Message-ID: <4B9EF7FD.80705@rowe-clan.net>
Date: Mon, 15 Mar 2010 22:16:13 -0500
From: "William A. Rowe Jr."
To: users@httpd.apache.org
CC: 夏蒸鑫
Subject: Re: [users@httpd] Is web server in front of app server necessary?

On 3/15/2010 8:52 PM, 夏蒸鑫 wrote:
> maybe, I don't know.
> but there is one point that we must believe.
> that is, tomcat's stable version is more secure than devel version of httpd.

Really?

You have over a century, perhaps 2 centuries of security experience among the
experts who monitor httpd commits, and that is only the core developers who
aren't out to profit over httpd's flaws to become blips on the httpd radar.
Hundreds of researchers are watching httpd commits for the opportunity to say
'gotcha', and hundreds more for the opportunity to quietly exploit a vulnerability.

It will be nice once the tomcat project grows to such proactive oversight.

All that said, neither is 'better'; the advantage of running httpd in front of
a tomcat server is that one is likely to avert an exploit in the other, due to
the fact that you have two sets of parsers in place, each rejecting bogus requests,
so the chances of a defect in one server showing up are significantly minimized.