tomcat-users mailing list archives

From "Turner, John" <JTur...@AAS.com>
Subject RE: mod_jk
Date Mon, 03 Feb 2003 13:07:38 GMT

1.  There's really no document (that I know of), and hopefully my comments
weren't taken as a claim that Tomcat is inherently insecure.  Lots of
administrators, especially in the UNIX/Linux world, have an aversion to
running services as root, especially web servers.  In order for Tomcat to
bind to port 80, it has to run as root (ports less than 1024 require root
privileges for services to bind).  Apache runs as root, but uses child
processes with more restrictive privileges to serve actual requests.  On the
Windows side, everything runs as SYSTEM (essentially the equivalent of
"root") by default (yuck!).

There are all sorts of reasons why you might want to use Apache with Tomcat:


- don't have to run a service as root
- need support for Apache modules like mod_rewrite or a custom Apache module
- need support for PHP or other CGI-type technologies
- need support for Apache-style access restrictions
- need to load-balance to multiple Tomcats (JK and JK2 can do this)
- need to support various types of virtual hosting, not all of which require
a servlet container
- and more

2.  You can always look through the source, and I'm sure your specific
questions would get answered pretty fast on the tomcat-dev list.

John

> -----Original Message-----
> From: rf [mailto:rufoo2001@yahoo.com]
> Sent: Monday, February 03, 2003 7:21 AM
> To: Tomcat Users List
> Subject: RE: mod_jk
> 
> 
> Hello John
> Thanks for your email.
> 1. What are the advantages of using Apache on top of
> Tomcat (with regards to security and otherwise)? If
> there is a document already, please point me to that.
> 2. Where can I know more about the AJP protocol? 
> 
> ~rf
> 
> --- "Turner, John" <JTurner@AAS.com> wrote:
> > In production, you only want the connectors used for actual connections to
> > be enabled.  If you're leaving port 8080 open, there's really no purpose for
> > Apache, as one of the primary purposes of using Apache on port 80 instead of
> > Tomcat is security.  Leaving Tomcat available on 8080 undermines this goal.
> > So, if you are using a connector at all, there's no reason to have any port
> > open except the connector port.
> >
> > The protocol used by the JK/JK2 connectors is not HTTP.  It is called "AJP",
> > which, I believe, stands for "Apache JServ Protocol".  JServ was the
> > "original" Apache + Tomcat connector.
> > 
> > John
> > 
> > -----Original Message-----
> > From: rf [mailto:rufoo2001@yahoo.com] 
> > Sent: Monday, February 03, 2003 2:29 AM
> > To: Tomcat Users List
> > Subject: Re: mod_jk
> > 
> > 
> > Thank you Lajos and Oscar.
> > Btw, what is the interface Apache uses to communicate
> > to Tomcat at 8009? I guess it won't be HTTP. For
> > security reasons, I assume it would be safer to run
> > all tomcat processes on the lo interface. Is this
> > correct, and recommended?
> > 
> > ~rf.
> > 
> > 
> > --- Lajos <lmocz@galatea.com> wrote:
> > > Rf -
> > > 
> > > When you use mod_jk, Apache communicates to Tomcat on (default) port
> > > 8009. Port 8080 is for direct HTTP connections to Tomcat which, by
> > > default, is enabled. So, the answer is yes: you can expose web
> > > applications to Apache via mod_jk, and access them on the Apache port,
> > > but also access them by pointing your browser directly to the Tomcat port.
> > > 
> > > Regards,
> > > 
> > > Lajos
> > > 
> > > 
> > > rf wrote:
> > > > When I use a tomcat-apache connector to redirect http
> > > > requests to port 80 to port 8080, can I still use port
> > > > 8080 to connect to tomcat directly bypassing apache?
> > > > If yes, how do I not allow this? By running tomcat on
> > > > lo's 8080? What about on Windows?
> > > > 
> > > > Thank you
> > > > Rf
> > > > 
> > > >
> > __________________________________________________
> > > > Do you Yahoo!?
> > > > Yahoo! Mail Plus - Powerful. Affordable. Sign up
> > > now.
> > > > http://mailplus.yahoo.com
> > > > 
> > > >
> > >
> >
> ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail:
> > > tomcat-user-unsubscribe@jakarta.apache.org
> > > > For additional commands, e-mail:
> > > tomcat-user-help@jakarta.apache.org
> > > > 
> > > > 
> > > 
> > > 
> > > --
> > > 
> > > 
> > > 
> > >                     Lajos Moczar
> > >        ----------------------------------------
> > >      Open Source Support, Consulting and Training
> > >        ----------------------------------------
> > >              Cocoon Developer's Handbook
> > >  
> > >
> > (www.amazon.com/exec/obidos/tg/detail/-/0672322579)
> > > 
> > >                     _      _____
> > >                    / \         /
> > >                   /___\      /
> > >                  /     \   /____
> > > 
> > >       http://www.galatea.com -- powered by AzSSL
> > > 
> > > 
> > ---
> > 
> > Checked by AVG anti-virus system
> > (http://www.grisoft.com).
> > Version: 6.0.449 / Virus Database: 251 - Release
> > Date: 1/27/2003
> >  
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
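
A configuration check for the advice in this thread (leave only the connector port open, keep Tomcat on the loopback interface), as an added example that is not part of the original messages. It assumes Apache and Tomcat share one host, that connectors are declared with the `protocol` and `address` attributes of `<Connector>` in server.xml, and that a connector with no `address` listens on all interfaces; the sample server.xml is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

def is_loopback(address):
    """True only for a literal loopback IP or the name 'localhost'."""
    if address is None:            # assumption: no address = all interfaces
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:             # other hostnames cannot be judged offline
        return False

def audit_connectors(server_xml):
    """Return (port, protocol, finding) for each connector worth reviewing."""
    root = ET.fromstring(server_xml)
    connectors = [
        (c.get("port", "?"), c.get("protocol", "HTTP/1.1"), c.get("address"))
        for c in root.iter("Connector")
    ]
    # Matches "AJP/1.3" as well as AJP protocol handler class names.
    has_ajp = any("ajp" in proto.lower() for _, proto, _ in connectors)
    findings = []
    for port, proto, address in connectors:
        exposed = not is_loopback(address)
        if "ajp" in proto.lower():
            if exposed:
                findings.append((port, proto, "AJP connector reachable beyond loopback"))
        elif has_ajp and exposed:
            # Apache fronts the application, yet Tomcat still answers HTTP itself.
            findings.append((port, proto, "direct HTTP connector bypasses the Apache front end"))
    return findings

if __name__ == "__main__":
    for port, proto, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port} ({proto}): {finding}")
```

If Apache runs on a different host from Tomcat, the AJP connector cannot be loopback-only; treat that finding as a prompt to restrict the port to the Apache host with a firewall rule instead.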

