I'm in the process of configuring Apache and Tomcat to run on separate servers and using mod_jk to connect the 2. The plan is to have the Apache server sit in the DMZ and have any servlet/JSP requests forwarded to Tomcat behind our inner firewall. I've never set up this type of configuration before, but I realize it is a standard security practice. I do, however, have a few questions about how HTTP traffic will flow in this configuration.
My understanding:
HTTP requests coming in from clients on the Internet will always hit the Apache Web server and never our application server (i.e. Tomcat). Any requests to Tomcat will be forwarded from Apache on port 8009 using the AJP13 protocol.
My question is, how does the HTTP response get back to the client? Does the client see the response as coming from the Apache server or the Tomcat server? When I browse the Apache Web server and hit a JSP or servlet, the URL location in my browser changes to the Tomcat server. To me, that implies that the response came from Tomcat directly. This would mean we would have to allow traffic from the Tomcat server behind the inner firewall out to clients on the internet.
Would enabling load balancing in the mod_jk connector help? We only plan on running a single Tomcat instance on the backend, but I could set up load balancing with a single worker.
Thoughts?
Regards,
Eric