tomcat-users mailing list archives

From André Warnier
Subject Re: How to limit tomcats thread consumption?
Date Fri, 08 Apr 2011 08:53:03 GMT
Michael Jerger wrote:
> On Tuesday, 5 April 2011, 18:13:57, Michael Jerger wrote:
>> Andre wrote:
>>> That is one of those areas where giving a precise answer is not easy,
>>> because it depends on so many things..
>>> You can run two separate Apache httpd instances of course, each with its
>>> individual MaxClients setting.  But then you will have to give them
>>> separate listening ports, which may or may not make other things more
>>> complicated in your case.
>> I'm not sure about this - let me figure this out the next days. Are you
>> interested in a way to run two instances on the same port?
>> I think I've seen such a configuration already ...
> Found out how it works ... but I think, this solution is new only to me - but 
> anyhow :-)
> Many apache instances on one machine can run
> * either on 1IP & different ports
> * or on different IPs & same port

Well, let me throw in some additional confusion then : you can even run a single Apache 
httpd instance, with several VHosts, each listening on a separate IP address.
See :

>> thank you very much for the elaborated answer - there are some good points
>> to think about.
>> One question left for me (I think, you asked it already) - why using apache
>> in front of tomcat at all - if it's so complicated to configure?
>> Do you have an answer to that question?
>> For me the answer is - security, loadbalancing and client certificate
>> handling - at least in general and for larger applications.

A lot of people just use Apache httpd as a front-end, because that is the first 
configuration that they have found, and they do not realise that Tomcat can act as a good 
"normal" webserver too, to serve static html pages.

I would say that if you are using an Apache front-end, but you find yourself forwarding 
"/" to Tomcat, then you most probably do not need Apache.  But a lot of people come to 
this list, who are doing exactly that.

Load-balancing is one good reason.  Tomcat by itself cannot do that, it needs a front-end.
There exist other front-end load-balancers than Apache httpd, open-source/free as well as 
commercial, and hardware-based too.
But Apache httpd is well-known and well-tested, so many people use that.

For scenarios involving user authentication and/or SSL, I personally find it easier to use 
Apache httpd as a front-end, and do the authentication/SSL bit at that level, and pass to 
Tomcat the already authenticated user-id from Apache.

Another thing that Tomcat by itself cannot do, and httpd easily can, is act as a HTTP 
proxy server (forward or reverse).

And then, there are a whole series of cases where Tomcat is not the most appropriate 
server to use for some kinds of contents : for example, running cgi-bin scripts is often a 
lot more efficient (or the only way) under httpd than under Tomcat (which is optimised to 
run Java servlets).

There also exists a very vast library of Apache add-on modules and filters, which is not 
yet matched by the Tomcat/Java add-on libraries (or at least, let's say that they are 
usually much easier to find and set up for Apache httpd than for Tomcat).

My own personal main reason is that I am a perl programmer, and use a lot of perl add-on 
modules for doing all kinds of nifty things at the request and response level.  The 
mod_perl add-on to Apache httpd is very tightly integrated into Apache, very powerful and 
very efficient, and it allows one to leverage the amazing CPAN library of perl modules, 
which can help solve just about any problem under the sun, is extremely well documented, 
concentrated in one place and easy to search and browse.

Generally speaking, I like the Apache httpd / Tomcat combination a lot, because each one 
has different strengths, and the combination is extremely powerful and flexible (as its 
success on the WWW demonstrates).

>> In my scenario described the only good argument would be security - have
>> you ever done/seen a pentest to tomcat without fronting apache?

Security, by itself, should not be a valid enough reason, because Tomcat is as secure as 
httpd.  And if you use Apache httpd as a front-end to Tomcat, there are many opportunities 
for configuring this wrongly, and allow accesses to bypass the Tomcat security mechanisms, 
thus in general making your whole configuration less secure, instead of more so.

>> Do you have a good starting point to read about this topic?
Not really, apart from the whole documentation of Apache httpd and Tomcat.  There are 
little bits and pieces about security spread all over the place.

Probably the one major piece of advice would be : if you are configuring Apache as a 
front-end to Tomcat, then /do not/ allow Apache to access the Tomcat application 
directories directly.  For example, /do not/ configure the Apache DocumentRoot to be the 
same as the Tomcat webapps directory.
(See the red warning here :
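
Added example, not part of the original message: a small check for the misconfiguration described above, where an httpd DocumentRoot or Alias maps onto the Tomcat webapps directory, so that httpd serves files without Tomcat's security constraints applying. The function name, the sample configuration and the `/opt/tomcat/webapps` path are constructed for illustration; POSIX-style paths are assumed.

```python
import posixpath
import shlex

# httpd directives that map URL space onto a filesystem path (their last argument).
MAPPING_DIRECTIVES = {"documentroot", "alias", "scriptalias"}

def _overlaps(served, webapps):
    """True if the two directories are equal or one contains the other."""
    s, w = posixpath.normpath(served), posixpath.normpath(webapps)
    return (s == w
            or w.startswith(s.rstrip("/") + "/")    # httpd serves a parent of webapps
            or s.startswith(w.rstrip("/") + "/"))   # httpd serves a subtree of webapps

def find_webapps_exposure(httpd_conf_text, tomcat_webapps):
    """Return (line_no, directive, path) for every mapping that reaches tomcat_webapps."""
    findings = []
    for line_no, line in enumerate(httpd_conf_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)   # handles quotes and '#' comments
        except ValueError:
            continue    # unbalanced quote: skip the line rather than guess
        if len(tokens) < 2 or tokens[0].lower() not in MAPPING_DIRECTIVES:
            continue
        served = tokens[-1]
        if _overlaps(served, tomcat_webapps):
            findings.append((line_no, tokens[0], served))
    return findings

# Constructed sample: httpd serves the webapps tree directly (the setup to avoid).
RISKY_CONF = """\
# constructed sample, not from the original message
ServerName www.example.test
DocumentRoot "/opt/tomcat/webapps"
Alias /docs /var/www/docs
Alias /app/static "/opt/tomcat/webapps/app/static/"
ProxyPass /app ajp://localhost:8009/app
"""

# Constructed sample: httpd has its own document tree and only proxies to Tomcat.
SEPARATED_CONF = """\
ServerName www.example.test
DocumentRoot "/var/www/html"
ProxyPass /app ajp://localhost:8009/app
"""

if __name__ == "__main__":
    for finding in find_webapps_exposure(RISKY_CONF, "/opt/tomcat/webapps"):
        print("httpd maps into Tomcat webapps: line %d: %s %s" % finding)
```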
