From: Jess Holle
Date: Mon, 27 Apr 2009 17:20:38 -0500
To: Tomcat Users List
CC: "aw@ice-sa.com"
Subject: Re: Why we need two servers (httpd and tomcat)

Jess Holle wrote:
> Robin Wilson wrote:
>> For the record, my answer was neither stupid nor reflexive. I simply pointed out why someone might want 2 layers of servers (httpd and tomcat). And certainly, my rationale is both sound and arguable at the same time.
>>
>> As for your assertion that 2 layers of security is just complexity and not more secure - you obviously haven't run many enterprise production systems. Security in an enterprise system is all about 'layers' of protection. And sure, if they hack one layer - they are probably good enough to hack the next layer. But that's where intrusion detection and a variety of other systems come into play. It's all about slowing down the advance of the attack until you can do something about it.
>>
>> As for performance, have you run any load testing against tomcat vs. apache - especially on static files? Apache exceeds tomcat in performance by a large margin. When you are serving millions of pages a day, and tens of millions of static files (images, css, js, videos, audios, etc.), that makes a significant difference in the amount of hardware you have to throw at the problem.
>>
>> So you may be absolutely correct - it is not 'necessary' in a lot of cases. But in many production - enterprise - deployments, it can be useful to have a layer of web servers and a separately managed layer of application servers - and that same model works just fine with Apache and Tomcat.
>>
> I think the Tomcat folk would dispute your assertion on performance --
> in particular when Tomcat is used with native APR.
>
> That said, the biggest reason I know of for Apache fronting Tomcat is
> load balancing across Tomcats.
>
> If you have a hardware load balancer doing that, then there are lesser
> reasons, e.g.:
>
>     * there are more security plug-ins for Apache (e.g. SiteMinder and
>       the like),
>     * multi-LDAP authentication support is built into Apache,
>
It is my understanding that the next Tomcat release will provide multi-LDAP authentication support, by the way.
>
>     * various existing Apache modules (e.g. mod_redirect) allow some
>       classes of problems to be solved by configuration that would
>       require coding in Tomcat.
>
> On this last note, however, I'd say that writing necessary
> filter/listener/handler code for Tomcat can generally be done in a
> manner that is portable to any up-to-date servlet engine, is /far/
> easier than writing code for Apache modules, and is sometimes even
> easier than achieving the same end by configuring modules in Apache
> (where that approach is sufficient).