Gregor Schneider wrote:
> On 1/9/07, Markus Schönhaber <[EMAIL PROTECTED]> wrote:
> > Did you read the article that is subject to this thread?
>
> yep
>
> > I don't think I understand how your post relates to mine.
>
> My post relates to yours and to some other posts here in that sense
> that you (and others) stated that putting apache httpd in front of
> tomcat would decrease security.
Wrong. I never stated that an httpd in front of Tomcat would *always* decrease
security. Please read again what I wrote.
Indeed, I do think that putting an httpd in front of Tomcat *without need* is
dumb, needlessly adds al level of complexity to the system and potentially
decreases the overall security of the system.
OTOH there a very good reasons to use a httpd-Tomcat combination. Alas,
the "only reason" there "usually" is, as you said, I wouldn't count amongst
the good reasons. Tomcat serves static content just fine. In combination with
APR even finer. I've never seen it necessary to use httpd just because of
static content. I've read this claim ("httpd is superior for static content")
many times, but I've never seen the one making that claim also providing
facts that back up it's truth. Of course, YMMV.
Top of *my* list of good reasons for using httpd and Tomcat together is a
httpd that acts as load-balancer for multiple Tomcat instances.
Second comes the httpd that's already there and isn't going away. This one
obviously is already part of the system's complexity and therefore won't add
to it.
> that's definately not the case.
"Definitely"? Hm, again such an absolute claim of yours for which you provide
no facts to back it up.
> when reading those posts, somebody
> might think that putting apache in front might even break security.
And he might think right. If you're adding complexity to the system you should
be aware that there's the need to add even more sensible care to the system.
If you fail to do that, the overall security will very propably be lower. As
I see it, the chain of security is just as strong as it's weakest link.
Likewise a httpd that is configured perfectly secure won't help if the Tomcat
it handles requests to can be bugged into starting a root shell.
> since it's a real-world-scenario having apache httpd in front of
> tomcat, i'm just saying that nobody should worry about this
> combination.
My point is: one should worry about every piece of software installed. Even
more so if it is accessible from an untrusted network. The more software, the
more there is to worry about.
> however, to make it clear: you are right, putting apache in front TO
> IMPROVE SECURITY doesn't make sense.
OK, at least wrt this point we see things the same way.
> OTOH, i'd rather have apache in
> front than running tomcat on port 80 via jsvc or as a service.
I'd like to repeat Chuck's question: why?
Regards
mks
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
