tomcat-users mailing list archives

From Jess Holle
Subject Re: Why we need two servers (httpd and tomcat)
Date Mon, 27 Apr 2009 22:19:09 GMT
Robin Wilson wrote:
> For the record, my answer was neither stupid nor reflexive. I simply pointed out why someone
> might want 2 layers of servers (httpd and tomcat). And certainly, my rationale is both sound
> and arguable at the same time.
> As for your assertion that 2 layers of security is just complexity and not more secure
> - you obviously haven't run many enterprise production systems. Security in an enterprise
> system is all about 'layers' of protection. And sure, if they hack one layer - they are probably
> good enough to hack the next layer. But that's where intrusion detection and a variety of
> other systems come into play. It's all about slowing down the advance of the attack until you
> can do something about it.
> As for performance, have you run any load testing against tomcat vs. apache - especially
> on static files? Apache exceeds tomcat in performance by a large margin. When you are serving
> millions of pages a day, and tens of millions of static files (images, css, js, videos, audios,
> etc.), that makes a significant difference in the amount of hardware you have to throw at
> the problem.
> So you may be absolutely correct - it is not 'necessary' in a lot of cases. But in many
> production - enterprise - deployments, it can be useful to have a layer of web servers and
> a separately managed layer of application servers - and that same model works just fine with
> Apache and Tomcat.

I think the Tomcat folk would dispute your assertion on performance -- 
in particular when Tomcat is used with native APR.

That said, the biggest reason I know of for Apache fronting Tomcat is 
load balancing across Tomcats.

If you have a hardware load balancer doing that, then there are lesser 
reasons, e.g.:

    * there are more security plug-ins for Apache (e.g. SiteMinder and
      the like),
    * multi-LDAP authentication support is built into Apache, 
    * various existing Apache modules (e.g. mod_redirect) allow some
      classes of problems to be solved by configuration that would
      require coding in Tomcat.

On this last note, however, I'd say that writing necessary 
filter/listener/handler code for Tomcat can generally be done in a 
manner that is portable to any up-to-date servlet engine, is /far/ 
easier than writing code for Apache modules, and is sometimes even 
easier than achieving the same end by configuring modules in Apache 
(where that approach is sufficient).

Jess Holle
