tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From George Sexton <>
Subject Re: Why we need two servers (httpd and tomcat)
Date Tue, 28 Apr 2009 17:50:11 GMT
Robin Wilson wrote:
> I like how your argument presumes the most foolish configuration for
> Apache vs. the ideal configuration if you only use tomcat. If you

If you're doing the "ideal configuration" and only using tomcat, then
what's the point of putting httpd on in the first place? Even if you
only use apache w/ mod_jk, you're tripling your attack surface. Why do

Really, why insert httpd at all if you're not going to have PHP or other 
things involved. You're just adding an extra two layers into your request.

With the Tomcat connector, the request goes to the connector and is 

With Apache httpd, it gets the connection. The request gets handed to 
mod_jk. Via the URI Worker map, mod_jk shoves the data to the 
appropriate worker's connector for servicing.

 From a practical standpoint, it's much easier to not have Apache httpd 
in the process. If you deploy a new host using the host manager 
application, it starts working. With httpd, you have to modify the 
configuration files and reload it. I run hundreds of tomcat virtual 
hosts spread across three servers, so this is something I understand 
pretty well.

> want to go that route, the default tomcat install includes a bunch of
> 'examples' and other exploitable stuff - why not assume that they
> left all that at the default values as well?

As far as a "default" tomcat install goes, I use the catalina
base/catalina home deployment methodology, so I'm not carrying all of 
the sample application baggage with me, not even by accident. As a side
benefit, it makes upgrading new tomcat releases a little less painful.

> -- Robin D. Wilson Director of Web Development KingsIsle
> Entertainment, Inc. WORK: 512-623-5913 CELL: 512-426-3929 
> -----Original Message----- From: George Sexton
> [] Sent: Tuesday, April 28, 2009 10:30
> AM To: Tomcat Users List Subject: Re: Why we need two servers (httpd
> and tomcat)
> Robin Wilson wrote:
>> As for your assertion that 2 layers of security is just complexity 
>> and not more secure - you obviously haven't run many enterprise 
>> production systems. Security in an enterprise system is all about 
>> 'layers' of protection. And sure, if they hack one layer - they are
>>  probably good enough to hack the next layer. But that's where 
>> intrusion detection and a variety of other system come into play. 
>> It's all about slowing down the advance of the attack until you can
>>  do something about it.
> In theory, you're right. Defense in depth is a sound and established
>  practice. I remember as a Marine, reading company level tactics
> books that laid out how to set up a rifle company for defense in
> depth.
> In this particular instance you're just wrong. Putting apache in
> front of Tomcat makes the visible surface for attack about 10 times
> bigger. If you're running Apache httpd, you've probably got PHP
> running which is a huge security attack area, and then there are
> probably 20 other modules that are loaded by default. Instead of
> having a small gate to defend, you now have 10 gates to defend.
> You believe that to get your system, they have to get through httpd,
> and then through tomcat. This is your defense in depth theory. It's
> just wrong. If there's a buffer overflow in httpd, then they just
> have to exploit that to get on your machine.
> Layers of protection in an Enterprise security system would be
> firewalls protecting the perimeter, intrusion detection systems
> monitoring network traffic, monitoring systems that detect changes in
> the host systems.
> So, by all means do defense in depth. Just don't delude yourself into
>  thinking that putting httpd in front of tomcat adds a layer of
> security. It doesn't.

George Sexton
MH Software, Inc.
Voice: +1 303 438 9585

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message