On 1/9/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:
Leon's message says flat out that adding Apache httpd reduces security, and provides no basis for that statement. A more appropriate statement might have been that Apache does not add any appreciable measure of security as Tomcat provides the same kinds of protections against unauthorized access, etc.
Allow me to explain this. As other posters already explained, putting httpd in front of Tomcat doesn't increase security. The only way it could increase it would be if it could handle known security issues and protect Tomcat from the use of such exploits. Personally I don't know of any, and even if I did, I would doubt that putting httpd in front would be the best solution, or that httpd can protect something better than a firewall, which is actually designed to protect. Httpd is not.

Can we agree that httpd doesn't increase security now?

Now, moving on: if httpd doesn't increase security, it either a) has zero impact or b) decreases it.

As for option a) (although I don't believe it): even if it would have zero effect, there is always a possibility for the human factor (mistakenly released configs or something). So even with option a), where the sole presence of httpd wouldn't reduce security, its presence would give more opportunity for the human to fail, and therefore reduce security indirectly.

As for option b): httpd is a lot of code. Any code contains bugs. So chances are good that httpd will add its own bugs to the existing Tomcat bugs without hiding some of them. So the overall bug count will increase, therefore increasing the number of possible security-relevant bugs. Therefore decreased security.

q.e.d :-)

However, putting a firewall in front of any webserver to protect the host and the server from attacks it can't deal with seems a very good idea to me :-)

best regards
Leon