On 3/15/2010 8:52 PM, 夏蒸鑫 wrote: > maybe,I don't know. > but there is one point that we must believe. > that is,tomcat's stable version is more secure than devel version of httpd. Really? You have over a century, perhaps 2 centuries of security experience among the experts who monitor httpd commits, and that is only the core developers who aren't out to profit over httpd's flaws to become blips on the httpd radar. Hundreds of researchers are watching httpd commits for the opportunity to say 'gotcha', and hundreds more for the opportunity to quietly exploit a vulnerability. It will be nice once the tomcat project grows to such proactive oversight. All that said, neither is 'better'; the advantage of running httpd in front of a tomcat server is that one is likely to avert an exploit in the other, due to the fact that you have two sets of parsers in place, each rejecting bogus requests, so the chances of a defect in one server showing up are significantly minimized. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx