tomcat-users mailing list archives

From Tim Funk
Subject Re: Tomcat as a standalone webserver. Why not?
Date Thu, 01 Jun 2006 11:29:12 GMT
This is getting dated but is still somewhat accurate:

The latest versions of Tomcat are comparable to Apache in delivering static 
content. But in reality - unless your site is very high traffic - this is not 
an issue. It's ([expensive dynamic content] + [high concurrency]) which will 
hurt your scalability.

For security, Apache is more likely to be attacked than Tomcat since it has a 
wider usage base. (Notice how Windows/IE is attacked a lot, Mac attacks are 
coming, Linux attacks are already here, ...) Because of the higher threat to 
Apache - there are more resources dedicated to looking for Apache 
vulnerabilities and media outlets are more inclined to make Apache 
vulnerabilities front page news. (I'm not saying this is right, it's just the 
world we live in). In a good Apache + Tomcat installation, only Apache is 
publicly available to the internet. Tomcat is only accessible by an internal 
network AND Apache. This should make Tomcat very secure since the only 
attacks it can receive are via Apache or an internal network. (But there have 
been attacks against Apache and other servers which act as proxies by using 
HTTP response splitting.)

Personally - I like having Apache in front of Tomcat because I find it easier 
to do CGI, static content directory aliasing, and the volume of available 
modules to be very convenient. It also allows my site to be up with a higher 
uptime since I can restart / replace a Tomcat and in those periods of 
downtime - I can reconfigure Apache to have an outage message.



Danny Lee wrote:
> Hi guys!
> I'm wondering if it's really so good to use Tomcat behind "a real" web 
> server like Apache or IIS.
> In my Tomcat 5 book there are two reasons to do so:
> 1. Tomcat is not as secure as common web servers, especially if you 
> want to use CGI and SSI (I don't think I want to)
> 2. Tomcat is slow delivering static content.
> Well, as long as it's just planned to use only 1 server for my application,
> I don't think both points are true for me. On the Tomcat site 
> there's a note about performance:
> "When using a single server, the performance when using a native 
> webserver in front of the Tomcat instance is most of the time 
> significantly worse than a standalone Tomcat with its default HTTP 
> connector, even if a large part of the web application is made of static 
> files"
> And security... what about security? Why is Tomcat behind Apache
> more secure than without it, especially (as I said) if both are running
> on the same server.
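
The layout described in the message above (only Apache faces the internet, Tomcat reachable only from Apache or an internal network) can be checked against Tomcat's own `server.xml`. The following is an added example, not part of the original post or of the Tomcat project: the sample configuration is constructed, the function names are hypothetical, and a `Connector` with no `address` attribute is treated as listening on all interfaces, which is an assumption to confirm for your Tomcat version.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml for illustration (not taken from the thread).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8443" protocol="HTTP/1.1" address="0.0.0.0" />
    <Connector port="8010" protocol="AJP/1.3" address="10.0.0.5" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""


def is_internal(address):
    """True only if the bind address is provably loopback or private."""
    if address is None:
        # Assumption: no address attribute means "all interfaces".
        return False
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        # A hostname cannot be judged offline, so treat it as not proven.
        return False
    # 0.0.0.0 and :: mean "every interface" and must never count as internal.
    return not ip.is_unspecified and (ip.is_loopback or ip.is_private)


def exposed_connectors(server_xml):
    """Return (port, protocol, address) for connectors not bound internally."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if not is_internal(addr):
            proto = conn.get("protocol", "HTTP/1.1")
            findings.append((conn.get("port"), proto, addr or "*"))
    return findings


if __name__ == "__main__":
    for port, proto, addr in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"{proto} connector on {addr}:{port} is not limited to "
              "loopback or a private address")
```

A private bind address only narrows which interface Tomcat listens on; a host firewall rule is still needed if other machines on that network should not reach the connector.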
