Michael Jerger wrote:
Am Dienstag, 5. April 2011, 18:13:57 schrieb Michael Jerger:
Andre wrote:
That is one of those areas where giving a precise answer is not easy,
because it depends on so many things..

You can run two separate Apache httpd instances of course, each with its
individual MaxClients setting.  But then you will have to give them
separate listening ports, which may or may not make other things more
complicated in your case.
I'm not sure about this - let me figure this out the next days. Are you
interested in a way to run two instances on the same port?
I think I've seen such a configuration already ...

Found out how it works ... but I think, this solution is new only to me - but anyhow :-)

Many apache instances on one machine can run
* either on 1 IP & different ports
* or on different IPs & same port


Well, let me throw in some additional confusion then : you can even run a single Apache httpd instance, with several VHosts, each listening on a separate IP address.
See : http://httpd.apache.org/docs/2.2/vhosts/ip-based.html

thank you very much for the elaborated answer - there are some good points
to think about.

One question left for me (I think you asked it already) - why use Apache
in front of Tomcat at all - if it's so complicated to configure?

Do you have an answer to that question?

For me the answer is - security, loadbalancing and client certificate
handling - at least in general and for larger applications.


A lot of people just use Apache httpd as a front-end, because that is the first configuration that they have found, and they do not realise that Tomcat can act as a good "normal" webserver too, to serve static html pages.

I would say that if you are using an Apache front-end, but you find yourself forwarding "/" to Tomcat, then you most probably do not need Apache. But a lot of people come to this list, who are doing exactly that.

Load-balancing is one good reason.  Tomcat by itself cannot do that, it needs a front-end.
There exist other front-end load-balancers than Apache httpd, open-source/free as well as commercial, and hardware-based too.
But Apache httpd is well-known and well-tested, so many people use that.

For scenarios involving user authentication and/or SSL, I personally find it easier to use Apache httpd as a front-end, and do the authentication/SSL bit at that level, and pass to Tomcat the already authenticated user-id from Apache.

Another thing that Tomcat by itself cannot do, and httpd easily can, is act as a HTTP proxy server (forward or reverse).

And then, there are a whole series of cases where Tomcat is not the most appropriate server to use for some kinds of contents : for example, running cgi-bin scripts is often a lot more efficient (or the only way) under httpd than under Tomcat (which is optimised to run Java servlets).

There also exists a very vast library of Apache add-on modules and filters, which is not yet matched by the Tomcat/Java add-on libraries (or at least, let's say that they are usually much easier to find and set up for Apache httpd than for Tomcat).

My own personal main reason is that I am a perl programmer, and use a lot of perl add-on modules for doing all kinds of nifty things at the request and response level. The mod_perl add-on to Apache httpd is very tightly integrated into Apache, very powerful and very efficient, and it allows one to leverage the amazing CPAN library of perl modules, which can help solve just about any problem under the sun, is extremely well documented, concentrated in one place and easy to search and browse.
(http://www.cpan.org/modules/index.html)

Generally speaking, I like the Apache httpd / Tomcat combination a lot, because each one has different strengths, and the combination is extremely powerful and flexible (as its success on the WWW demonstrates).

In my scenario described the only good argument would be security - have
you ever done/seen a pentest of Tomcat without a fronting Apache?

Security, by itself, should not be a valid enough reason, because Tomcat is as secure as httpd. And if you use Apache httpd as a front-end to Tomcat, there are many opportunities for configuring this wrongly, and allow accesses to bypass the Tomcat security mechanisms, thus in general making your whole configuration less secure, instead of more so.

>> Do you have a good starting point to read about this topic?
>
Not really, apart from the whole documentation of Apache httpd and Tomcat. There are little bits and pieces about security spread all over the place.

Probably the one major piece of advice would be : if you are configuring Apache as a front-end to Tomcat, then /do not/ allow Apache to access the Tomcat application directories directly. For example, /do not/ configure the Apache DocumentRoot to be the same as the Tomcat webapps directory.
(See the red warning here : 
http://tomcat.apache.org/connectors-doc/reference/apache.html)
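
The DocumentRoot advice above can be turned into a configuration check. The following is an added example, not part of the original thread or of either project: a small Python audit that flags `DocumentRoot` and `Alias` paths overlapping the Tomcat webapps directory. The path `/opt/tomcat/webapps`, the worker name `worker1` and both sample configs are assumptions constructed for illustration.

```python
import posixpath
import re
import shlex

# DocumentRoot and Alias make httpd read files straight from disk.
DIRECTIVE = re.compile(r'^\s*(DocumentRoot|Alias)\s+(.+?)\s*$', re.IGNORECASE)

# Constructed sample configs; /opt/tomcat/webapps and worker1 are assumptions.
WEAK_CONF = '''\
Listen 80
# httpd serves the webapp files itself, bypassing Tomcat
DocumentRoot "/opt/tomcat/webapps/ROOT"
Alias /shop /opt/tomcat/webapps/../webapps/shop
JkMount /shop/* worker1
'''
FIXED_CONF = '''\
Listen 80
DocumentRoot "/var/www/static"
JkMount /shop/* worker1
'''

def _overlaps(a, b):
    """True if directory a is b, contains b, or lies inside b."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return (a == b or b.startswith(a.rstrip('/') + '/')
            or a.startswith(b.rstrip('/') + '/'))

def find_exposures(httpd_conf, webapps_dir):
    """Return (line_no, directive, path) for each DocumentRoot/Alias whose
    filesystem path overlaps the Tomcat webapps directory."""
    findings = []
    for no, line in enumerate(httpd_conf.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # Alias is "url-path file-path": the filesystem path is the last argument.
        path = shlex.split(m.group(2))[-1]
        if _overlaps(path, webapps_dir):
            findings.append((no, m.group(1), posixpath.normpath(path)))
    return findings

if __name__ == '__main__':
    for conf in (WEAK_CONF, FIXED_CONF):
        print(find_exposures(conf, '/opt/tomcat/webapps'))
```

The check is purely textual: it does not follow `Include` files or symbolic links, so run it over the fully merged configuration and resolve links first.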

