Tomcat behind IIS on windows 2012

 
Ranch Hand
Posts: 205
If I want to have IIS act as an intermediary between Tomcat and the outside world, if I've understood it correctly, there seem to be two choices.

Either add something called HttpPlatformHandler into IIS

https://www.iis.net/downloads/microsoft/httpplatformhandler

or, use the Apache Tomcat Connectors

https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/win64/jk-1.2.30/ia64/

Is either considered best practice, to be preferred over the other?
 
Richard Hayward
Ranch Hand
Posts: 205
Didn't get any takers here, so I tried the tomcat users mailing list.

For anyone else pondering this same issue, the responses on that mailing list are in the March 2018 archive.
Subject title: 'Tomcat behind IIS on windows 2012'.

http://mail-archives.apache.org/mod_mbox/tomcat-users/201803.mbox/browser

 
Bartender
Posts: 19445
Sorry we couldn't be of more help. I'm afraid that my best practice includes not using Windows for Internet-facing servers. If you'd wanted to know about using Apache or Nginx on Linux or Unix systems, that's more my area of expertise. I haven't worked with IIS since the last millennium, and that was for an intra-departmental operation.

Windows isn't the security nightmare it used to be, but it still costs money I can't spare, has intrusive licensing requirements, and wants to "phone home" to Redmond and chat about what's going on inside, so the next time I boot up a copy it's going to be when I run TurboTax, which is about the only application that has no Linux equivalent these days (Actually, Intuit is more deeply wired into Windows than even Windows is, as I learned when trying to do a Quickbooks "export to Excel").

That's why I'm usually silent when people have Windows-related questions in this forum. Fortunately we have other people here who can usually answer in my stead. Sorry that in this case no one did.

Thanks for sharing what you learned with us, though! 
 
Greenhorn
Posts: 2
Hi Richard,

I am researching this too. I was curious what you have decided on and anything else you may have learned. Specifically, I am trying to understand why someone would want IIS as an intermediary. What do you gain by configuring Tomcat to go through IIS with HttpPlatformHandler, versus just not using IIS and only using Tomcat? I see that there is excitement around it being possible, but why do it this way?

Thank you
 
Tim Holloway
Bartender
Posts: 19445
Welcome to the Ranch, Justin!

There are 2 reasons for using IIS - or Apache, Nginx, or any of probably dozens of other webservers as "intermediaries" to Tomcat. Or, as they are technically known: "reverse proxy servers".

First, there's flexibility. Tomcat can host J2EE webapps, but that's about it. Something like Apache or IIS can host webapps written in a variety of languages - PHP, .Net, Python, C, Perl and much more. But not, as it happens, J2EE, since J2EE requires a JVM and those webapp servers don't run in JVMs. So by proxying to Tomcat, you get J2EE plus all those other language options. Not that you'd write a single webapp in multiple languages, but one webapp server often hosts many webapps.

Secondly, and equally importantly, there's security. For reasons that undoubtedly seemed good at the time, TCP/IP systems are usually set up so that only administrative users can open ports under 4096 for listening. The default port for HTTP is port 80 and the default port for HTTPS is 443, so in order for Tomcat to use those ports instead of its own defaults of 8080 and 8443, it would have to be run as an administrator/root user account. And since that means that the entire JVM would be running as a privileged user, anything that broke through the Java security would then own the entire OS.

The port security problem for Apache and IIS is dealt with in a different way. Those servers start up as an administrative user while they grab the TCP/IP listening ports, but then switch to a "normal" user account. So if something breaks loose, it can only meddle with OS resources that the IIS or Apache user can meddle with instead of virtually anything in the entire system.

So why doesn't Tomcat do that? Because Tomcat is written in Java and Java is "write once/run anywhere". There's no Java API function for switching user IDs - it's something that can only be done using OS-native system functions. So by using a proxy, you can have a webapp server listening on ports 80 and 8443 and the proxy channel then forwards the request to Tomcat using the AJP port (8009), or as a redirect to 8080/8443 (depending on how you set things up). Thus security is maintained and everyone's happy.
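Since the whole argument rests on Tomcat's own ports being reachable only by the proxy, here is an added example (not from this thread or from the Tomcat project) that audits a server.xml for exactly that: every connector bound to loopback, and a shared secret on the AJP connector that the Tomcat Connectors redirector talks to. The `address`, `secretRequired` and `secret` attributes are Tomcat's own connector attributes; the two server.xml samples are constructed for the demo.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(server_xml: str) -> list:
    """Return (port, finding) tuples for connectors a reverse proxy should hide."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        address = conn.get("address")
        # No address (or a non-loopback one) means the connector listens on every
        # interface, so clients can bypass IIS and talk to Tomcat directly.
        if address is None or address not in LOOPBACK:
            findings.append((port, "listens on non-loopback address %r" % address))
        if protocol.startswith("AJP/"):
            # AJP trusts the proxy, so Tomcat (8.5.51/9.0.31 and later) expects a
            # shared secret; a disabled or empty secret leaves that trust unchecked.
            if conn.get("secretRequired", "true").lower() != "true":
                findings.append((port, "AJP secretRequired disabled"))
            elif not conn.get("secret"):
                findings.append((port, "AJP secret missing"))
        if port in ("80", "443"):
            # Binding these from Tomcat means the whole JVM runs privileged.
            findings.append((port, "privileged port bound by Tomcat, not the proxy"))
    return findings

# Constructed sample: default-style connectors plus an AJP port with no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false"/>
  </Service>
</Server>"""

# Constructed sample: same server, reachable only from a proxy on the same host.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-SECRET-change-me"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_connectors(xml) or "OK")
```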
 
Justin Gooley
Greenhorn
Posts: 2
Hi Tim,

First of all thank you for putting up with my original post. I see now I didn't proofread very well and it doesn't appear that I can edit that post now. Additionally, that was a great reply. Thank you so much for the effort and quality in your response.
