Apache with/or Tomcat

I have received little to no information from other forums besides personal opinions about this subject. I am running an Apache server just fine, but I wanted to beef up my webpages. I am a fan of Java and know a little to get started. I can't, however, decide how to configure my server.

I have read that Tomcat can be a stand-alone server or work with Apache. I have been told the following suggestions:
- Run Tomcat as a stand-alone
- Run Apache with a module for JSP
- Run Apache and Tomcat and proxy webpages between them with port numbers (this sounds messy)
- ... the list goes on.

Can someone give me some good info on what the best setup would be? I was hoping to run Apache with Tomcat handling JSP requests (like a module).

Thanks in advance,
ian

If you are not expecting a super-high volume of hits, or if the majority of your resources are going to be active anyway (servelts/JSPs), stand-alone Tomcat is certainly the easiest route and works pretty well.

If there is going to be a high demand for static resources, then Apache with the Tomcat connector is a common configuration.

Ignoring benchmarks for the moment, and falling back on opinion, I don't believe you can get a more well-informed opinion than from the tomcat developers / commmiters / super-users that hang around tomcat-user. They will all tell you that Tomcat is "ready" for high-volume sites. It doesn't need any help from Apache web server, thanks. Several will tell you that they are personally involved with running 'high traffic' production sites with Tomcat stand-alone.

As for 'personal opinion'. People think 'benchmarks' are the opposite of an 'opinion'. Benchmarks are objective and show you the "real" results, right? In truth though, there's lies, damn lies and benchmarks. There are dozens of different ways to configure Tomcat. There are hundreds of platforms, jvm's, hardware combos, etc, etc. These all have impact. And we haven't even started talking about the *application* that **you** are running.

Application 1: thousands of small requests, with very little processing/business logic. Should be sub-second.
Application 2: 'lots' of long-run requests. Perhaps back-end threads are spawned. Results can take minutes.

Should tomcat be configured the same for these two apps? Would app2 run slower or faster under the Tomcat configuration for app1? What impact does gc have? What about jvm heapsize switches? How many connectors should Tomcat be configured with? The list goes on and on.

The best advice (which involves work, so it's frequently unpopular) is to do your own stress-testing and benchmarks. Those people on tomcat-user would say the same thing.

Sorry, that turned into a mini-diatribe. I didn't mean it. I think what set me off was: I have received little to no information from other forums besides personal opinions about this subject.

There's a reason for that. There is no 'one right answer'. It seriously depends on what the app is doing, and what you have already. If you already have a site that does a bit of perl, a little bit of mod_rewrite, and maybe some (gasp) PHP mixed in... then you will *need* to run Tomcat behind Apache. If you have no other *need* for Apache, then many, many people will tell you that Tomcat by itself is fine. Even for "mostly static" sites.

Btw, what I left off my response was that personally I run Tomcat standalone with no difficulties.

Wow! Thanks for the replies. I guess there's nothing wrong with a well supported opinion. I'm going to run my own trials and see which one works best.

As far as my currently running services like Webmin and Webalizer, will those run normally with something like Tomcat? Will Webmin see Tomcat in its menu of servers? Will I be able to use Webalizer to get reports like I do with Apache? My guess would be that since both are from the same organization (http://apache.org/) they would work in a very similar way.

Thanks in advance for your help,
Ian

Apache+Tomcat will be better if you concern the security,
expose Tomcat to internet directly, is not good idea.

Apache+Tomcat will be better if you concern the security,
expose Tomcat to internet directly, is not good idea.

I think we would like to see a little documentary support for that idea instead of just a statement. There are many many Tomcat servers "exposed to the Internet" with no problem.

Tomcat has a wide variety of security tools available. If you care to, you can restrict what servlets are allowed to do in minute detail.
Bill

Originally posted by William Brogden:

Tomcat has a wide variety of security tools available.

Tools? or Settings? Honest curiosity. Where if the former? Are they all on the Jakarta Project website?

ian
[ May 17, 2004: Message edited by: Ian Getz ]

HA! I see your website is powered by Tomcat, Brogden!

[ May 17, 2004: Message edited by: Ian Getz ]
[ May 17, 2004: Message edited by: Ian Getz ]

Answering for William, I think he meant 'settings'. Tomcat is an implementation of the servlet spec, which provides for such things as declarative security, transport guarantees, etc, etc.

As for "does it have exploits?"...

The two I've heard about so far have been regarding the invoker servlet (which is off by default in recent versions), and another where the JSP source code is displayed to the browser. That last one resulted, ironically enough, by misconfiguring the jk connector between Apache and Tomcat.

I'm quite confident that if there ever was an actual security vulnerability, that there would be a hotfix available *at least* as soon as similar fixes for apache web server, or IIS.

as Mr William Brogden is asking, just conclude some point.
based on J2EE blueprint & my experience , Apache + Tomcat is better approach. there's a strong voice in my mind, Apache is Web server[\B], Tomcat is [B]Application Server. :roll:

1. Web server usually deployed before DMZ, and application server is
deployed within private network.

2. unless your application is not critical, means that it does cost you
much if it die.

3. the most simple & available internet attack is DoS.
I don't know how Tomcat is going to handle this, but I know Apache can
do some thing.

4. beside the security reason, I don't know how the application cluster
could be configured if no web server set up.

5. anyway, it is your own choice. Tomcat alone can handle the job, and
everyone feel comfortable with this, specially your customer. then
tomcat alone is alright.
There's also a rule, just keep it simple if the simple solution can
handle the job. as complex solution also introduce more failure points.


[ May 21, 2004: Message edited by: Lipman Li ]

http://www.cafesoft.com/products/cams/tomcat-security.html is a nice review of security with Tomcat 4. (Of course, they are trying to sell you their own security extensions.)
This page on the tomcat site describes the use of the basic Java SecurityManager as it gets configured on Tomcat 4. Basically, Java policy controls let you specify what each application can do in minute detail.
A google search for "tomcat security" found free book chapters on the subject.
Bill

Thank you all. Tomcat it is!

Have a great day,
ian