httpd-users mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Is web server in front of app server necessary?
Date Tue, 16 Mar 2010 03:16:13 GMT
On 3/15/2010 8:52 PM, 夏蒸鑫 wrote:
> maybe, I don't know.
> but there is one point that we must believe.
> that is, tomcat's stable version is more secure than devel version of httpd.

Really?

You have over a century, perhaps 2 centuries of security experience among the
experts who monitor httpd commits, and that is only the core developers who aren't
out to profit over httpd's flaws to become blips on the httpd radar.  Hundreds of
researchers are watching httpd commits for the opportunity to say 'gotcha', and
hundreds more for the opportunity to quietly exploit a vulnerability.

It will be nice once the tomcat project grows to such proactive oversight.

All that said, neither is 'better'; the advantage of running httpd in front of
a tomcat server is that one is likely to avert an exploit in the other, due to the
fact that you have two sets of parsers in place, each rejecting bogus requests, so
the chances of a defect in one server showing up are significantly minimized.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

