I run Tomcat behind HTTPD, and one of the things I like best about the arrangement is admittedly trivial: I don't have to fight with the Java keytool to set up SSL.

There are some disadvantages:

o Apache is a large pile of code. If you are doing nothing but pass all requests through it, you are giving yourself more opportunities to misconfigure your service and an attacker more potential weak spots to probe for.

o You have to configure and maintain two server products instead of one.

o Passing requests and responses between two processes via the network stack is going to cost you a little performance. (Although I would say that if that little hit is going to be noticed, your server is underconfigured.)

I should say that the reason I got started using these in tandem was that it was difficult and messy to run Tomcat as a nonprivileged user and yet make it visible on the standard ports (which are only available to privileged users on most Unix-alikes). Nowadays you can use jsvc to start Tomcat with priv.s and then drop them after its sockets are set up, so that is a less compelling argument. If I only wanted HTTPD for privilege separation, I might just do without today.

--
Mark H. Wood, Lead System Programmer   mwood@xxxxxxxxx
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.
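A check a defender could run after a start-privileged-then-drop launch such as the jsvc one mentioned in the message above; this is an added example, not part of the original post and not jsvc's own code. It reads Linux `/proc/<pid>/status` text and lists signs that the drop was incomplete; the function names and the two sample status texts are constructed for illustration.

```python
import sys

# Constructed samples of /proc/<pid>/status text (not captured from a real host).
DROPPED = (
    "Name:\tjava\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n"
    "Groups:\t1001\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
)
# Saved uid still 0, gid 0 kept as a supplementary group, one capability bit left.
HALF_DROPPED = (
    "Name:\tjava\nUid:\t1001\t1001\t0\t1001\nGid:\t1001\t1001\t1001\t1001\n"
    "Groups:\t0 1001\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
)

def parse_status(text):
    """Return {field: [values]} from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return fields

def audit_privilege_drop(text):
    """List reasons the process could still act as, or return to, root."""
    f = parse_status(text)
    findings = []
    # Order of the four ids on the Uid and Gid lines.
    names = ("real", "effective", "saved", "filesystem")
    for key in ("Uid", "Gid"):
        ids = f.get(key, [])
        if len(ids) != 4:
            findings.append(f"{key} line missing or malformed")
            continue
        findings += [f"{n} {key.lower()} is 0" for n, v in zip(names, ids) if v == "0"]
    if "0" in f.get("Groups", []):
        findings.append("supplementary groups include gid 0")
    for key in ("CapPrm", "CapEff"):
        raw = (f.get(key) or ["0"])[0]
        if int(raw, 16) != 0:
            findings.append(f"{key} is non-empty ({raw})")
    return findings

if __name__ == "__main__":
    # With a pid argument, audit that live process; otherwise audit the samples.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"dropped": DROPPED, "half-dropped": HALF_DROPPED}
    for label, text in samples.items():
        print(label, audit_privilege_drop(text) or "no root-equivalent identity found")
```

A saved uid of 0 matters because a process that changed only its effective uid can switch back to root. A non-empty capability set is reported for review and is not on its own proof of a misconfiguration.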