIACgkQ9CaO5/Lv0PCudgCgmqD40BOnVw1eLSrMeVLWamyl
jYsAnAknv7/8dgYTn4DmlEvJwkLup6sG
=CSKP
-----END PGP SIGNATURE-----



Re: Why we need two servers (httpd and tomcat)

Posted by Leon Rosenberg <ro...@googlemail.com>.
On Thu, Apr 30, 2009 at 9:58 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Leon,
>
> On 4/27/2009 1:59 PM, Leon Rosenberg wrote:
>> On Mon, Apr 27, 2009 at 6:46 PM, Robin Wilson <rw...@kingsisle.com> wrote:
>>> The apache servers can sit in a different DMZ area
>>
>> Sorry, this is no security at all. If the attacker was able to break
>> your OS once and come to your Apache httpd server, he will be able to
>> break it a second time and come to the Tomcat serving server. Increasing
>> complexity doesn't necessarily increase security; the truth is that more
>> complexity usually compromises security. Anyway, an unfiltered
>> connection between your httpd and your Tomcat server exists (AJP), and
>> the attacker can exploit it directly, since httpd will just send all
>> mapped requests 1:1.
>
> A connection that allows only ajp would be, IMO, a "filtered"
> connection, not an unfiltered one. Just because an attacker can break
> into Apache httpd on a publicly-available web server doesn't guarantee
> that he will be able to break through your ajp connection into the app
> server. I'm not sure how you can logically connect a web server
> intrusion with a definite app server intrusion.

I so much hoped the thread was dead, but since you are addressing me directly:-)

The only way to break into a Tomcat is to send something which leads
to something else, giving the attacker at the end more control of the
machine than intended. For the sake of experiment, let's assume that if
you send a "/givemegodpermissions.html" to a Tomcat server it opens a
console in root mode on the machine it runs on.
For a standalone Tomcat behind a firewall (and don't tell me people
can't afford firewalls, iptables is free) where only port 8080 is open
(and probably mapped from 80 by portmapper or something) the only way
to exploit Tomcat itself (we are not talking about OS level hacking)
is to send http://youradress/givemegodpermissions.html.

Now let's add an Apache httpd in front and connect them via AJP. If the
attacker sends the very same URL
http://youradress/givemegodpermissions.html the Apache will just send
the /givemegodpermissions.html to the Tomcat over AJP and exactly the
same happens. So what have you gained? Nothing.


>
>> Finally, httpd is written in C and therefore vulnerable to all kinds of
>> attacks a Java program is not, like buffer/heap overflows.
>
> True, which is exactly why breaking into the web server and breaking
> into the app server would require different techniques. Therefore
> compromising the web server does not necessarily equal an app server
> break-in.

see above. having an additional piece of software means that you have
more holes and more to protect.

>
>>> In addition to more granular security (as described above), having
>>> isolated the web layer from the application layer allows you to
>>> independently adjust the performance >of each.
>>
>> The short answer to that would probably be, if you have performance
>> concerns, you just do not use apache httpd. If you want/need to
>> loadbalance, a hardware loadbalancer is the weapon of choice. If you
>> need to serve a lot of large static content (pictures) you put
>> reverse proxies in front of your tomcats.
>
> ...and run /what/ as your reverse proxies?

squid, varnish, whatever. You may even serve static files via a fast,
lean web server like lighttpd.

>
>> If you need to serve static content (js, css etc) along with dynamic
>> content, you let tomcat handle it, it serves static content faster
>> than httpd anyway.
>
> Citation? Or more Tomcat FUD ;)

Actually I mentioned the book in this thread, and some time ago in a
mail in reply to YOUR question. But why not, here's the link again:

http://www.amazon.com/gp/product/0596101066/ref=s9_sims_gw_s9_p14_i1?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-2&pf_rd_r=1J4CRZSBWAQZMCDA54ET&pf_rd_t=101&pf_rd_p=470938631&pf_rd_i=507846

Tomcat: The Definitive Guide (Paperback) 2nd edition. Be sure to get
the second edition from 2007, it covers tomcat 6. There are a lot of
performance comparison charts in this book for various tomcat
connectors with or without apr against various httpd setups.

regards
Leon

>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkn6AuEACgkQ9CaO5/Lv0PBMKwCeKwfzn7Pgwpl+DoKqbo93NEef
> o30AoJ7e7ZddDISQj/lP0WEkdqEsXGDh
> =qKnx
> -----END PGP SIGNATURE-----
>



Re: Why we need two servers (httpd and tomcat)

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leon,

On 4/27/2009 1:59 PM, Leon Rosenberg wrote:
> On Mon, Apr 27, 2009 at 6:46 PM, Robin Wilson <rw...@kingsisle.com> wrote:
>> The apache servers can sit in a different DMZ area
> 
> Sorry, this is no security at all. If the attacker was able to break
> your OS once and come to your Apache httpd server, he will be able to
> break it a second time and come to the Tomcat serving server. Increasing
> complexity doesn't necessarily increase security; the truth is that more
> complexity usually compromises security. Anyway, an unfiltered
> connection between your httpd and your Tomcat server exists (AJP), and
> the attacker can exploit it directly, since httpd will just send all
> mapped requests 1:1.

A connection that allows only ajp would be, IMO, a "filtered"
connection, not an unfiltered one. Just because an attacker can break
into Apache httpd on a publicly-available web server doesn't guarantee
that he will be able to break through your ajp connection into the app
server. I'm not sure how you can logically connect a web server
intrusion with a definite app server intrusion.

> Finally, httpd is written in C and therefore vulnerable to all kinds of
> attacks a Java program is not, like buffer/heap overflows.

True, which is exactly why breaking into the web server and breaking
into the app server would require different techniques. Therefore
compromising the web server does not necessarily equal an app server
break-in.

>> In addition to more granular security (as described above), having
>> isolated the web layer from the application layer allows you to
>> independently adjust the performance >of each.
> 
> The short answer to that would probably be, if you have performance
> concerns, you just do not use apache httpd. If you want/need to
> loadbalance, a hardware loadbalancer is the weapon of choice. If you
> need to serve a lot of large static content (pictures) you put
> reverse proxies in front of your tomcats.

...and run /what/ as your reverse proxies?

> If you need to serve static content (js, css etc) along with dynamic
> content, you let tomcat handle it, it serves static content faster
> than httpd anyway.

Citation? Or more Tomcat FUD ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkn6AuEACgkQ9CaO5/Lv0PBMKwCeKwfzn7Pgwpl+DoKqbo93NEef
o30AoJ7e7ZddDISQj/lP0WEkdqEsXGDh
=qKnx
-----END PGP SIGNATURE-----

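Leon's thought experiment (a single URL that, by assumption, compromises Tomcat and that httpd forwards 1:1) and Chris's reply (an AJP-only link is a filtered one) turn on the same question: what does the front end actually refuse? Below is an added example, not code from the thread, of a path allowlist as a front end would apply it before forwarding a request over AJP, together with the canonicalization such a filter needs to be meaningful. The allowed prefixes are assumptions; the /givemegodpermissions.html URL is the thread's own hypothetical.

```python
"""Path allowlist, as a front end (httpd or any reverse proxy) would apply
it before forwarding to the backend. Added example, not code from the
thread; the allowed prefixes are assumptions and the
'/givemegodpermissions.html' URL is the thread's own hypothetical."""
import posixpath
from urllib.parse import unquote

# Assumption: only these prefixes are mapped through to the backend Tomcat.
ALLOWED_PREFIXES = ("/app/", "/static/")


def canonicalize(raw_path: str) -> str:
    """Reduce a request target to the path the backend would actually resolve.

    Percent-decoding is repeated (bounded) to catch double encoding such as
    %252e%252e; path parameters (';jsessionid=...') are removed from every
    segment; backslashes are treated as separators; '.' and '..' segments
    and repeated slashes are collapsed lexically.
    """
    path = raw_path.split("?", 1)[0]        # the query never takes part in routing
    for _ in range(3):                      # bounded: '%2525...' cannot spin forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    if not path.startswith("/"):
        path = "/" + path
    canon = posixpath.normpath(path)        # resolves '..' and '//' without touching disk
    if path.endswith("/") and not canon.endswith("/"):
        canon += "/"                        # normpath drops it; prefix matching needs it
    return canon


def should_forward(raw_path: str, allowed=ALLOWED_PREFIXES) -> bool:
    """True only if the canonical path sits under an allowed prefix.

    The decision is made on the canonical form; the request itself is
    forwarded unchanged or rejected, never rewritten.
    """
    canon = canonicalize(raw_path)
    return any(canon == p.rstrip("/") or canon.startswith(p) for p in allowed)
```

If httpd maps /* through to Tomcat, should_forward() is True for every request and Leon's point stands: the extra hop refuses nothing. If it maps only /app/* and /static/*, the hypothetical URL is rejected at the front end, which is the layer Chris is describing. The canonicalization is the part that is easy to get wrong: without it, /app/../givemegodpermissions.html or a percent-encoded variant passes the prefix check and then resolves to the forbidden path on the backend. Decode and normalize for the decision only, forward the original bytes, and keep in mind that the filter is only as good as its agreement with how the backend interprets paths, so the AJP port itself should still be reachable from the front-end hosts alone.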


Re: Why we need two servers (httpd and tomcat)

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joseph,

On 4/27/2009 5:41 PM, Joseph Millet wrote:
> What's then common use where the two are required ?

I have one: you don't have a lot of money for hardware and so you aren't
buying BigIPs anytime soon. You have multiple Tomcats for whatever
reason (cluster, multiple apps with single TC instance per app, whatever).

Without httpd, what do you do?

Tomcat would have to be heavily customized to make it a proxy/load
balancer, and it doesn't speak AJP outbound, either.

For my money, I'll take httpd.

I'm not sure what Leon's problem is... he probably had a bad
configuration a long time ago and is still feeling sore over it.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkn6A/wACgkQ9CaO5/Lv0PAFXACdFk5384uCZhYTyWQFWJhlH0Uh
6yYAn2TOTdeZDsjnVmJPPEeK3Z9dPnq3
=BjOa
-----END PGP SIGNATURE-----



Re: Why we need two servers (httpd and tomcat)

Posted by Joseph Millet <jo...@gmail.com>.
What's then the common use case where the two are required?

On Mon, Apr 27, 2009 at 11:21 PM, Pid <p...@pidster.com> wrote:

> Leon Rosenberg wrote:
> > On Mon, Apr 27, 2009 at 9:21 PM, André Warnier <aw...@ice-sa.com> wrote:
> >> Leon Rosenberg wrote:
> >>> I'm sorry, I can't shut my mouth on this, but you are telling myths :-)
> >>>
> >> And anyway, you just all forget this Java nonsense, and use Perl, as Real
> >> Programmers do.
> >>
> >> That's just kidding of course, but let's keep a sense of perspective.
> >
> > Hello André,
> >
> > I don't want to start a new religious war, so I'll leave most of the
> > mail unanswered, however, one thing:
> >
> >> And that's also where the versatility of Apache httpd comes into play, a
> >> versatility which Tomcat does not match and probably never will, because the
> >> purpose of each is different.
> >
> > That's true, httpd is able to do everything (and nothing right :-)) but
> > what I'm speaking up against is this
> > stupid reflexive answer "you need a httpd in front of your Tomcat".
> > You don't. There might be reasons, some of them stated by you, but
> > also others,
> > where it's appropriate, but it's not the rule, it's an exception.
> > The rule and therefore the standard answer should be: "you don't need
> > an Apache httpd in front of your Tomcat unless, ..." and not
> > "put an Apache in front of your Tomcat and stop thinking anyway" as it
> > often is today.
> >
> > Having said that, lets close the thread anyway :-)
>
> Postscript: the OP's type of question smells like a student sniffing for
> an essay answer, (no offence meant if I'm wrong).
>
> Of course the real reason we need web AND application servers is to
> makes the interwebs, where we can has flame wars.
>
>
> p
>
>
>
> > regards
> > Leon
> >

Re: Why we need two servers (httpd and tomcat)

Posted by Pid <p...@pidster.com>.
Leon Rosenberg wrote:
> On Mon, Apr 27, 2009 at 9:21 PM, André Warnier <aw...@ice-sa.com> wrote:
>> Leon Rosenberg wrote:
>>> I'm sorry, I can't shut my mouth on this, but you are telling myths :-)
>>>
>> And anyway, you just all forget this Java nonsense, and use Perl, as Real
>> Programmers do.
>>
>> That's just kidding of course, but let's keep a sense of perspective.
> 
> Hello André,
> 
> I don't want to start a new religious war, so I'll leave most of the
> mail unanswered, however, one thing:
> 
>> And that's also where the versatility of Apache httpd comes into play, a
>> versatility which Tomcat does not match and probably never will, because the
>> purpose of each is different.
> 
> That's true, httpd is able to do everything (and nothing right :-)) but
> what I'm speaking up against is this
> stupid reflexive answer "you need a httpd in front of your Tomcat".
> You don't. There might be reasons, some of them stated by you, but
> also others,
> where it's appropriate, but it's not the rule, it's an exception.
> The rule and therefore the standard answer should be: "you don't need
> an Apache httpd in front of your Tomcat unless, ..." and not
> "put an Apache in front of your Tomcat and stop thinking anyway" as it
> often is today.
> 
> Having said that, lets close the thread anyway :-)

Postscript: the OP's type of question smells like a student sniffing for
an essay answer, (no offence meant if I'm wrong).

Of course the real reason we need web AND application servers is to
makes the interwebs, where we can has flame wars.


p



> regards
> Leon
> 




Re: Why we need two servers (httpd and tomcat)

Posted by Jess Holle <je...@ptc.com>.
Jess Holle wrote:
> Robin Wilson wrote:
>> For the record, my answer was neither stupid nor reflexive. I simply pointed out why someone might want 2 layers of servers (httpd and tomcat). And certainly, my rationale is both sound and arguable at the same time.
>>
>> As for your assertion that 2 layers of security is just complexity and not more secure - you obviously haven't run many enterprise production systems. Security in an enterprise system is all about 'layers' of protection. And sure, if they hack one layer - they are probably good enough to hack the next layer. But that's where intrusion detection and a variety of other systems come into play. It's all about slowing down the advance of the attack until you can do something about it.
>>
>> As for performance, have you run any load testing against tomcat vs. apache - especially on static files? Apache exceeds tomcat in performance by a large margin. When you are serving millions of pages a day, and tens of millions of static files (images, css, js, videos, audios, etc.), that makes a significant difference in the amount of hardware you have to throw at the problem.
>>
>> So you may be absolutely correct - it is not 'necessary' in a lot of cases. But in many production - enterprise - deployments, it can be useful to have a layer of web servers and a separately managed layer of application servers - and that same model works just fine with Apache and Tomcat.
>>   
> I think the Tomcat folk would dispute your assertion on performance -- 
> in particular when Tomcat is used with native APR.
>
> That said, the biggest reason I know of for Apache fronting Tomcat is 
> load balancing across Tomcats.
>
> If you have a hardware load balancer doing that, then there are lesser 
> reasons, e.g.:
>
>     * there are more security plug-ins for Apache (e.g. SiteMinder and
>       the like),
>     * multi-LDAP authentication support is built into Apache,
>
It is my understanding that the next Tomcat release will provide 
multi-LDAP authentication support, by the way.
>
>     * various existing Apache modules (e.g. mod_redirect) allow some
>       classes of problems to be solved by configuration that would
>       require coding in Tomcat.
>
> On this last note, however, I'd say that writing necessary 
> filter/listener/handler code for Tomcat can generally be done in a 
> manner that is portable to any up-to-date servlet engine, is /far/ 
> easier than writing code for Apache modules, and is sometimes even 
> easier than achieving the same end by configuring modules in Apache 
> (where that approach is sufficient).


Re: Why we need two servers (httpd and tomcat)

Posted by Jess Holle <je...@ptc.com>.
Robin Wilson wrote:
> For the record, my answer was neither stupid nor reflexive. I simply pointed out why someone might want 2 layers of servers (httpd and tomcat). And certainly, my rationale is both sound and arguable at the same time.
>
> As for your assertion that 2 layers of security is just complexity and not more secure - you obviously haven't run many enterprise production systems. Security in an enterprise system is all about 'layers' of protection. And sure, if they hack one layer - they are probably good enough to hack the next layer. But that's where intrusion detection and a variety of other systems come into play. It's all about slowing down the advance of the attack until you can do something about it.
>
> As for performance, have you run any load testing against tomcat vs. apache - especially on static files? Apache exceeds tomcat in performance by a large margin. When you are serving millions of pages a day, and tens of millions of static files (images, css, js, videos, audios, etc.), that makes a significant difference in the amount of hardware you have to throw at the problem.
>
> So you may be absolutely correct - it is not 'necessary' in a lot of cases. But in many production - enterprise - deployments, it can be useful to have a layer of web servers and a separately managed layer of application servers - and that same model works just fine with Apache and Tomcat.
>   
I think the Tomcat folk would dispute your assertion on performance -- 
in particular when Tomcat is used with native APR.

That said, the biggest reason I know of for Apache fronting Tomcat is 
load balancing across Tomcats.

If you have a hardware load balancer doing that, then there are lesser 
reasons, e.g.:

    * there are more security plug-ins for Apache (e.g. SiteMinder and
      the like),
    * multi-LDAP authentication support is built into Apache, 
    * various existing Apache modules (e.g. mod_redirect) allow some
      classes of problems to be solved by configuration that would
      require coding in Tomcat.

On this last note, however, I'd say that writing necessary 
filter/listener/handler code for Tomcat can generally be done in a 
manner that is portable to any up-to-date servlet engine, is /far/ 
easier than writing code for Apache modules, and is sometimes even 
easier than achieving the same end by configuring modules in Apache 
(where that approach is sufficient).

--
Jess Holle


Re: Why we need two servers (httpd and tomcat)

Posted by Leon Rosenberg <ro...@googlemail.com>.
On Mon, Apr 27, 2009 at 11:53 PM, Robin Wilson <rw...@kingsisle.com> wrote:
> For the record, my answer was neither stupid nor reflexive. I simply pointed out why someone might want 2 layers of servers (httpd and tomcat). And certainly, my rationale is both sound and arguable at the same time.

I never meant to insult you, so if I did so by mistake, I beg your pardon.

>
> As for your assertion that 2 layers of security is just complexity and not more secure - you obviously haven't run many enterprise production systems. Security in an enterprise system is all about 'layers' of protection. And sure, if they hack one layer - they are probably good enough to hack the next layer. But that's where intrusion detection and a variety of other systems come into play. It's all about slowing down the advance of the attack until you can do something about it.

Well, actually I've been working with Enterprise Systems for the last 10 years,
the last 5 in the high performance field. Whatever you are doing to prevent an
attack from happening you still need a connection from outside to your
tomcat. An AJP connection is a plain connection, everything sent in is
going through. Neither mod_ajp, nor mod_jk or mod_proxy_ajp do any
security inspection on what they are sending over. So if there is a
vulnerability in tomcat itself or your app it's fully exposed no matter
how many apaches you put in front. If it is possible to inject
javascript or sql code into your application it will still be injected
with apache. Furthermore, the two last (serious) security issues with
tomcat were the url encoding problem and the buffer overflow in
mod_jk. So by using an apache httpd in front of your tomcat you
actually doubled the risk of being hacked.

>
> As for performance, have you run any load testing against tomcat vs. apache - especially on static files? Apache exceeds tomcat in performance by a large margin. When you are serving millions of pages a day, and tens of millions of static files (images, css, js, videos, audios, etc.), that makes a significant difference in the amount of hardware you have to throw at the problem.

I actually did. We tried a lot and ended up with reverse proxies
(squid, varnish). As for tomcat vs. apache, I haven't read a single
comparison in the last 3 years where apache was faster, except for
'very-large-static-files', which are better served by fast http
servers like lighttpd.
For tomcat vs. apache check out this book please:
http://www.amazon.com/Tomcat-Definitive-Guide-Jason-Brittain/dp/0596101066/ref=sr_1_1?ie=UTF8&s=books&qid=1240350860&sr=1-1

>
> So you may be absolutely correct - it is not 'necessary' in a lot of cases. But in many production - enterprise - deployments, it can be useful to have a layer of web servers and a separately managed layer of application servers - and that same model works just fine with Apache and Tomcat.

Just out of curiosity how large is your web farm and what is the
average response time?

regards
Leon



> -----Original Message-----
> From: Leon Rosenberg [mailto:rosenberg.leon@googlemail.com]
> Sent: Monday, April 27, 2009 3:41 PM
> To: Tomcat Users List; aw@ice-sa.com
> Subject: Re: Why we need two servers (httpd and tomcat)
>
> On Mon, Apr 27, 2009 at 9:21 PM, André Warnier <aw...@ice-sa.com> wrote:
>> Leon Rosenberg wrote:
>>>
>>> I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)
>>>
>> And anyway, you just all forget this Java nonsense, and use Perl, as Real
>> Programmers do.
>>
>> That's just kidding of course, but let's keep a sense of perspective.
>
> Hello André,
>
> I don't want to start a new religious war, so I'll leave most of the
> mail unanswered, however, one thing:
>
>> And that's also where the versatility of Apache httpd comes into play, a
>> versatility which Tomcat does not match and probably never will, because the
>> purpose of each is different.
>
> That's true, httpd is able to do everything (and nothing right:-)) but
> what I'm speaking up against is this
> stupid reflective answer "you need a httpd in front of your tomcat".
> You don't. There might be reasons, some of them stated by you, but
> also others,
> where it's appropriate, but it's not the rule, it's an exception.
> The rule and therefore the standard answer should be: "you don't need
> an apache httpd in front of your tomcat unless, ..." and not
> "put an apache in front of your tomcat and stop thinking anyway" as it
> often is today.
>
> Having said that, let's close the thread anyway :-)
>
> regards
> Leon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Why we need two servers (httpd and tomcat)

Posted by Pid <p...@pidster.com>.
Robin Wilson wrote:
> For the record, my answer was neither stupid nor reflexive. I simply pointed out why someone might want 2 layers of servers (httpd and tomcat). And certainly, my rationale is both sound and arguable at the same time.
> 
> As for your assertion that 2 layers of security is just complexity and not more secure - you obviously haven't run many enterprise production systems. 

That assertion was a little unnecessary.

> Security in an enterprise system is all about 'layers' of protection.
> And sure, if they hack one layer - they are probably good enough to hack
> the next layer. But that's where intrusion detection and a variety of
> other systems come into play. It's all about slowing down the advance of
> the attack until you can do something about it.

</lecture>

Not sure I've heard of many IDS that do deep packet inspection of AJP,
so should you restrict yourself to HTTP proxying only?

I assume, when you suggested putting HTTPD in a DMZ, that you didn't
mean putting it completely outside of firewall protection?

> As for performance, have you run any load testing against tomcat vs. apache - especially on static files? Apache exceeds tomcat in performance by a large margin. When you are
> serving millions of pages a day, and tens of millions of static files
> (images, css, js, videos, audios, etc.), that makes a significant
> difference in the amount of hardware you have to throw at the problem.

Not true.  This kind of statement is the kind of thing that helps
perpetuate myths and subsequently bad system design - your information
is out of date.

In fact it has been satisfactorily demonstrated that Tomcat is
comparable with Apache HTTPD in terms of speed of serving static files.

Q: How?
A: http://apr.apache.org/

I've not personally tested the new NIO connectors, but I've heard that
they do perform quite well.


> So you may be absolutely correct - it is not 'necessary' in a lot of cases. But in many production - enterprise - deployments, it can be useful to have a layer of web servers and a separately managed layer of application servers - and that same model works just fine with Apache and Tomcat.

In your enthusiasm, I think you've conflated a few arguments, instead
I'd say that these should be appraised individually.

1. On many occasions 'separation of concerns' is a good idea.
Separating application and static file servers assists in tuning big
applications for performance - otherwise CDNs wouldn't be a good idea.
This has nothing to do with security and you could use Tomcat for both.

2. Layered/zoned security is a Good Idea.

3. Hardware load balancers are probably a better choice for enterprise.
A load balancing Apache HTTPD won't hand over to another instance if it
fails.

4. Deploying HTTPD & Tomcat together is a popular choice.
I'd suggest that it's /on average/ more suited to SMEs (or businesses
without massive IT/IS budgets) who are using HTTPD to load balance AND,
say, mod_cache static files - as it's a cheap, scalable and effective
solution.



(OP really got more than he bargained for, I suspect)


p





Re: Why we need two servers (httpd and tomcat)

Posted by George Sexton <ge...@mhsoftware.com>.
Robin Wilson wrote:
> I like how your argument presumes the most foolish configuration for
> Apache vs. the ideal configuration if you only use tomcat. If you


If you're doing the "ideal configuration" and only using tomcat, then
what's the point of putting httpd on in the first place? Even if you
only use apache w/ mod_jk, you're tripling your attack surface. Why do
that?

Really, why insert httpd at all if you're not going to have PHP or other 
things involved. You're just adding an extra two layers into your request.

With the Tomcat connector, the request goes to the connector and is 
serviced.

With Apache httpd, it gets the connection. The request gets handed to 
mod_jk. Via the URI Worker map, mod_jk shoves the data to the 
appropriate worker's connector for servicing.

From a practical standpoint, it's much easier to not have Apache httpd 
in the process. If you deploy a new host using the host manager 
application, it starts working. With httpd, you have to modify the 
configuration files and reload it. I run hundreds of tomcat virtual 
hosts spread across three servers, so this is something I understand 
pretty well.

> want to go that route, the default tomcat install includes a bunch of
> 'examples' and other exploitable stuff - why not assume that they
> left all that at the default values as well?

As far as a "default" tomcat install goes, I use the catalina
base/catalina home deployment methodology, so I'm not carrying all of 
the sample application baggage with me, not even by accident. As a side
benefit, it makes upgrading new tomcat releases a little less painful.



-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



Re: Why we need two servers (httpd and tomcat)

Posted by David Smith <dn...@cornell.edu>.
There is another argument.  Once upon a time it was standard recommended
advice to put a conventional web service like Apache's Httpd in front of
tomcat.  All the static resources get served up by the conventional web
service and only the dynamic content would come from tomcat.  That was a
loooong time ago and the performance and stability of tomcat has
increased dramatically, but there are still a lot of poorly maintained
websites and old programming books out there still spouting obsolete advice.

I personally subscribe to the KISS philosophy.  If it's just static
resources and java webapp content, by all means just put up a tomcat
service on port 80, stripped down to what's actually needed, and forget
about Apache Httpd.  Your life gets simplified and response times are
on par with Apache Httpd.  However, if you have a site that is a fusion
of a lot of different technologies like PHP, Perl, Python, etc., ...
then a service in front like Apache Httpd makes loads of sense.  I don't
see any security advantage to putting Apache Httpd in front of tomcat
that wouldn't be mitigated by some defensive programming.  The servlet
spec is loaded with stuff designed to help webapp programmers with security.

--David

Robin Wilson wrote:
> I like how your argument presumes the most foolish configuration for Apache vs. the ideal configuration if you only use tomcat. If you want to go that route, the default tomcat install includes a bunch of 'examples' and other exploitable stuff - why not assume that they left all that at the default values as well?


RE: Why we need two servers (httpd and tomcat)

Posted by Robin Wilson <rw...@kingsisle.com>.
I like how your argument presumes the most foolish configuration for Apache vs. the ideal configuration if you only use tomcat. If you want to go that route, the default tomcat install includes a bunch of 'examples' and other exploitable stuff - why not assume that they left all that at the default values as well?

--
Robin D. Wilson
Director of Web Development
KingsIsle Entertainment, Inc.
WORK: 512-623-5913
CELL: 512-426-3929
www.KingsIsle.com





RE: Why we need two servers (httpd and tomcat)

Posted by Martin Gainty <mg...@hotmail.com>.
what do you recommend to bulletproof Robin's installation?

Martin 







Re: Why we need two servers (httpd and tomcat)

Posted by George Sexton <ge...@mhsoftware.com>.

Robin Wilson wrote:
> As for your assertion that 2 layers of security is just complexity
> and not more secure - you obviously haven't run many enterprise
> production systems. Security in an enterprise system is all about
> 'layers' of protection. And sure, if they hack one layer - they are
> probably good enough to hack the next layer. But that's where
> intrusion detection and a variety of other systems come into play.
> It's all about slowing down the advance of the attack until you can
> do something about it.
> 

In theory, you're right. Defense in depth is a sound and established 
practice. I remember as a Marine, reading company level tactics books 
that laid out how to set up a rifle company for defense in depth.

In this particular instance you're just wrong. Putting apache in front 
of Tomcat makes the visible surface for attack about 10 times bigger. If 
you're running Apache httpd, you've probably got PHP running which is a 
huge security attack area, and then there are probably 20 other modules 
that are loaded by default. Instead of having a small gate to defend, 
you now have 10 gates to defend.

You believe that to get your system, they have to get through httpd, and 
then through tomcat. This is your defense in depth theory. It's just 
wrong. If there's a buffer overflow in httpd, then they just have to 
exploit that to get on your machine.

Layers of protection in an Enterprise security system would be firewalls 
protecting the perimeter, intrusion detection systems monitoring network 
traffic, monitoring systems that detect changes in the host systems.

So, by all means do defense in depth. Just don't delude yourself into 
thinking that putting httpd in front of tomcat adds a layer of security. 
It doesn't.

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/



RE: Why we need two servers (httpd and tomcat)

Posted by Robin Wilson <rw...@kingsisle.com>.
I'll agree with you - this provided a fair and thorough examination of the reasons some people run httpd and tomcat, and why others don't - which was my original intention... To stimulate that very discussion.

BTW, I hope none of you got the idea that I supported _either_ approach, only described why some people do them.

--
Robin D. Wilson
Director of Web Development
KingsIsle Entertainment, Inc.
WORK: 512-623-5913
CELL: 512-426-3929
www.KingsIsle.com





Re: Why we need two servers (httpd and tomcat)

Posted by André Warnier <aw...@ice-sa.com>.
Robin Wilson wrote:
> For the record, my answer was neither stupid or reflexive. 

And for the record, I personally did not think it was either.

I agree with Leon when he says that some people just automatically put 
an Apache in front of a Tomcat when they don't really need to, just by 
habit or because they've found a configuration to copy, and without even 
thinking about whether they really need it.  Or maybe just because the 
server comes that way pre-installed.
Then they add a
JkMount /* ajp13
;-)

Or they configure a load-balancer to balance one single back-end.

Or they set Apache's DocumentRoot to the Tomcat webapps directory, just 
because it's easier and this way all the links work (usually in even 
more ways than they expect).

On the other hand, I also believe, contrary to Leon, that there are 
plenty of practical cases where running some back-end Java applications 
on a Tomcat server is necessary, but is not the main purpose of the 
site, and thus having an Apache httpd in front comes in very handy or is 
necessary.  And provided you know what you're doing, the additional 
overhead due to mod_jk is going to take 100 years to overtake the cost 
of two days of trying to figure out how to do the same in Tomcat.

It also depends very much on the skills at hand.  Given a certain 
problem, the "right" solution will be different depending on whether you 
have a staff of mostly java-oriented people, or not.

So this was not a flame, just an attempt at restoring some balance which 
I felt was a bit upset by Leon's diatribe.

Thus, to the original poster: I believe that by now you should have a 
relative balance of arguments allowing you to decide when one needs only 
Apache httpd, only Tomcat, or a combination.



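As an added illustration of the two copy-paste mistakes described above (this is not code from the thread or from any Apache project): a small Python audit that flags a catch-all JkMount or ProxyPass with no exclusions, and a DocumentRoot pointing into a Tomcat webapps tree. The httpd.conf fragments and the paths in them are constructed for the example.

```python
import re

# Constructed httpd.conf fragments (not from the thread). WEAK_CONF is the
# copy-paste setup described in the post; the other two are corrected forms,
# one using mod_jk and one using mod_proxy (ajp or http, as the post lists).
WEAK_CONF = """
DocumentRoot /opt/tomcat/webapps/ROOT
JkMount /* ajp13
"""

FIXED_JK_CONF = """
DocumentRoot /var/www/static
JkMount /app/* ajp13
JkUnMount /app/static/* ajp13
"""

FIXED_PROXY_CONF = """
DocumentRoot /var/www/static
ProxyPass /static !
ProxyPass / ajp://127.0.0.1:8009/
"""

WEBAPPS_PATH = re.compile(r"/webapps(/|$)")  # DocumentRoot under a Tomcat webapps tree


def parse_directives(conf):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield parts[0], [p.strip('"') for p in parts[1:]]


def audit_httpd_conf(conf):
    """Return findings for the two anti-patterns named in the thread."""
    catch_all, exclusions, docroots = [], [], []
    for name, args in parse_directives(conf):
        if name == "JkMount" and len(args) >= 2 and args[0] in ("/*", "/"):
            catch_all.append(f"{name} {args[0]}")
        elif name == "JkUnMount" and args:
            exclusions.append(args[0])
        elif name == "ProxyPass" and len(args) >= 2:
            if args[1] == "!":          # "ProxyPass /path !" keeps /path local
                exclusions.append(args[0])
            elif args[0] == "/":
                catch_all.append("ProxyPass /")
        elif name == "DocumentRoot" and args:
            docroots.append(args[0])

    findings = []
    if catch_all and not exclusions:
        findings.append(f"{catch_all[0]} with no exclusions: every request, static "
                        "files included, goes to Tomcat; httpd only adds a hop")
    for root in docroots:
        if WEBAPPS_PATH.search(root):
            findings.append(f"DocumentRoot {root} is inside a Tomcat webapps tree: "
                            "httpd would serve it without the servlet container's "
                            "rules (WEB-INF/ is not protected)")
    return findings
```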


RE: Why we need two servers (httpd and tomcat)

Posted by Robin Wilson <rw...@kingsisle.com>.
For the record, my answer was neither stupid nor reflexive. I simply pointed out why someone might want 2 layers of servers (httpd and tomcat). And certainly, my rationale is both sound and arguable at the same time.

As for your assertion that 2 layers of security is just complexity and not more secure - you obviously haven't run many enterprise production systems. Security in an enterprise system is all about 'layers' of protection. And sure, if they hack one layer - they are probably good enough to hack the next layer. But that's where intrusion detection and a variety of other systems come into play. It's all about slowing down the advance of the attack until you can do something about it.

As for performance, have you run any load testing against tomcat vs. apache - especially on static files? Apache exceeds tomcat in performance by a large margin. When you are serving millions of pages a day, and tens of millions of static files (images, css, js, videos, audios, etc.), that makes a significant difference in the amount of hardware you have to throw at the problem.

So you may be absolutely correct - it is not 'necessary' in a lot of cases. But in many production - enterprise - deployments, it can be useful to have a layer of web servers and a separately managed layer of application servers - and that same model works just fine with Apache and Tomcat.

--
Robin D. Wilson
Director of Web Development
KingsIsle Entertainment, Inc.
WORK: 512-623-5913
CELL: 512-426-3929
www.KingsIsle.com


-----Original Message-----
From: Leon Rosenberg [mailto:rosenberg.leon@googlemail.com] 
Sent: Monday, April 27, 2009 3:41 PM
To: Tomcat Users List; aw@ice-sa.com
Subject: Re: Why we need two servers (httpd and tomcat)

On Mon, Apr 27, 2009 at 9:21 PM, André Warnier <aw...@ice-sa.com> wrote:
> Leon Rosenberg wrote:
>>
>> I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)
>>
> And anyway, you just all forget this Java nonsense, and use Perl, as Real
> Programmers do.
>
> That's just kidding of course, but let's keep a sense of perspective.

Hello André,

I don't want to start a new religious war, so I'll leave most of the
mail unanswered, however, one thing:

> And that's also where the versatility of Apache httpd comes into play, a
> versatility which Tomcat does not match and probably never will, because the
> purpose of each is different.

That's true, httpd is able to do everything (and nothing right :-)) but
what I'm speaking up against is this
stupid reflexive answer "you need a httpd in front of your tomcat".
You don't. There might be reasons, some of them stated by you, but
also others,
where it's appropriate, but it's not the rule, it's an exception.
The rule and therefore the standard answer should be: "you don't need
an apache httpd in front of your tomcat unless, ..." and not
"put an apache in front of your tomcat and stop thinking anyway" as it
often is today.

Having said that, let's close the thread anyway :-)

regards
Leon



Re: Why we need two servers (httpd and tomcat)

Posted by Leon Rosenberg <ro...@googlemail.com>.
On Mon, Apr 27, 2009 at 9:21 PM, André Warnier <aw...@ice-sa.com> wrote:
> Leon Rosenberg wrote:
>>
>> I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)
>>
> And anyway, you just all forget this Java nonsense, and use Perl, as Real
> Programmers do.
>
> That's just kidding of course, but let's keep a sense of perspective.

Hello André,

I don't want to start a new religious war, so I'll leave most of the
mail unanswered, however, one thing:

> And that's also where the versatility of Apache httpd comes into play, a
> versatility which Tomcat does not match and probably never will, because the
> purpose of each is different.

That's true, httpd is able to do everything (and nothing right :-)) but
what I'm speaking up against is this
stupid reflexive answer "you need a httpd in front of your tomcat".
You don't. There might be reasons, some of them stated by you, but
also others,
where it's appropriate, but it's not the rule, it's an exception.
The rule and therefore the standard answer should be: "you don't need
an apache httpd in front of your tomcat unless, ..." and not
"put an apache in front of your tomcat and stop thinking anyway" as it
often is today.

Having said that, let's close the thread anyway :-)

regards
Leon



Re: Why we need two servers (httpd and tomcat)

Posted by André Warnier <aw...@ice-sa.com>.
Leon Rosenberg wrote:
> I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)
> 
And anyway, you just all forget this Java nonsense, and use Perl, as 
Real Programmers do.

That's just kidding of course, but let's keep a sense of perspective.

If you just want to run jsp pages and java servlets, then you need 
Tomcat (or another servlet engine), and there is no reason to add an 
Apache httpd in front. It would just complicate and slow down things.

If you need to serve some static content in addition to running your jsp 
pages and servlets, then there is still no need to put an Apache httpd 
in front of Tomcat, it can do that fine too by itself.

If you need several Tomcats to take the load, and you need to balance 
the calls to them, then you need a load-balancer in front; whether you 
want to use Apache httpd for that, or some other device/software is 
dependent on other factors. And if you want to use Apache, you can still 
choose between mod_proxy_http, mod_proxy_ajp or mod_jk.

If you do not need to run jsp pages and servlets, then you don't need 
Tomcat at all, and you'll be better off with Apache httpd alone.

If you need to run PHP or Perl or other non-Java applications, then you 
need Apache httpd, because Tomcat can't do that with anywhere near the 
same kind of speed and flexibility.

Now apart from the ideal clear-cut cases above, in the real world there 
are many cases where what you need to do is a mixture of all that, and 
that's where an Apache httpd/Tomcat combination may be the best choice.
And that's also where the versatility of Apache httpd comes into play, a 
versatility which Tomcat does not match and probably never will, because 
the purpose of each is different.

Where Tomcat is designed to be a Java servlet engine, Apache httpd is 
designed for being a "swiss-army-knife" webserver. And it is free too 
(contrary to a hardware load-balancer).
As much as Tomcat can also serve static content (and in simple cases do 
it well and efficiently), Apache httpd can do everything that Tomcat can 
do (except running Java applications).  And then it can do a lot of 
extra things that Tomcat cannot, and it can do it almost out of the box, 
with a configuration which does not require being a Java expert.
And it is used by about 50% of all websites on the WWW, for a total of 
some 100 Million. So it must be doing something right.

And not everyone can afford a server farm.

The point is, Apache httpd /can/ be a front-end to Tomcat, forwarding 
what needs to be and serving the rest either locally or by proxying it 
somewhere else, do the authentication on behalf of itself and of Tomcat 
with just about any back-end imaginable, balancing between several 
back-end Tomcats, modifying requests to Tomcat on-the-fly and modifying 
Tomcat's responses if need be also, cache responses, negotiate content,
track user activity and whatnot, and that is all just with the standard 
modules available directly within the standard Apache distribution.

Tomcat cannot do the same for Apache.  And it does not want to do it, 
because its focus is on being a good java servlet server, not on being a 
universal webserver like Apache httpd wants to be.

Now maybe in another 10 years, Tomcat will be able to do all these 
things too.  But by then maybe Java will be out of fashion (remember 
Pascal, PL/1, RPG ?) and all decent webservers will be written in Erlang.








Re: Why we need two servers (httpd and tomcat)

Posted by Leon Rosenberg <ro...@googlemail.com>.
I'm sorry, I can't shut up my mouth on this, but you are telling myths :-)

On Mon, Apr 27, 2009 at 6:46 PM, Robin Wilson <rw...@kingsisle.com> wrote:
> I can't answer for others - but one of the big values in a 'production' environment is to separate concerns. The apache servers can sit in a different DMZ area, and have only static (and unprotected) content on them. The tomcat servers have another firewall between them and the apache servers - and they host the webapps, and have access to protected content (which is controlled via servlets). In addition, the apache servers have no access to the databases, so an attacker would have to break through both the apache and the tomcat defenses in order to gain access to the database content.

Sorry, this is no security at all. If the attacker was able to break
your OS once and come to your apache httpd server, he will be able to
break it a second time and come to the tomcat serving server. Increasing
complexity doesn't necessarily increase security; the truth is that more
complexity usually compromises security. Anyway, an unfiltered
connection between your httpd and your tomcat server exists (ajp), and
the attacker can exploit it directly, since httpd will just send all
mapped requests 1 on 1.
Finally, httpd is written in C and therefore vulnerable to all kinds of
attacks a java program is not, like buffer/heap overflows,

>
> In addition to more granular security (as described above), having isolated the web layer from the application layer allows you to independently adjust the performance of each. If you are finding that your system serves a lot more static content than it does 'application' functionality, you may need several web servers to handle the load. Likewise, if your system is application focused, you may need more tomcat servers (probably clustered) than web servers.

The short answer to that would probably be, if you have performance
concerns, you just do not use apache httpd. If you want/need to
load-balance, a hardware load balancer is the weapon of choice. If you
need to serve a lot of large static content (pictures) you put
reverse proxies in front of your tomcats. If you need to serve static
content (js, css etc) along with dynamic content, you let tomcat
handle it, it serves static content faster than httpd anyway.

Imho, the only valid use for httpd in front of tomcat is when you are
a one-man one-server company and need to host a lot of virtual stuff
on your box including php and such. Everything else and you are better
off without httpd :-)

regards
Leon

P.S. to determine whether you need or do not need httpd in front of
your tomcat, stick with the KISS principle: ask yourself the question:
will it ease your pain and really really solve your problems without
adding new ones? In most cases the answer will be no :-)

>
> All that being said, it's really a matter of the needs for your particular deployment. If you have no serious security concerns, and you don't need to isolate the web load from the application server load - a single server running tomcat is perfectly acceptable.
>
> --
> Robin D. Wilson
> Director of Web Development
> KingsIsle Entertainment, Inc.
> WORK: 512-623-5913
> CELL: 512-426-3929
> www.KingsIsle.com
>
>
>
> -----Original Message-----
> From: Elmar Haneke [mailto:elmar@haneke.de]
> Sent: Monday, April 27, 2009 11:27 AM
> To: Tomcat Users List
> Subject: Re: Why we need two servers (httpd and tomcat)
>
>> And why do we need these two servers in the first place.
>
> Running tomcat in stand-alone-mode might be sufficient for a website
> not depending on modules available in httpd only (such as PHP, mod_rewrite or
> server-side includes).
>
> Elmar
>



RE: Why we need two servers (httpd and tomcat)

Posted by Robin Wilson <rw...@kingsisle.com>.
I can't answer for others - but one of the big values in a 'production' environment is to separate concerns. The apache servers can sit in a different DMZ area, and have only static (and unprotected) content on them. The tomcat servers have another firewall between them and the apache servers - and they host the webapps, and have access to protected content (which is controlled via servlets). In addition, the apache servers have no access to the databases, so an attacker would have to break through both the apache and the tomcat defenses in order to gain access to the database content.

In addition to more granular security (as described above), having isolated the web layer from the application layer allows you to independently adjust the performance of each. If you are finding that your system serves a lot more static content than it does 'application' functionality, you may need several web servers to handle the load. Likewise, if your system is application focused, you may need more tomcat servers (probably clustered) than web servers.

All that being said, it's really a matter of the needs for your particular deployment. If you have no serious security concerns, and you don't need to isolate the web load from the application server load - a single server running tomcat is perfectly acceptable.

--
Robin D. Wilson
Director of Web Development
KingsIsle Entertainment, Inc.
WORK: 512-623-5913
CELL: 512-426-3929
www.KingsIsle.com



-----Original Message-----
From: Elmar Haneke [mailto:elmar@haneke.de] 
Sent: Monday, April 27, 2009 11:27 AM
To: Tomcat Users List
Subject: Re: Why we need two servers (httpd and tomcat)

> And why do we need these two servers in the first place.

Running tomcat in stand-alone-mode might be sufficient for a website
not depending on modules available in httpd only (such as PHP, mod_rewrite or
server-side includes).

Elmar



Re: Why we need two servers (httpd and tomcat)

Posted by Elmar Haneke <el...@haneke.de>.
> And why do we need these two servers in the first place.

Running tomcat in stand-alone-mode might be sufficient for a website
not depending on modules available in httpd only (such as PHP, mod_rewrite or
server-side includes).

Elmar
