PDA

View Full Version : Poll: usage of tomcat-behind-apache

Kees de Kooter
18-02-2009, 09:23
I routinely set up tomcat behind apache on production servers and also recommend my customers to do so.

On the tomcat mailing list their are threads disputing this setup on a regular basis. That is why I would like to poll the java-monitor members.

Who is using tomcat behind apache in a production environment for a public site?

Of course I am also interested in alternative setups.
Barry
18-02-2009, 17:14
As I mentioned elswhere, setup Tomcat behind a reverse proxy (can be apache, just not mod_jk)
admini
20-02-2009, 15:30
On production servers I normally use tomcat behiind apache. Unless I know using port 8080 is no obstacle.
On experimental setups (which is a large part of my work) I only do that when port 8080 is unavailable to the clients for some reason.
On Windows, uhhh, I dont care. I just run tomcat on port 80 directly.
jingming
03-03-2009, 03:52
I am ashamed to say that I always run tomcat on port 80 directly both windows and linux.
And I am also thinking about running tomcat behind apache with mod_jk to make a load balancer.
I don't know what's the drawbacks to do it in this way.
Kees de Kooter
03-03-2009, 08:51
If you use apache in front of tomcat you can use a bunch of facilities apache is really good at: SSL encryption for secure sites, http compression. Plus using mod_jk or mod_proxy you can only expose the public apps on your tomcat server to the outside world and do some loadbalancing tricks.

For non public sites running on tomcat+port 80 you should not feel ashamed ;-)
Barry
03-03-2009, 11:28
I am ashamed to say that I always run tomcat on port 80 directly both windows and linux.
And I am also thinking about running tomcat behind apache with mod_jk to make a load balancer.
I don't know what's the drawbacks to do it in this way.

Well in general it's "safe" unless a way is found to exploit the JVM.
However security is the process of placing as many barriers as possible in front of would be attackers as each single security measure can fail/be broken.

Drawbacks of Tomcat behind a loadbalancer?
Very little.
The "loadbalancer" becomes a single point of failure unless you make it redundant; Some applications might not like the URL rewriting going on and if the user-agent data is not passed on properly your logs will be useless. (But the loadbalancer has the right logs)
All of these issues have good workarounds though