tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Why we need two servers (httpd and tomcat)
Date Thu, 30 Apr 2009 19:58:25 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leon,

On 4/27/2009 1:59 PM, Leon Rosenberg wrote:
> On Mon, Apr 27, 2009 at 6:46 PM, Robin Wilson <rwilson@kingsisle.com> wrote:
>> The apache servers can sit in a different DMZ area
> 
> Sorry, this is no security at all. If the attacker was able to break
> your os once and come to your apache httpd server, he will be able to
> break it second time and come to the tomcat serving server. Increasing
> complexity doesn't necessary increase security, the truth is that more
> complexity usually compromise security. Anyway an unfiltered
> connection between your httpd and your tomcat server exist (ajp), and
> the attacker can exploit it directly, since httpd will just send all
> maped request 1 on 1.

A connection that allows only ajp would be, IMO, a "filtered"
connection, not an unfiltered one. Just because an attacker can break
into Apache httpd on a publicly-available web server doesn't guarantee
that he will be able to break through your ajp connection into the app
server. I'm not sure how you can logically connect a web server
intrusion with a definite app server intrusion.

> Finally, httpd is written in C and therefore vulnerable to all kind of
> attacks a java program is not like buffer/heap overflows.

True, which is exactly why breaking into the web server and breaking
into the app server would require different techniques. Therefore
compromising the web server does not necessarily equal an app server
break-in.

>> In addition to more granular security (as described above), having
>> isolated the web layer from the application layer allows you to
>> independently adjust the performance >of each.
> 
> The short answer to that would probably be, if you have performance
> concerns, you just do not use apache httpd. If you want/need to
> loadbalance, a hardware loadbalancer is the weapon of choice. If you
> need to serve a lot of large static content (pictures) you put
> reverse proxies in front of your tomcats.

...and run /what/ as your reverse proxies?

> If you need to serve static content (js, css etc) along with dynamic
> content, you let tomcat handle it, it serves static content faster
> than httpd anyway.

Citation? Or more Tomcat FUD ;)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkn6AuEACgkQ9CaO5/Lv0PBMKwCeKwfzn7Pgwpl+DoKqbo93NEef
o30AoJ7e7ZddDISQj/lP0WEkdqEsXGDh
=qKnx
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message