[ajug-members] Tomcat + Apache and SSL

Travis Bailey mail at travisbailey.com
Tue Oct 30 13:24:33 EDT 2007


Security should always be a consideration regardless of SSL.  Apache is generally prescribed for system architecture because it is, or can be made, bare-bones.  Being subjected to the Net's harshest situations has vetted that Apache will only expose a minimum set of security vulnerabilities.  Apache is, in essence, shielding and armor for your application.  It is also generally prescribed to live on its own server in high security environments so that the application servers can be positioned behind a second set of firewalls that allow limited port access from specific machines.  This would require that a hostile agent get past the initial firewalls, compromise the Apache server, then get by the secondary firewalls to compromise the application server.

The end game is guarding, with the highest needed cost, the database.  Since the application server generally needs direct access to the database, it is considered to be a vulnerable segment in the chain.  If someone compromises your application server they may have access to properties files, code, or other secure assets.  They would also have direct access to attack the database.

Use of Apache can help address both security and performance.  It just depends on your system and needs.  If you are streaming media or heavy amounts of static content, it may make sense to have Apache in the mix because it is more optimized for these activities.  If security is a concern then use of Apache allows for a simple front end web server with a history of being extremely hardened to security vulnerabilities.

You don't NEED Apache, as much as you should WANT Apache because the architecture demands it.  If my butt was on the line because a server gets hacked, you can be damn sure I will have the architecture set up to give me ultimate protection.  Apache is clearly a more secure web server than Tomcat, if only for the mere reasons that it is simpler in function, more widely used as a web server, and has been hardened a lot longer.

Of course there are other reasons to have Apache...
- It allows for easy maintenance page replacement during system downtimes
- It allows for introduction of applications across a variety of platforms
- It has simpler URL rewriting functionality
- It can provide easier maintenance of SSL certificates since you can technically just have one Apache instance to multiple Tomcat instances.

That said... many configurations with Tomcat as the web server can and do make sense (not many in my opinion, but some...)
 
Travis Bailey
 www.travisbailey.com
 404.664.7782 (c)

        "The greater the artist the greater the doubt. Perfect confidence is granted to the less talented as a consolation prize." - Robert Hughes
----- Original Message ----
From: "Buch, Peter" <peter.buch at emory.edu>
To: ajug-members at ajug.org
Sent: Tuesday, October 30, 2007 8:27:14 AM
Subject: Re: [ajug-members] Tomcat + Apache and SSL
I think two issues of serving static content with Tomcat are security and performance. Although I don't fully understand the security argument if all your apps and pages require SSL and authentication. Perhaps someone could enlighten me. The performance argument is a sound one on a high load web app. Why bog your app server down with static requests? It sounds like performance isn't an issue in this situation if you're considering removing Apache.
From: Carl Hall [mailto:carl.hall at gmail.com]
Sent: Monday, October 29, 2007 5:02 PM
To: General AJUG membership forum (100-200 messages/month)
Subject: [ajug-members] Tomcat + Apache and SSL
Our current production setup has an Apache instance in front of each Tomcat instance (4 machines; each with 1 Apache + 1 Tomcat).  This sits behind a BigIP load balancer.  We let Apache serve the static content as well, though the Tomcat docs lead me to believe that Tomcat can serve static content as well or better.  The only explanation I've heard for using this is that it's easier for Apache to unwrap the SSL requests than it is for Tomcat (more overhead on Tomcat; all of our traffic is over SSL).  We're using Apache 2.0 + mod_jk + Tomcat 5.5 and are considering going to Apache 2.2 + mod_proxy_ajp + Tomcat 5.5, but I'm wondering if we could remove Apache altogether.  Does anyone have any experience or data to support/deny the claim that SSL is better handled by Apache than by Tomcat?  Is Apache + Tomcat still the way to go?