tomcat-users mailing list archives

From Brian Braun <>
Subject How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?
Date Sat, 12 Jan 2013 23:56:49 GMT

This is my infrastructure, from the point of view of what my
users/attackers are facing:

- Amazon web service Elastic Load balancer

- 2 or more Ubuntu Linux VPSs behind the load balancer

- IPTables running inside Ubuntu

- JVM 1.6.0_35-b10

- Tomcat 7.0.33

- My app, running inside Tomcat

I want to stop if one person starts making an excessive amount of requests
to my app, maybe because he needs to make all those requests but didn’t
know there is a service limit in the RESTful service I'm providing, maybe
because he doesn’t care about the service limits, or maybe because he wants
to attack me with a DoS.

I can do it at the app level using a servlet filter and I'm already
filtering them by IPs there, but that is not the best solution because the
http requests will go all the way to my app, causing a lot of work to the
previous layers (from the OS to the app).

I can also do it at the Tomcat level using valves even at the engine level,
but the same concern applies here: too much previous effort. Besides that,
I can not update the offending IPs registered in the valve in a
programmatic way (as I can do using servlet filters and a MySQL database
containing the offending IPs).

I can NOT do it at the IPTables level, because the real IP address is in
the "x_forwarded_for" header and IPTables deals with TCP/IP, not with HTTP.
Or at least, even if there is a way to create a rule, it will not run in an
efficient way.

I will NOT be able to do it at the load balancer level, because Amazon
doesn't allow us to stop some IPs there, not to mention a way to stop a

I have been doing some research, and it seems that I have two good
options: Installing Apache HTTPD server or NGINX, before Tomcat. I know a
lot about Tomcat, but almost nothing about Apache HTTPD and nothing about
NGINX. Which one would you recommend me? This is what I’m looking for:

- To be able to evaluate the x_forwarded_for header to recognize the real
IP address (because there will be a load balancer behind)

- To be able to limit the rate of requests based on the IP making it enter
my site at a slower rate, or if that is not possible to reject the excessive

- To place this new layer (HTTPD or NGINX) between the load balancer and
Tomcat, so Tomcat will still run the app. My app has been written in Java
and I love java/Tomcat, so this will definitely existing.

- Speed, low resources consumption (mainly CPU and RAM), stability,

- Easy to learn, install and maintain.

Which one would you recommend, Apache or NGINX? I guess it would be better
to use Apache because of all the documentation and information out there,
and it would not harm me to finally learn about Apache. But I read
somewhere that NGINX is especially fast and light in doing this (stopping
DoS). However, I read that it is easier to connect HTTPD and Tomcat while
it is not that easy NGINX/Tomcat.

Or is there a better solution to stop users making an excessive amount of
requests, using just Tomcat? Is there a filter somewhere that could help
me, or a valve I haven't heard of?
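The setup the post is asking about (a reverse proxy between the ELB and Tomcat that recovers the client address from X-Forwarded-For and throttles per client) can be expressed as an nginx configuration. The following is an added example written for this archive, not configuration from the original post or from the Tomcat or nginx projects. It assumes the load balancer reaches nginx from the 10.0.0.0/8 range, that Tomcat listens on 127.0.0.1:8080, and that a limit of 10 requests per second with a burst of 20 is acceptable; all three values are placeholders to be replaced with your own.

```nginx
# Added example: nginx as a rate-limiting layer between an ELB and Tomcat.
# Assumed values: 10.0.0.0/8 (ELB address range), 127.0.0.1:8080 (Tomcat),
# 10r/s with burst=20 (limit). Adjust to your environment.

http {
    # Trust X-Forwarded-For only when the request arrives from the ELB.
    # With real_ip_recursive on, nginx walks the header from the right and
    # stops at the first address that is NOT in a trusted range, so a value
    # the client itself put into X-Forwarded-For is not believed.
    set_real_ip_from  10.0.0.0/8;          # assumption: ELB address range
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # One 10 MB shared-memory zone keyed on the (now corrected) client
    # address; ~160k addresses fit in 10 MB. 10 requests/second per client.
    limit_req_zone $binary_remote_addr zone=perclient:10m rate=10r/s;

    # Tell clients they were throttled rather than returning a generic 503.
    limit_req_status 429;

    upstream tomcat {
        server 127.0.0.1:8080;             # assumption: local Tomcat connector
    }

    server {
        listen 80;

        location / {
            # Allow short bursts of up to 20 extra requests, pass them through
            # immediately (nodelay), and reject anything beyond that with 429
            # before it ever reaches Tomcat.
            limit_req zone=perclient burst=20 nodelay;

            proxy_pass http://tomcat;

            # Pass the resolved client address on to Tomcat so the app (or a
            # RemoteIpValve) still sees who the request came from.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Two points worth checking in such a deployment: the `set_real_ip_from` range must cover only the load balancer, since any source listed there can forge the client address and escape the limit; and throttled requests (status 429 above) are worth logging and watching, because a sudden rise in them is the earliest sign of the traffic pattern the post describes. For the Tomcat-only route the post also asks about, Tomcat 7 ships `org.apache.catalina.valves.RemoteIpValve`, which rewrites `request.getRemoteAddr()` from X-Forwarded-For using a configured list of trusted internal proxies, so a servlet filter behind it can key its limits on `getRemoteAddr()` instead of parsing the header itself.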
